WILT: Regex for Cross Site
With web pages and JavaScript requests, if you're going from one domain (e.g. vonexplaino.com) to another domain (e.g. nerdvana.org.au) then you're going (a)Cross Domains. These Cross Domain requests are blocked by browsers for security and politeness reasons, but for valid uses the target site can permit a cross domain request. The HTTP header Access-Control-Allow-Origin can specify a single domain that can access your content, or everyone. This is pretty limiting. So with Apache, there's configuration you can put in place to query and validate the request Origin and, if you like it, set that header for that domain. I had built a Status page at work with AJAX endpoints for embedding service status in various other pages. So to allow that:
Header unset Access-Control-Allow-Origin
SetEnvIf Origin ^https?:\/\/(.*\.)?server\.com$ AccessControlAllowOrigin=$0
Header add Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
Header merge Vary "Origin"
- Unset any existing Access-Control-Allow-Origin
- If the Origin matches the regex ^https?:\/\/(.*\.)?server\.com$ (any subdomain of server.com, or just server.com), then set the variable AccessControlAllowOrigin to the entire Origin string
- Set the Access-Control-Allow-Origin header to that variable if it's set.
- Profit
Now that works fine ... if you don't have dev servers that are accessed via ports. I suddenly did. Nuts. Doing a search I found the regex ^https?:\/\/(.*\.)?server\.com(?::d{1,5})$ - adding a nice little Negative look ahead. I tried it. Didn't work. I thought about it and realised negative look ahead was not what I wanted. Idiot. What I wanted was :\d{1,5} (so : followed by 1-5 numbers) or nothing. That's a simple | or:
^https?:\/\/(.*\.)?server\.com(|:\d{1,5})$
Success.
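To see which Origin values each of the three patterns above lets through, here is an added example (not code from the original post) that runs them against a handful of constructed Origin headers. It assumes Python's `re` module as a stand-in for Apache's regex engine; the function names and sample origins are made up for the illustration.

```python
import re

# The three Origin patterns from the post, copied verbatim.
PATTERNS = {
    "original": r"^https?:\/\/(.*\.)?server\.com$",
    # (?: ... ) is a non-capturing group, and "d" has no backslash, so this
    # requires a literal ":" followed by 1-5 letter "d" characters.
    "searched": r"^https?:\/\/(.*\.)?server\.com(?::d{1,5})$",
    # Empty alternative, or ":" plus 1-5 digits: an optional port.
    "final": r"^https?:\/\/(.*\.)?server\.com(|:\d{1,5})$",
}

# Constructed sample Origin header values (not taken from the post).
ORIGINS = [
    "https://server.com",
    "http://status.server.com",
    "https://dev.server.com:8443",
    "https://server.com:123456",
    "https://server.com:ddd",
    "https://server.com.example.net",
    "https://notserver.com",
]


def echoed_origin(pattern_name, origin):
    """Mimic SetEnvIf ... AccessControlAllowOrigin=$0: return the whole match
    (the value the Header directive would echo back), or None when the
    variable would stay unset and no CORS header is sent."""
    match = re.search(PATTERNS[pattern_name], origin)
    return match.group(0) if match else None


def decision_table():
    """Map each sample Origin to {pattern name: allowed?}."""
    return {
        origin: {name: echoed_origin(name, origin) is not None for name in PATTERNS}
        for origin in ORIGINS
    }


if __name__ == "__main__":
    for origin, row in decision_table().items():
        verdicts = "  ".join(
            f"{name}={'allow' if ok else 'deny'}" for name, ok in row.items()
        )
        print(f"{origin:<34} {verdicts}")
```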