且构网

Access-Control-Allow-Origin wildcard subdomains, ports and protocols

Updated: 2022-11-22 19:36:11

Based on DaveRandom's answer, I was also playing around and found something a bit simpler that produces the same result without using any rewrite rules:

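# If the Origin request header is an http(s) subdomain of mywebsite.com (optional port), capture it.
SetEnvIf Origin ^(https?://.+\.mywebsite\.com(?::\d{1,5})?)$   CORS_ALLOW_ORIGIN=$1
# Echo the captured origin back only when the variable was set by the match above.
Header append Access-Control-Allow-Origin  %{CORS_ALLOW_ORIGIN}e   env=CORS_ALLOW_ORIGIN
# No env= condition: Origin is merged into Vary whether or not the origin matched.
Header merge  Vary "Origin"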

That's it.

Those who want to enable CORS on the parent domain (e.g. mywebsite.com) in addition to all its subdomains can simply replace the regular expression in the first line with this one:

^(https?://(?:.+\.)?mywebsite\.com(?::\d{1,5})?)$

Note: For spec compliance and correct caching behavior, ALWAYS add the Vary: Origin response header for CORS-enabled resources, even for non-CORS requests and those from a disallowed origin (see example why).
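
Added example, not part of the original answer: a small Python model of the three directives that runs both regular expressions from the answer against constructed Origin values, so the allow decision and the unconditional Vary header can be checked before the rules go live. The STRICT pattern, the function names and the sample origins are assumptions made for this illustration.

```python
import re

# The two patterns from the answer above. Apache evaluates them with PCRE;
# these constructs behave the same in Python's re module.
SUBDOMAINS = re.compile(r"^(https?://.+\.mywebsite\.com(?::\d{1,5})?)$")
WITH_PARENT = re.compile(r"^(https?://(?:.+\.)?mywebsite\.com(?::\d{1,5})?)$")
# Assumption, not from the answer: a tighter variant whose host part only
# admits dot-separated labels of letters, digits and hyphens.
STRICT = re.compile(r"^(https?://(?:[A-Za-z0-9-]+\.)*mywebsite\.com(?::\d{1,5})?)$")


def cors_headers(origin, pattern):
    """Model the three directives for one request's Origin value (or None)."""
    headers = {"Vary": "Origin"}          # Header merge Vary: no env= condition
    match = pattern.search(origin or "")  # SetEnvIf Origin <regex> VAR=$1
    if match:                             # Header append ... env=VAR
        headers["Access-Control-Allow-Origin"] = match.group(1)
    return headers


def verdicts(origin):
    """Return (SUBDOMAINS, WITH_PARENT, STRICT) allow decisions as booleans."""
    return tuple(
        "Access-Control-Allow-Origin" in cors_headers(origin, p)
        for p in (SUBDOMAINS, WITH_PARENT, STRICT)
    )


# Constructed Origin values, chosen to probe the edges of each pattern.
SAMPLES = [
    "https://app.mywebsite.com",             # plain subdomain
    "http://a.b.mywebsite.com:8080",         # nested subdomain with port
    "https://mywebsite.com",                 # parent domain itself
    "https://evilmywebsite.com",             # suffix lookalike, no dot boundary
    "https://mywebsite.com.evil.example",    # trusted name used as a prefix
    "https://evil.example/x.mywebsite.com",  # path form; browsers never send this
    None,                                    # non-CORS request, no Origin header
]

if __name__ == "__main__":
    for origin in SAMPLES:
        print(f"{origin!s:40} {verdicts(origin)}")
```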