What defenitely should work is setting the CORS origin to a wildcard
This will allow access from ANY source. A little note from the W3 wiki:
Agreed, this wildcard CORS should always work for C3 Ajax calls and for brief testing runs it should be fine. You don't want it set to that for any releases. The small script I posted earlier in this thread will allow for requests from multiple sites without opening requests up to everyone (something CORS doesn't do without help). The trick is, to find out what origin is accessing the script in the first place.
To find out use this script:
$http_origin = $_SERVER['HTTP_ORIGIN'];
$myfile = fopen("origins.txt", "a") or die("Unable to open file!");
if ($http_origin == "https://preview.construct.net" || $http_origin == "https://www.myserver.com")
In theory, when C3 does an Ajax call to the php script it will create or append to a text file on the server called origins.txt. In that text file will be the origin of the requester. Once you have a proper origin name, you can add it to the script like this:
if ($http_origin == "https://preview.construct.net" || $http_origin == "https://www.myserver.com" || $http_origin == "https://www.anotherorigin.com")
Once you get the origin from the text file, you can comment out these 3 lines until you need them again:
//$myfile = fopen("origins.txt", "a") or die("Unable to open file!");
This will allow you to have multiple origins as being valid without opening the script to the entire planet with the wildcard.