Configuring Cross-Domain Requests

PersonalizeWP v3.1 provides developers with programmatic control over cross-domain access through WordPress filter hooks. This advanced feature allows you to dynamically manage allowed origins beyond the standard API key interface, enabling complex deployment scenarios and automated domain management.

Overview

The cross-domain configuration system uses WordPress's filter architecture to extend PersonalizeWP's CORS functionality. While the Authentication settings panel provides manual API key management, the filter system enables programmatic control over allowed domains, making it ideal for dynamic environments, automated deployments, or situations requiring conditional domain access.

The personalizewp_allowed_origins filter intercepts PersonalizeWP's domain validation process, allowing developers to modify the list of permitted origins before CORS headers are set. This approach maintains PersonalizeWP's security framework whilst providing the flexibility needed for advanced implementations.

Prerequisites

Before implementing cross-domain filters:

  • PersonalizeWP Pro must be installed and activated
  • Basic understanding of WordPress filter hooks and PHP development
  • Access to your theme's functions.php file or a custom plugin
  • Understanding of CORS principles and domain validation
  • Familiarity with your deployment architecture and domain requirements

Understanding the Filter Hook

Filter Structure

The personalizewp_allowed_origins filter receives an array of currently allowed origins and expects a modified array in return. The filter fires during CORS validation, giving you the opportunity to add or modify domains before security checks occur.

Default Behaviour

Without custom filter implementation, PersonalizeWP allows origins based on the automatic site token and manually created API keys. The filter extends this functionality by enabling runtime domain decisions based on your custom logic.

Filter Priority

The filter operates at standard WordPress priority levels, allowing you to control when your modifications occur relative to other plugins or theme functions that might also modify allowed origins.

Basic Filter Implementation

Adding Static Domains

The simplest implementation adds fixed domains to the allowed origins list. This approach works well when you have known domains that need access but prefer programmatic configuration over manual API key management.

add_filter('personalizewp_allowed_origins', function($origins) {
    return array_merge($origins, [
        'https://app.mysite.com',
        'https://mobile.mysite.com'
    ]);
});

Environment-Based Configuration

More sophisticated implementations can vary allowed domains based on the current environment, enabling different domain access for development, staging, and production environments.

add_filter('personalizewp_allowed_origins', function($origins) {
    // Read the environment type once; production receives no extra origins.
    $environment = wp_get_environment_type();

    if ($environment === 'development') {
        $origins[] = 'https://dev.mysite.com';
        // Plain-HTTP localhost is allowed in development only.
        $origins[] = 'http://localhost:3000';
    }

    if ($environment === 'staging') {
        $origins[] = 'https://staging.mysite.com';
    }

    return $origins;
});

Advanced Configuration Options

Dynamic Domain Detection

Advanced implementations can determine allowed domains dynamically based on database values, external API calls, or other runtime conditions. This approach enables fully automated domain management based on your application's specific requirements.

The filter can query custom options, user meta, or external services to build the allowed origins list, providing maximum flexibility for complex deployment scenarios.

Conditional Access Logic

You can implement complex conditional logic within the filter to grant access based on specific criteria such as user roles, time-based restrictions, or external validation services.

add_filter('personalizewp_allowed_origins', function($origins) {
    // Add partner domains during business hours.
    // wp_date() uses the site timezone; PHP's date() reports UTC inside WordPress.
    $current_hour = (int) wp_date('G');
    if ($current_hour >= 9 && $current_hour <= 17) {
        $origins[] = 'https://partner.example.com';
    }

    // Add premium domains for sites with specific options
    if (get_option('enable_premium_integrations')) {
        // Cast to array so a missing or malformed option cannot break array_merge().
        $premium_domains = (array) get_option('premium_allowed_domains', []);
        $origins = array_merge($origins, $premium_domains);
    }

    return $origins;
});

Multisite Integration

For WordPress multisite installations, the filter can implement site-specific logic that varies allowed domains based on the current site or network configuration.

The filter has access to multisite functions, enabling domain lists that adapt to different sites within your network whilst maintaining appropriate security boundaries.
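
The following is an added example, not PersonalizeWP's own code, covering both Dynamic Domain Detection and Multisite Integration: it reads candidate origins from a per-site option and, on multisite, a network option, keeps only well-formed HTTPS origins, and caches the result. The option names `mysite_pwp_origins` and `mysite_pwp_network_origins`, the transient key and the helper `mysite_pwp_clean_origin()` are hypothetical, and it assumes origins are compared as bare scheme://host[:port] strings.

```php
<?php
// Added example; option names, transient key and helper name are hypothetical.

/**
 * Reduce a stored value to a bare HTTPS origin (scheme://host[:port]),
 * or return null if it is not one. Rejects wildcards, credentials and paths.
 */
function mysite_pwp_clean_origin( $value ) {
    if ( ! is_string( $value ) ) {
        return null;
    }
    $parts = wp_parse_url( trim( $value ) );
    if ( ! is_array( $parts ) || empty( $parts['host'] ) ) {
        return null;
    }
    if ( 'https' !== strtolower( $parts['scheme'] ?? '' ) ) {
        return null;
    }
    // Anything beyond scheme, host and port means the value is not an origin.
    if ( array_diff_key( $parts, array_flip( [ 'scheme', 'host', 'port' ] ) ) ) {
        return null;
    }
    // Hostname characters only, so '*' wildcards are rejected.
    if ( ! preg_match( '/^[a-z0-9.-]+$/i', $parts['host'] ) ) {
        return null;
    }
    $origin = 'https://' . strtolower( $parts['host'] );
    return isset( $parts['port'] ) ? $origin . ':' . $parts['port'] : $origin;
}

add_filter( 'personalizewp_allowed_origins', function ( $origins ) {
    $extra = get_transient( 'mysite_pwp_origins_cache' );
    if ( ! is_array( $extra ) ) {
        // Per-site list, plus a network-wide list on multisite.
        $stored = (array) get_option( 'mysite_pwp_origins', [] );
        if ( is_multisite() ) {
            $stored = array_merge( $stored, (array) get_site_option( 'mysite_pwp_network_origins', [] ) );
        }
        $extra = array_values( array_filter( array_map( 'mysite_pwp_clean_origin', $stored ) ) );
        set_transient( 'mysite_pwp_origins_cache', $extra, 5 * MINUTE_IN_SECONDS );
    }
    // Merge rather than overwrite so existing allowed origins are preserved.
    return array_values( array_unique( array_merge( (array) $origins, $extra ) ) );
} );
```

Call `delete_transient( 'mysite_pwp_origins_cache' )` whenever either option changes so that a removed origin stops being allowed without waiting for the cache to expire.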

Troubleshooting

Filter Not Executing

If your filter doesn't appear to be running, verify the hook name is spelled correctly as personalizewp_allowed_origins and that your code is being executed in the proper context. Check that PersonalizeWP Pro is active and that API requests are actually reaching your WordPress installation.

Domains Not Being Allowed

When domains added through the filter aren't being accepted, ensure your filter is returning a properly formatted array and that each domain includes its protocol (for example, https://). Use WordPress debugging tools to verify your filter is being called and returning expected values.

Performance Issues

If implementing the filter causes performance problems, review your logic for expensive operations that could be cached or optimized. Consider whether your domain validation logic is too complex for the frequency of API requests your site receives.

Security Conflicts

When experiencing security-related issues after implementing custom filters, verify that your added domains don't conflict with PersonalizeWP's existing security measures. Test thoroughly in development environments before deploying filter changes to production.

Array Handling Problems

Common issues arise from improper array handling within the filter, such as overwriting existing origins instead of merging them, or returning malformed array structures. Always use array_merge() or similar functions to preserve existing allowed origins whilst adding your custom domains.
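
The following is an added diagnostic, not part of PersonalizeWP, for the checks described in this section: a callback registered at the latest priority that logs the final origins list when `WP_DEBUG` is enabled and flags entries that are not bare scheme://host[:port] strings. The function name is hypothetical, and the expected entry format is an assumption based on the examples on this page.

```php
<?php
// Added example; mysite_pwp_audit_origins is a hypothetical name.
function mysite_pwp_audit_origins( $origins ) {
    if ( ! defined( 'WP_DEBUG' ) || ! WP_DEBUG ) {
        return $origins;
    }
    if ( ! is_array( $origins ) ) {
        // An earlier callback returned something other than an array.
        error_log( 'personalizewp_allowed_origins: expected array, got ' . gettype( $origins ) );
        return $origins;
    }
    foreach ( $origins as $key => $origin ) {
        // Assumption: entries should be scheme://host[:port], no path or wildcard.
        if ( ! is_string( $origin ) || ! preg_match( '#^https?://[a-z0-9.-]+(:\d+)?$#i', $origin ) ) {
            error_log( sprintf(
                'personalizewp_allowed_origins: suspect entry at %s: %s',
                $key,
                wp_json_encode( $origin )
            ) );
        }
    }
    error_log( 'personalizewp_allowed_origins final list: ' . wp_json_encode( array_values( $origins ) ) );
    return $origins; // Observe only; never alter the list here.
}
// PHP_INT_MAX runs this after every other callback on the hook.
add_filter( 'personalizewp_allowed_origins', 'mysite_pwp_audit_origins', PHP_INT_MAX );
```

With `WP_DEBUG_LOG` enabled, the messages are written to `wp-content/debug.log`; remove the callback once the problem is found.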

The cross-domain configuration system provides enterprise-level flexibility for managing PersonalizeWP access across complex architectures whilst maintaining the security and performance standards required for production environments.
