diff --git a/apps/common/middleware/cross_domain_middleware.py b/apps/common/middleware/cross_domain_middleware.py
index 499854e60f4..d116dd7b7b8 100644
--- a/apps/common/middleware/cross_domain_middleware.py
+++ b/apps/common/middleware/cross_domain_middleware.py
@@ -17,27 +17,23 @@ class CrossDomainMiddleware(MiddlewareMixin):
 
     def process_request(self, request):
         if request.method == 'OPTIONS':
-            auth = request.META.get('HTTP_AUTHORIZATION')
-            if auth is not None and str(auth).startswith("application-"):
-                application_api_key = QuerySet(ApplicationApiKey).filter(secret_key=auth).first()
-                if application_api_key.allow_cross_domain:
-                    return HttpResponse(status=200,
-                                        headers={
-                                            "Access-Control-Allow-Origin": "*" if application_api_key.cross_domain_list is None or len(
-                                                application_api_key.cross_domain_list) == 0 else ",".join(
-                                                application_api_key.cross_domain_list),
-                                            "Access-Control-Allow-Methods": "GET,POST,DELETE,PUT",
-                                            "Access-Control-Allow-Headers": "Origin,X-Requested-With,Content-Type,Accept,Authorization,token"})
+            return HttpResponse(status=200,
+                                headers={
+                                    "Access-Control-Allow-Origin": "*",
+                                    "Access-Control-Allow-Methods": "GET,POST,DELETE,PUT",
+                                    "Access-Control-Allow-Headers": "Origin,X-Requested-With,Content-Type,Accept,Authorization,token"})
 
     def process_response(self, request, response):
         auth = request.META.get('HTTP_AUTHORIZATION')
-        if auth is not None and str(auth).startswith("application-"):
+        origin = request.META.get('HTTP_ORIGIN')
+        if auth is not None and str(auth).startswith("application-") and origin is not None:
             application_api_key = QuerySet(ApplicationApiKey).filter(secret_key=auth).first()
             if application_api_key.allow_cross_domain:
-                response['Access-Control-Allow-Origin'] = "*" if application_api_key.cross_domain_list is None or len(
-                    application_api_key.cross_domain_list) == 0 else ",".join(
-                    application_api_key.cross_domain_list)
                 response['Access-Control-Allow-Methods'] = 'GET,POST,DELETE,PUT'
                 response[
                     'Access-Control-Allow-Headers'] = "Origin,X-Requested-With,Content-Type,Accept,Authorization,token"
+                if application_api_key.cross_domain_list is None or len(application_api_key.cross_domain_list) == 0:
+                    response['Access-Control-Allow-Origin'] = "*"
+                elif application_api_key.cross_domain_list.__contains__(origin):
+                    response['Access-Control-Allow-Origin'] = origin
         return response