Matomo is an analytics platform that collects data (Tracking API) and reports (Analytics API) this data in interesting formats. Sometimes you want to query this data from across other domains for example using cross-domain Ajax calls (XMLHttpRequest).

By default browsers implement the same-origin policy which prevents browsers from directly requesting data from other domains. Luckily, modern web browsers allow developers to perform cross-domain requests with one trick: the server must allow cross-domain requests by responding to the request with the Access-Control-Allow-Origin header set to a value that includes the domain of the requesting code, for example Access-Control-Allow-Origin: https://example.com. You can also set the header to * to match and allow all domains.

You can set your domain names for CORS in the Matomo GUI, the feature can be found in Administration > System > General settings

cors

Alternatively you can set the domains in the config.ini.php file. To allow your Matomo to serve data to all domains add the following to your config file:

[General]
cors_domains[] = *

To allow Matomo to serve cross-domain requests to only example.com and dashboard.example.com

[General]
cors_domains[] = "http://example.com"
cors_domains[] = "http://dashboard.example.com"

Reference: Cross-origin resource sharing.

If you are using the Heatmaps and Session Recordings plugin you may also need to add Access-Control-Allow-Origin: * to your websites configuration (The websites where you are installing the Matomo tracking code) in order to allow Matomo to access the specific resources required for the Heatmaps and Session Recordings plugin.