diff --git a/dongjian-center-admin-controller/src/main/java/com/dongjian/datacenter/admin/configurator/CrosXssFilter.java b/dongjian-center-admin-controller/src/main/java/com/dongjian/datacenter/admin/configurator/CrosXssFilter.java
index fcb1788..374ac06 100644
--- a/dongjian-center-admin-controller/src/main/java/com/dongjian/datacenter/admin/configurator/CrosXssFilter.java
+++ b/dongjian-center-admin-controller/src/main/java/com/dongjian/datacenter/admin/configurator/CrosXssFilter.java
@@ -51,10 +51,22 @@ public class CrosXssFilter implements Filter {
 HttpServletRequest httpRequest = (HttpServletRequest) request;
 String referer = httpRequest.getHeader("Referer");
- if (StringUtils.isNotBlank(referer) && !"*".equals(accessControlAllowOrigin)
- && !referer.startsWith(accessControlAllowOrigin)) {
- httpServletResponse.sendError(HttpServletResponse.SC_FORBIDDEN, "Invalid Referer");
- return;
+ if (StringUtils.isNotBlank(referer) && !"*".equals(accessControlAllowOrigin)) {
+ // 允许多个域名,逗号分隔
+ String[] allowedOrigins = accessControlAllowOrigin.split(",");
+ boolean matched = false;
+ for (String origin : allowedOrigins) {
+ origin = origin.trim();
+ if (StringUtils.isNotBlank(origin) && referer.startsWith(origin)) {
+ matched = true;
+ break;
+ }
+ }
+ // 如果一个都不匹配,则返回 403
+ if (!matched) {
+ httpServletResponse.sendError(HttpServletResponse.SC_FORBIDDEN, "Invalid Referer");
+ return;
+ }
 }
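Review bot: The per-entry `referer.startsWith(origin)` test in the new loop is a plain string-prefix match, so an allowed entry written as a bare `https://host` also accepts a Referer whose host merely begins with that text or continues it with further characters; comparing the Referer's `scheme://authority` (parsed with `java.net.URI`, which needs an import) against each trimmed entry, as sketched below, makes the match exact. Because the guard is still skipped entirely when the Referer header is absent (the pre-existing `isNotBlank(referer)` gate), this remains a heuristic rather than a complete CSRF control, and that should be stated in a comment above the `if`. If `accessControlAllowOrigin` is also written into the `Access-Control-Allow-Origin` response header elsewhere in this filter (not visible in the hunk), note that the header takes a single origin, so the now comma-separated value would need the same splitting there. The enclosing method continues outside the hunk.
```java
            String[] allowedOrigins = accessControlAllowOrigin.split(",");
            // Reduce the Referer to scheme://authority so each allowed entry is compared
            // exactly rather than as a prefix of the whole URL.
            String refererOrigin = null;
            try {
                URI refererUri = new URI(referer);
                if (refererUri.getScheme() != null && refererUri.getAuthority() != null) {
                    refererOrigin = refererUri.getScheme() + "://" + refererUri.getAuthority();
                }
            } catch (URISyntaxException ignored) {
                // Malformed Referer: leave refererOrigin null so nothing matches and 403 follows.
            }
            boolean matched = false;
            for (String origin : allowedOrigins) {
                origin = origin.trim();
                if (origin.endsWith("/")) {
                    // Tolerate a configured trailing slash; the authority form never has one.
                    origin = origin.substring(0, origin.length() - 1);
                }
                if (StringUtils.isNotBlank(origin) && origin.equalsIgnoreCase(refererOrigin)) {
                    matched = true;
                    break;
                }
            }
            // … unchanged: 403 when no entry matched …
```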