The policy permits scripts running on pages originating from the same site – a combination of scheme, hostname, and port number – to access each other's DOM with no specific restrictions, but prevents access to DOM on different sites. Same-origin policy also applies to
CORS configuration is server-side.
A server using
"Access-Control-Allow-Origin: *" allows all domains, it is very bad.
By responding with
Access-Control-Allow-Origin: *, the requested resource allows sharing with every origin. This basically means that any site can send an XHR request to your site and access the server’s response which would not be the case if you hadn’t implemented this CORS response.
So any site can make a request to your site on behalf of their visitors and process its response. If you have something implemented like an authentication or authorization scheme that is based on something that is automatically provided by the browser (cookies, cookie-based sessions, etc.), the requests triggered by the third party sites will use them too.
When accessing a ressource from a website with a different domain/port, recent browsers refuse to interpret response because of CORS mechanism. The server needs to put some headers to allow browsers to interpret responses.
"Access-Control-Allow-Origin: *"allow all domains
"Access-Control-Allow-Origin: http://example.com:8080 http://foo.example.com"specify a defined domain list.
"Access-Control-Allow-Credentials: true"to also send the cookies
Server MUST return
Access-Control-Expose-Headers containing the exposed headers.
Need to add a route for
OPTIONS http method and a suited controller.
route ex :
OPTIONS /*path controllers.CorsCtrl.checkPreFlight(path)