-1

I'm developing a web application. During development, I want my locally hosted application to be able to send XMLHttpRequests to another domain.

I googled around, and a lot of material says that to allow CORS on Chrome, I need to use the --disable-web-security option. Any server needs to implement the response header: Access-Control-Allow-Origin: *.

Does it mean that even if a server has implemented CORS, a normal Chrome user still won't be able to send cross-origin requests because --disable-web-security is not enabled?

If that's the case, then what's the point of a server implementing CORS? Normal users won't know to turn on the --disable-web-security option.

Aaron Shen
  • It is allowed on Chrome. Refer to this link: http://stackoverflow.com/questions/20035101/no-access-control-allow-origin-header-is-present-on-the-requested-resource/28848096#28848096 – Ritt May 08 '15 at 06:51
  • I'm still unclear, do you mean --disable-web-security is not needed? – Aaron Shen May 08 '15 at 07:18

1 Answer

0

After doing some testing, I have got my answer.
Most of the online materials or blogs are not clear about this point: you can send cross-origin requests by:

  1. either having the server implement CORS, i.e. the response header needs to have Access-Control-Allow-Origin: *
  2. or using --disable-web-security on your Chrome browser for convenience

So you only need one of the above for cross-origin requests to work. It's NOT necessary to both ensure the server has implemented CORS and disable web security in your web browser.

Aaron Shen
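
The first option in the answer above (the server sends Access-Control-Allow-Origin), as an added example that is not part of the original post: a Node-style request handler that returns the header only for listed development origins instead of `*`, and answers the preflight request. The origins, port, allowed methods and function names are assumptions chosen for illustration.

```javascript
// Origins allowed to read responses cross-origin (constructed dev values).
const ALLOWED_ORIGINS = new Set([
  "http://localhost:3000",
  "http://127.0.0.1:3000",
]);

// Decide which CORS response headers to send for a given request Origin.
function corsHeaders(origin, allowed = ALLOWED_ORIGINS) {
  // Vary tells caches that the response depends on the Origin request header.
  const headers = { Vary: "Origin" };
  if (origin && allowed.has(origin)) {
    // Echo the single matching origin rather than sending "*".
    headers["Access-Control-Allow-Origin"] = origin;
  }
  // Without Access-Control-Allow-Origin the browser keeps the response
  // away from the calling script; no browser flag is involved.
  return headers;
}

// Node-style handler: answers the preflight (OPTIONS) and normal requests.
function handle(req, res) {
  const headers = corsHeaders(req.headers.origin);
  const originAllowed = "Access-Control-Allow-Origin" in headers;
  if (req.method === "OPTIONS") {
    if (originAllowed) {
      headers["Access-Control-Allow-Methods"] = "GET, POST";
      headers["Access-Control-Allow-Headers"] = "Content-Type";
      headers["Access-Control-Max-Age"] = "600";
    }
    res.writeHead(204, headers);
    res.end();
    return;
  }
  headers["Content-Type"] = "application/json";
  res.writeHead(200, headers);
  res.end(JSON.stringify({ ok: true }));
}

// To serve it (port is an assumption):
//   require("http").createServer(handle).listen(8080);
```
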