I've been reading about CORS and I built a simple Rails API. I am trying to build an Angular client to consume it and I know how to allow this by adding allow-access-headers to the server. But currently, why can Chrome consume this API? If I go to the API endpoint using Chrome by typing in the address in my URL bar, I can see the JSON data. Why is this even though I haven't done anything to the server to allow CORS?
What do you mean by “if I go to the API endpoint”? Are you calling the URL directly in your browser, by typing it into the address bar? Then of course none of the restrictions CORS lifts are applicable in the first place. – CBroe Jul 12 '15 at 11:48
-
I was going to type an answer, but the duplicate really had a complete explanation. – bmargulies Jul 12 '15 at 11:52
-
How can I look up duplicates in the future more easily? – Jwan622 Jul 12 '15 at 11:56
-
@bmargulies I still don't get why my browser can make a request using the url address bar but not an AJAX request. – Jwan622 Jul 12 '15 at 12:12
-
@Jwan622: Again, the same-origin policy applies to Ajax requests specifically, but not the browser in general. If you type the URL into the address bar, then *you* are making the request, not a page. – Felix Kling Jul 12 '15 at 12:21
-
@FelixKling "then you are making the request, not a page"? So when my browser makes a request, it's cool? But when it requests a page it is not? What is a page here? – Jwan622 Jul 12 '15 at 15:51
1 Answer
3
> Why is this even though I haven't done anything to the server to allow CORS?
Only Ajax requests are subject to the same-origin policy and affected by CORS. "Normal" HTTP requests, such as performed by the browser when you type the URL into the address bar, are not.

Felix Kling
But from the MDN site: "Cross-site HTTP requests are HTTP requests for resources from a different domain than the domain of the resource making the request. For instance, a resource loaded from Domain A (http://domaina.example) such as an HTML web page, makes a request for a resource on Domain B (http://domainb.foo), such as an image, using the img element (http://domainb.foo/image.jpg). This occurs very commonly on the web today — pages load a number of resources in a cross-site manner, including CSS stylesheets, images and scripts, and other resources." – Jwan622 Jul 12 '15 at 11:56
-
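The distinction discussed in this thread, as an added example that is not part of the original posts: a simplified model of how a browser treats the same response depending on who initiated the request. The function names, the `localhost` origins and the header sets are assumptions made for illustration, and only the simple GET case (no preflight) is modelled.

```javascript
// Simplified model of the browser's decision for a simple GET (no preflight).
// Origins, URLs and header sets used with it are constructed for illustration.
function header(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? null : String(headers[key]).trim();
}

// initiator: 'address-bar' (the user navigates), 'img' (cross-origin embed),
// or 'fetch' (page script using fetch/XMLHttpRequest in CORS mode).
function browserDecision({ initiator, pageUrl, targetUrl, responseHeaders = {}, credentials = false }) {
  if (initiator === 'address-bar') {
    // No page is asking to read the response; the browser simply displays it.
    return { verdict: 'displayed', reason: 'top-level navigation, no CORS check' };
  }
  const pageOrigin = new URL(pageUrl).origin;
  if (pageOrigin === new URL(targetUrl).origin) {
    return { verdict: 'readable', reason: 'same origin' };
  }
  if (initiator === 'img') {
    // The image is fetched and rendered, but page script cannot read its bytes.
    return { verdict: 'opaque', reason: 'cross-origin embed without CORS' };
  }
  // Cross-origin script request: the response arrives, then the CORS check runs.
  const allowOrigin = header(responseHeaders, 'access-control-allow-origin');
  const allowCreds = header(responseHeaders, 'access-control-allow-credentials') === 'true';
  if (allowOrigin === null) {
    return { verdict: 'blocked', reason: 'no Access-Control-Allow-Origin header' };
  }
  // With cookies or HTTP auth, "*" is rejected and credentials must be allowed.
  const ok = credentials
    ? allowOrigin === pageOrigin && allowCreds
    : allowOrigin === '*' || allowOrigin === pageOrigin;
  return ok
    ? { verdict: 'readable', reason: 'Access-Control-Allow-Origin matches' }
    : { verdict: 'blocked', reason: 'Access-Control-Allow-Origin does not permit this origin' };
}

// Constructed scenario: Rails API on port 3000, Angular dev page on port 4200.
const api = 'http://localhost:3000/items.json';
const page = 'http://localhost:4200/';
console.log(browserDecision({ initiator: 'address-bar', targetUrl: api }));
console.log(browserDecision({ initiator: 'fetch', pageUrl: page, targetUrl: api }));
console.log(browserDecision({ initiator: 'fetch', pageUrl: page, targetUrl: api,
  responseHeaders: { 'Access-Control-Allow-Origin': 'http://localhost:4200' } }));
```

In every case the server answers the request; the verdict only describes what the browser then lets the requesting page's script do with the response.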