
This confuses me a lot. Let's say I have 2 tabs open in my browser, one on http://aaa.com and another on http://bbb.com.

Let's say I make a request

$.ajax({
    method : 'POST',
    url : 'http://aaa.com/SomeAction',
    ...
});

from the JavaScript console of my browser. The way I understand cross-origin policy is that the server only allows that request to happen if the JS console I typed it into was the one in the tab for http://aaa.com. But how does the server know that? Does my browser send it a header that tells it where the request is coming from?

SilverlightFox
Subpar Web Dev
  • You can open `Network` tab, select url of `$.ajax()` request, click `Headers` tab, scroll to `Request Headers` to review request and response headers for the request. – guest271314 Apr 09 '16 at 01:08
  • The server doesn’t have to know about anything – the _client_ is the one that enforces this policy. (Unless we’re talking about CORS here, then the server of course has to play its part as well.) – CBroe Apr 09 '16 at 01:09
  • @CBroe — Even with CORS, the server doesn't enforce the policy; it relaxes it. – Quentin Apr 11 '16 at 08:34
  • @Quentin I didn’t say the server enforces it, only that it plays a part in it. – CBroe Apr 11 '16 at 09:20

1 Answer

is that the server only allows that request to happen if the JS console I typed it into was the one in the tab for http://aaa.com

Not true.

Nothing stops example.com from sending an AJAX request to example.org. The Same Origin Policy, however, will prevent example.com from reading the response returned.

The Same Origin Policy is enforced in the client-side browser, not on the server.

SilverlightFox
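An added example, not part of the question or the answer: a small JavaScript model of the browser-side decision the answer describes. The request always leaves the browser (tagged with an Origin header); the Same Origin Policy, relaxed only by the server's CORS headers, decides whether the page's script may read the response. The `server` callback, `makeServer` and the constructed URLs are assumptions for the demo.

```javascript
// Two URLs share an origin when scheme, host and port all match (Node's global URL).
function sameOrigin(a, b) {
  const ua = new URL(a), ub = new URL(b);
  return ua.protocol === ub.protocol && ua.hostname === ub.hostname && ua.port === ub.port;
}

// Model of a fetch from a page at `pageOrigin` to `url`.
// `server` is a constructed stand-in for the remote server: it receives the Origin
// header the browser attaches and returns { status, headers, body }.
// Returns { sent, readable, reason }: the request is always sent; reading is gated.
function crossOriginFetch(pageOrigin, url, server, withCredentials = false) {
  const origin = new URL(pageOrigin).origin;
  // The browser sends the request regardless of origin and attaches Origin.
  const resp = server({ origin, url });
  if (sameOrigin(pageOrigin, url)) {
    return { sent: true, readable: true, reason: 'same-origin' };
  }
  // Cross-origin: the response is readable only if the server opted in via CORS.
  const acao = resp.headers['access-control-allow-origin'];
  const acac = resp.headers['access-control-allow-credentials'];
  if (acao === undefined) return { sent: true, readable: false, reason: 'no ACAO header' };
  if (acao === '*') {
    if (withCredentials) return { sent: true, readable: false, reason: 'wildcard not allowed with credentials' };
    return { sent: true, readable: true, reason: 'ACAO: *' };
  }
  if (acao !== origin) return { sent: true, readable: false, reason: 'ACAO mismatch' };
  if (withCredentials && acac !== 'true') return { sent: true, readable: false, reason: 'credentials not allowed' };
  return { sent: true, readable: true, reason: 'ACAO matches Origin' };
}

// Constructed server for http://aaa.com: logs every request it receives (showing
// that cross-origin requests do arrive) and only echoes ACAO for its own origin.
function makeServer() {
  const log = [];
  return {
    log,
    handle({ origin, url }) {
      log.push({ origin, url });
      const headers = {};
      if (origin === 'http://aaa.com') headers['access-control-allow-origin'] = origin;
      return { status: 200, headers, body: 'secret' };
    },
  };
}
```

Because the server still processes the request, state-changing endpoints need their own CSRF defence (e.g. checking the Origin header or a token) rather than relying on the browser to suppress the request.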