I've been CORSed to death for days while trying to use a browser to interact with a REST api (Cisco's CSR1000v REST API). The API's required basic authentication returns a token which is then used to do RESTful things - GETs, DELETEs, etc.
Cygwin64's cURL worked/works fine but I could not get a browser to do it (basic authentication) no matter what I tried. ...and tried, and tried, and tried. I finally installed a 'CORS Everywhere' Firefox plugin and poof, it worked!
My question is: If the server resource, NGINX in this case, does not have the 'Access-Control-Allow-Origin' set, does that make CORS literally impossible from (non hacked/plugin'ed) Web browsers? I don't have access to the NGINX to configure it, by the way.
I saw the fetch api but it appears that browsers are basically not supporting the no-cors mode at this time.
