0

I am doing an Ajax call from a cross domain. I would like to allow this call only for specific domains. What is the best way to get the remote origin from HttpServletRequest? Will request.getHeader("Origin") be available all the time? If the remote domain matches I will set

origin = getFromRequest...
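// Compare strings with equals(), not ==; an Origin value includes the scheme, e.g. https://example.com
if ("https://example.com".equals(origin)) {
   response.addHeader("Access-Control-Allow-Origin", origin);
}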
smile
  • I found some explanation in here https://www.html5rocks.com/en/tutorials/cors/ – smile Mar 02 '18 at 16:14
  • See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin. Browsers always add the Origin header to cross-origin requests made with XHR or the Fetch API. But note that browsers also always send the Origin header for same-origin POST requests — and for same-origin requests made with any HTTP method other than GET or HEAD. – sideshowbarker Mar 03 '18 at 11:08
  • Thank you @sideshowbarker for the link. Seems like it is clarifying that any cross-origin call will have the Origin header. – smile Mar 03 '18 at 17:58

1 Answer

1

Here is what I found from the link https://www.w3.org/TR/cors/. I am seeing this as: cross domain should have the Origin header all the time.

Also found this link, it is very helpful; it tells how IE 11 manages CORS requests: "Internet Explorer 11 does not add the Origin header on a CORS request?"

smile
  • See https://fetch.spec.whatwg.org/#cors-request. (And don’t use https://www.w3.org/TR/cors/ for anything; it’s years out of date and doesn’t match current browser behavior.) – sideshowbarker Mar 03 '18 at 11:03
  • Can somebody tell why the answer is down voted? As stated in the answer, most browsers do send "origin", and the link is saying IE might send differently. – smile Mar 13 '18 at 16:13
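The check discussed in the question and comments, as an added example that is not code from the question or the answer: a servlet filter that treats a missing Origin header as a normal case and echoes the origin back only on an exact allow-list match. It assumes the javax.servlet API; the class name `OriginAllowListFilter` and the allow-list entries are hypothetical.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter name; the allow-list entries are constructed sample values.
public class OriginAllowListFilter implements Filter {

    // Origin values are serialized as scheme://host[:port], so entries carry the scheme.
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
            "https://example.com",
            "https://app.example.com"));

    /** Returns the origin to echo back, or null when no CORS header should be set. */
    static String allowedOrigin(String originHeader) {
        // Absent header: a same-origin GET/HEAD or a non-browser client; nothing to echo.
        if (originHeader == null) {
            return null;
        }
        // Exact match only: no substring, suffix or wildcard comparison.
        // The literal value "null" (opaque origins) is rejected because it is not listed.
        return ALLOWED.contains(originHeader) ? originHeader : null;
    }

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String origin = allowedOrigin(request.getHeader("Origin"));
        if (origin != null) {
            response.setHeader("Access-Control-Allow-Origin", origin);
        }
        // The response differs per Origin, so caches must key on that header.
        response.addHeader("Vary", "Origin");
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() { }
}
```

A non-browser client can send any Origin value or none, so this check controls which pages' scripts may read the response; it does not authenticate the caller.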