0

This is a trivial question, I know, but I just can't figure it out properly.

I have a website http://a.com that references a script from http://b.com/script.js. Where should I put the access-control-allow-origin header - on a.com or on b.com?

zmbq

1 Answer

1

Browsers follow the rule of "same origin".

It means a page loaded from a.com:80 can only access resources from a.com:80.

If the browser wants to load a resource from b.com:443 in an HTML document provided by a.com:80, it must be explicitly allowed by a.com:80.

To answer, the HTML document(s) returned by a.com:80 must include the following header:

access-control-allow-origin=b.com:443

to allow the browser to load something from b.com:443.

Mumrah81
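An added example, not part of the original question or answer: a simplified model of the check a browser applies to the `Access-Control-Allow-Origin` header for the question's two URLs. The browser reads the header from the response for the requested resource and compares it with the origin of the requesting page. The function names and sample header values are constructed, and credentials and preflight requests are left out.

```javascript
// Simplified model of the browser-side CORS check (no credentials, no preflight).
// Function names are hypothetical; sample header values are constructed.

// Serialize an origin as scheme://host[:port]; URL.origin omits default ports.
function originOf(url) {
  return new URL(url).origin;
}

// pageUrl:         document that issues the request (e.g. with fetch()).
// resourceUrl:     URL being requested.
// responseHeaders: headers on the response for resourceUrl, lowercase keys.
function corsAllowsRead(pageUrl, resourceUrl, responseHeaders) {
  const pageOrigin = originOf(pageUrl);
  if (pageOrigin === originOf(resourceUrl)) return true; // same origin: no CORS involved
  const acao = responseHeaders["access-control-allow-origin"];
  if (acao === undefined) return false; // resource's server did not opt in
  if (acao === "*") return true;        // wildcard, valid only without credentials
  return acao === pageOrigin;           // byte-for-byte match with the page's origin
}

// Note: a classic <script src="..."> load executes without this check; it applies
// to fetch()/XMLHttpRequest reads, <script crossorigin> and module scripts.

const page = "http://a.com/index.html";
const script = "http://b.com/script.js";

// Evaluate several constructed responses from b.com for a request made by a.com.
function demo() {
  const cases = {
    noHeader: {},
    exactOrigin: { "access-control-allow-origin": "http://a.com" },
    wildcard: { "access-control-allow-origin": "*" },
    missingScheme: { "access-control-allow-origin": "a.com" },
    explicitDefaultPort: { "access-control-allow-origin": "http://a.com:80" },
    resourceOwnOrigin: { "access-control-allow-origin": "http://b.com" },
  };
  const out = {};
  for (const [name, headers] of Object.entries(cases)) {
    out[name] = corsAllowsRead(page, script, headers);
  }
  return out;
}

console.log(demo());
```
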