1

Trying to understand CORS and I don't understand how leaving out the header access-control-allow-origin * is different from just omitting it in the first place.

I do not intend on using the * but please explain how that wildcard processes a request differently from a header completely with the access control allow origin?

Matt
Tim

1 Answer

3

Access-Control-Allow-Origin: *

The value * tells browsers to allow requesting code from any origin to access the resource.

If this header is not set, the only origin allowed to access the resource would have to be on the same domain.

More info about it here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin

eselskas
  • thanks. So the default behavior (if the header doesn't exist) is the most restrictive. That is exactly what I want to happen. – Tim Apr 19 '19 at 12:05
  • maybe a new question, but then how is specifying localhost different from omitting? (I did read the link) – Tim Apr 19 '19 at 13:53
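
Added example, not part of the original question, answer or comments: a simplified JavaScript model of the check a browser applies before letting page script read a cross-origin response, covering an omitted header, the * wildcard, and a specific origin such as http://localhost:3000. The function names and all URLs are assumptions made for illustration; preflight handling is left out.

```javascript
// Simplified model of the browser-side CORS check for a simple request.
// The server still receives the request either way; this decides only
// whether page script may read the response.

// An origin is scheme + host + port, as serialized by the URL API.
function originOf(url) {
  return new URL(url).origin;
}

// headers: response headers keyed by lowercase name.
// withCredentials models fetch(url, { credentials: "include" }).
function canReadResponse(pageUrl, resourceUrl, headers, withCredentials = false) {
  const pageOrigin = originOf(pageUrl);
  // Same origin: the CORS headers are not consulted at all.
  if (pageOrigin === originOf(resourceUrl)) return true;

  const allowOrigin = headers["access-control-allow-origin"];
  // Header omitted: every cross-origin read is blocked.
  if (allowOrigin === undefined) return false;

  if (!withCredentials) {
    // "*" admits any origin; otherwise the value must equal the page origin.
    return allowOrigin === "*" || allowOrigin === pageOrigin;
  }
  // Credentialed requests: "*" is rejected and the server must opt in.
  return allowOrigin === pageOrigin &&
    headers["access-control-allow-credentials"] === "true";
}

// Constructed sample values.
const API = "https://api.example.test/data";
const LOCAL = "http://localhost:3000";

function demo() {
  const allowLocal = { "access-control-allow-origin": LOCAL };
  return {
    sameOriginNoHeader: canReadResponse("https://api.example.test/app", API, {}),
    crossOriginNoHeader: canReadResponse(LOCAL + "/app", API, {}),
    wildcard: canReadResponse("https://other.example.test/", API,
      { "access-control-allow-origin": "*" }),
    localhostAllowed: canReadResponse(LOCAL + "/app", API, allowLocal),
    otherSiteWithLocalhostHeader:
      canReadResponse("https://other.example.test/", API, allowLocal),
    differentPort: canReadResponse("http://localhost:8080/app", API, allowLocal),
  };
}

console.log(demo());
```

Naming http://localhost:3000 therefore sits between the two extremes: pages served from that one origin can read the response, while every other origin is treated exactly as if the header had been omitted.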