
I have access to my "domainA" including server configuration. Actually the server configuration allows CORS only on same origin. I did not understand how exactly it works, so I'll try to explain my doubts.

I request with my browser the domainA (Access-Control-Allow-Origin: same-origin), and when I request the page it downloads domainA.js, which contains an AJAX call (simple GET request) to a domainB (third party site). In the browser console the request is blocked due to CORS. I don't understand who is exactly responsible for the blocked request.

Scenario 1: I can edit my server configuration on domainA to allow, for example, any origin (Access-Control-Allow-Origin: *); domainB (which is not mine) is set, for example, to same origin. Can I make the AJAX call from domainA to domainB?

Scenario 2: domainA with same origin and domainB with any origin. Can I make the AJAX call from domainA to domainB?

I'm a little bit confused about CORS. I tried to read many guides but I did not find something exhaustive. If I understand correctly, the browser sends an Origin request header to domainA and domainA sends back to the browser a response header with a list of domains (domainB, domainC). In this case that list tells the browser something like "ok, you are allowed" to make, for example, AJAX calls to that list (domainB, domainC). In this case, to make the AJAX call (GET) from domainA to domainB or domainC, are these settings sufficient (Access-Control-Allow-Origin: [domainA, domainB]), or do I also need domainB or domainC to allow domainA in their response headers when they are contacted by the AJAX request from domainA?

lausent

  • What exactly is your question? If you need to enable CORS just google 'How to enable CORS in [your server side technology here]' and I'm sure you'll get thousands of guides. – Rory McCrossan May 28 '19 at 08:26
  • So the blocked request is due to my server settings? If I set Access-Control-Allow-Origin to domainB on my server, then the browser that visits domainA can make the AJAX call from domainA to domainB? – lausent May 28 '19 at 08:30
  • It's fairly straightforward in the abstract: to make a CORS request from a page at domainA to a server at domainB then the domainB server must set the necessary headers in its response to the request. At minimum this includes an access-control-allow-origin header. Same idea if a request goes from a page in domainA to a server in domainC. The domainC server must provide suitable headers in its response. – ADyson May 28 '19 at 08:35
  • You seem to be getting quite confused about multiple domains. Consider each interaction between different domains as separate. If you want a server to be accessible via CORS then it must set CORS headers in its responses. You can either allow access from all domains, or from a list that you, as the owner of the server, can specify. – ADyson May 28 '19 at 08:37
  • I strongly suggest you read the answer to the duplicate question which goes through all the background step by step. Understanding the *why* makes it much easier to remember the *how*. – Quentin May 28 '19 at 08:45
  • So the third website (third website = domainB, not mine) has to contain my domainA in its response header. In this case domainB allows an AJAX call from domainA (my domain) to domainB. In this case, is the response header of my domainA used by my browser or by domainB to check whether the response of the AJAX call must be blocked? – lausent May 28 '19 at 08:54
  • It's the browser which actually does the checking, and decides whether to pass the server's response back to the page or not. The server just has to set the headers. If you don't control the server, and the server hasn't set the headers, then there's nothing you can do (apart from ask the controller of the server if they are prepared to allow CORS requests from your domain). Without the headers in the response, the browser will never allow the call to succeed. – ADyson May 28 '19 at 08:59
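The exchange the comments describe, as an added example that is not part of the question or of any commenter's reply: one function plays the third-party server (domainB) deciding which Access-Control-Allow-Origin header to send, and another plays the browser, which is the only party that enforces the rule. The domain names, the allow-list parameters and the scenario values are constructed for illustration; the model deliberately accepts domainA's own header configuration and never consults it, which is the answer to both scenarios in the question.

```javascript
// Server side: what the owner of domainB configures. `allowList` holds the
// origins domainB trusts; '*' means any origin. Returns the response domainB
// would send for a request carrying the given Origin header.
function domainBResponse(requestOrigin, allowList) {
  const headers = {};
  if (allowList.includes('*')) {
    headers['Access-Control-Allow-Origin'] = '*';
  } else if (requestOrigin && allowList.includes(requestOrigin)) {
    // Echo exactly one origin: browsers do not accept a comma-separated list.
    headers['Access-Control-Allow-Origin'] = requestOrigin;
    headers['Vary'] = 'Origin'; // so caches keep per-origin copies apart
  }
  // No matching origin: plain response, no CORS header at all.
  return { status: 200, headers, body: '{"hello":"world"}' };
}

// Browser side: may the page at `pageOrigin` read the response it received
// from `targetOrigin`? Same-origin responses need no header. For cross-origin
// responses the browser compares pageOrigin with the Access-Control-Allow-Origin
// value that the *target* server sent. The request itself was already sent and
// answered; the browser only withholds the result from the page.
function browserExposesResponse(pageOrigin, targetOrigin, response, withCredentials = false) {
  if (pageOrigin === targetOrigin) {
    return { exposed: true, reason: 'same-origin, CORS not involved' };
  }
  const acao = response.headers['Access-Control-Allow-Origin'];
  if (acao === undefined) {
    return { exposed: false, reason: 'target sent no Access-Control-Allow-Origin header' };
  }
  if (acao === '*') {
    // A wildcard is rejected when the request carried cookies or other credentials.
    return withCredentials
      ? { exposed: false, reason: 'wildcard not accepted for credentialed requests' }
      : { exposed: true, reason: 'wildcard matches any origin' };
  }
  if (acao === pageOrigin) {
    return { exposed: true, reason: 'target listed this exact origin' };
  }
  return { exposed: false, reason: `target allowed ${acao}, not ${pageOrigin}` };
}

// One AJAX/fetch call from a page served by domainA to domainB.
// `domainAAllowList` is the page's OWN server configuration (the setting the
// question asks about). It is accepted here only to make the point visible:
// it is never read, because domainA's headers govern requests made TO domainA,
// not requests the page makes to other sites.
function simulateAjax(pageOrigin, domainAAllowList, targetOrigin, domainBAllowList, withCredentials = false) {
  const response = domainBResponse(pageOrigin, domainBAllowList); // browser sent Origin: pageOrigin
  return browserExposesResponse(pageOrigin, targetOrigin, response, withCredentials);
}

// Constructed placeholder origins.
const DOMAIN_A = 'https://domain-a.example';
const DOMAIN_B = 'https://domain-b.example';

// Scenario 1: domainA allows '*', domainB allows nothing cross-origin -> blocked.
const scenario1 = simulateAjax(DOMAIN_A, ['*'], DOMAIN_B, []);
// Scenario 2: domainA same-origin only, domainB allows '*' -> allowed.
const scenario2 = simulateAjax(DOMAIN_A, [], DOMAIN_B, ['*']);
// domainB explicitly lists domainA -> allowed, whatever domainA configures.
const listed = simulateAjax(DOMAIN_A, [], DOMAIN_B, [DOMAIN_A]);
// domainB lists a different origin -> blocked.
const otherOrigin = simulateAjax(DOMAIN_A, ['*'], DOMAIN_B, ['https://domain-c.example']);
// domainB answers '*' but the call sends cookies -> blocked.
const credentialed = simulateAjax(DOMAIN_A, [], DOMAIN_B, ['*'], true);

console.log({ scenario1, scenario2, listed, otherOrigin, credentialed });
```

Running the block prints each scenario's verdict and reason. Because `domainAAllowList` is never read, changing it cannot turn a blocked call into an allowed one; only the allow-list of the server being called (domainB) matters, and it is the browser, not either server, that applies the comparison.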
