-1

I am developing an API in ASP.NET Core 3.1. It's working as expected. I was getting CORS-related errors when I was trying to send requests from AJAX, but I was not getting any error when sending the GET request directly from browsers like Chrome and Edge, or even with tools like Postman.

Error:

Access to XMLHttpRequest at 'http://server:8080/API/GetMethod?currency=INR' from origin 'http://localhost:63765' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Client-side code:

```javascript
$.ajax({
   type: 'GET',
   crossDomain: true,
   dataType: 'json',
   url: 'myUrl',
   success: function(jsondata){
   }
})
```

So my question is: why does it not give the error in browsers and Postman? Why does it give the error from client-side code? Do browsers ignore these errors? From my understanding, it should give the same error from browsers and Postman as well.

Update: Although the link context is the same, I am not satisfied with the answers provided. I have got a better, more specific answer to my existing question.

Vivek Nuna
  • What do you mean "sending the GET request directly from browsers"? Do you mean accessing the URL by typing it to the browser's address bar? – Guy Incognito Jul 16 '20 at 11:35
  • @GuyIncognito yes, – Vivek Nuna Jul 16 '20 at 11:36
  • 3
    Why would you get a cross-origin error when accessing something directly? Maybe start by studying what CORS actually is and what it's for. Start with [Why doesn’t Postman get a "No 'Access-Control-Allow-Origin' header is present on the requested resource" error when my JavaScript code does?](https://stackoverflow.com/questions/20035101/why-doesn-t-postman-get-a-no-access-control-allow-origin-header-is-present-on) – Guy Incognito Jul 16 '20 at 11:39

1 Answer

5

The definition of CORS is:

> Cross-Origin Resource Sharing (CORS) is a mechanism that uses additional HTTP headers to tell browsers to give a web application running at one origin, access to selected resources from a different origin. A web application executes a cross-origin HTTP request when it requests a resource that has a different origin (domain, protocol, or port) from its own.
>
> An example of a cross-origin request: the front-end JavaScript code served from https://domain-a.com uses XMLHttpRequest to make a request for https://domain-b.com/data.json.
>
> For security reasons, browsers restrict cross-origin HTTP requests initiated from scripts. For example, XMLHttpRequest and the Fetch API follow the same-origin policy. This means that a web application using those APIs can only request resources from the same origin the application was loaded from unless the response from other origins includes the right CORS headers.

(Emphasis mine.)

So, in short, it's CORS when a script running in a browser in the context of one website sends a request to another website (a "cross-origin HTTP request initiated from a script").

If you are putting the URL into the address bar, it's not a script in the browser belonging to another website which is sending the request - it's you (or more exactly the browser on your behalf). So it's not CORS.

Similarly, if you are using Postman, it's again not a script in the browser belonging to another website which is sending the request (in fact there isn't even any browser in the picture this time) - it's you (or more exactly Postman on your behalf). So it's not CORS.

It's the browser which enforces those rules for scripts running inside of it, not the server. If you are not a script or you don't use the browser at all, you operate outside of those "laws".

CherryDT
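The browser-side decision described in the answer above, as an added example that is not part of the original post: a simplified model of the check a browser applies before a page's script may read a cross-origin response. The function name `canReadResponse`, the `initiator` labels and the sample response headers are assumptions made for this illustration; the URL and origin are the ones from the question's error message.

```javascript
// Simplified model of the browser-side CORS read check (no preflight handling).
// initiator: 'script' (XMLHttpRequest/fetch in a page), 'navigation' (address bar),
// or 'non-browser' (Postman, curl). These labels are assumptions for this example.
function canReadResponse(request, responseHeaders) {
  const { initiator, pageOrigin, url, withCredentials = false } = request;
  if (initiator !== 'script') {
    return { readable: true, reason: 'not a script in a page: CORS check not applied' };
  }
  const source = new URL(pageOrigin).origin; // scheme + host + port
  if (new URL(url).origin === source) {
    return { readable: true, reason: 'same origin' };
  }
  const headers = {}; // header names are case-insensitive
  for (const [name, value] of Object.entries(responseHeaders)) {
    headers[name.toLowerCase()] = value;
  }
  const allowOrigin = headers['access-control-allow-origin'];
  if (allowOrigin === undefined) {
    return { readable: false, reason: "no 'Access-Control-Allow-Origin' header" };
  }
  if (withCredentials) {
    if (allowOrigin === '*') {
      return { readable: false, reason: "wildcard '*' not accepted with credentials" };
    }
    if (headers['access-control-allow-credentials'] !== 'true') {
      return { readable: false, reason: "'Access-Control-Allow-Credentials: true' missing" };
    }
  }
  if (allowOrigin === '*' || allowOrigin === source) {
    return { readable: true, reason: 'origin allowed by response header' };
  }
  return { readable: false, reason: 'allowed origin does not match page origin' };
}

// Values from the question; the response headers are constructed sample data.
const API_URL = 'http://server:8080/API/GetMethod?currency=INR';
const PAGE_ORIGIN = 'http://localhost:63765';
const NO_CORS_RESPONSE = { 'Content-Type': 'application/json' };

function demo() {
  return ['script', 'navigation', 'non-browser'].map((initiator) => ({
    initiator,
    ...canReadResponse({ initiator, pageOrigin: PAGE_ORIGIN, url: API_URL }, NO_CORS_RESPONSE),
  }));
}
console.log(demo());
```

For a simple GET like the one in the question, the server receives and answers the request in all three cases; only the page script's access to the response differs.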