I have probably an abstract question about `Access-Control-Allow-Origin: *`.
I know that this is set from BE to allow a list of web sites to access the API, in our case it allows all sites.
Question: Is it obligatory to send the request from the front end also setting `Access-Control-Allow-Origin: *` in headers or not?

Asking
- From the duplicate: "Common mistakes that trigger this include: … trying to put Access-Control-Allow-Origin and other CORS response headers on the request. These don't belong on the request, don't do anything helpful (what would be the point of a permissions system where you could grant yourself permission?), and must appear only on the response." – Quentin Apr 07 '22 at 14:25
- @Quentin, so this should be set only on the back-end, am I right? – Asking Apr 07 '22 at 14:28
- Yes, they are response-only headers and used by the browser to determine whether to continue with the request. Setting these on the request serves no purpose and, at best, will be ignored. – phuzi Apr 07 '22 at 14:34
- @phuzi, and due to the fact that this is set on BE, it automatically will check the front end to understand the origin, and setting this on FE is redundant, correct? – Asking Apr 07 '22 at 14:36
- Yes, setting this on FE is worthless, it won't (shouldn't) do anything. – phuzi Apr 07 '22 at 14:39
- @phuzi — No. It will make the request preflighted and require that the server allows the client to set `Access-Control-Allow-Origin` using an `Access-Control-Allow-Headers` response header. That's highly undesirable but is something. – Quentin Apr 07 '22 at 15:02
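
The behaviour described in the comments above, as an added example that is not part of the original thread: a simplified JavaScript model of how a browser decides to preflight a request and whether the preflight response permits it. The function names, the origin and the sample headers are constructed; the model assumes a non-credentialed request and omits the `Range` and header-length rules of the Fetch standard.

```javascript
// Simplified model of the Fetch standard's CORS preflight rules (added example).
// Assumes a non-credentialed request; all names and sample values are constructed.
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// Lower-cased names of request headers that are not CORS-safelisted.
function unsafeHeaderNames(headers) {
  return Object.entries(headers)
    .filter(([name, value]) => {
      const n = name.toLowerCase();
      if (SAFE_HEADERS.has(n)) return false;
      if (n !== "content-type") return true;
      return !SAFE_CONTENT_TYPES.has(String(value).split(";")[0].trim().toLowerCase());
    })
    .map(([name]) => name.toLowerCase())
    .sort();
}

// True when the browser must send an OPTIONS preflight before the real request.
function needsPreflight(method, headers) {
  return !SAFE_METHODS.has(method.toUpperCase()) || unsafeHeaderNames(headers).length > 0;
}

// True when the preflight response (lower-cased header names) permits the request.
function preflightAllows(origin, method, headers, response) {
  const list = (key) =>
    (response[key] || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
  const allowOrigin = response["access-control-allow-origin"] || "";
  if (allowOrigin !== "*" && allowOrigin !== origin) return false;
  const methods = list("access-control-allow-methods");
  const methodOk = SAFE_METHODS.has(method.toUpperCase()) ||
    methods.includes(method.toLowerCase()) || methods.includes("*");
  if (!methodOk) return false;
  const allowed = list("access-control-allow-headers");
  // "*" covers any header except Authorization, which must be listed by name.
  return unsafeHeaderNames(headers).every(
    (h) => allowed.includes(h) || (allowed.includes("*") && h !== "authorization"));
}

// The mistake from the question: a CORS response header placed on the request.
const mistaken = { "Access-Control-Allow-Origin": "*" };
console.log(needsPreflight("GET", {}), needsPreflight("GET", mistaken));
```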