JavaScript: Which server needs to return the Access-Control-Allow-Origin header?

Let's say I have an HTML page, served up from example.com. It makes a JavaScript AJAX request to targetServer.com.

Which server needs to return an Access-Control-Allow-Origin="(something)" header?

Is it the targetServer or the server that served up the original HTML page (i.e. example.com)?

[I know this probably is obvious, but the docs on the web seem to imply the targetServer has to send an allow-origin header of "example.com". But if this is a security feature, wouldn't a malicious targetServer.com always serve up a suitable allow-origin header? It sort of makes sense that example.com would give the browser a list of servers it is allowed to call in addition to example.com.]

Answer:1

The target server needs to set the Access-Control-Allow-Origin header.

CORS is meant to protect a server from unexpected cross-origin requests. In a world before CORS existed, servers were protected from cross-origin requests by the browser's same-origin policy. If CORS were automatically allowed to all servers, this same-origin contract would break, and servers would begin receiving unexpected requests. In order to prevent this, the CORS spec authors put the servers in charge of dictating what types of cross-origin requests are allowed.

Servers can do this not only with the Access-Control-Allow-Origin header, but also with the Access-Control-Allow-Credentials, Access-Control-Allow-Methods, Access-Control-Allow-Headers and Access-Control-Expose-Headers headers. These various headers give the server fine-grained control over configuring its CORS behavior.

So in your example, a malicious server could set those headers, but the headers wouldn't do anything on their own. A client would need to make a conscious decision in order to send a request to the malicious server. In effect, the client itself would need to be malicious.
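To make the point of this answer concrete, here is an added JavaScript model of the browser-side CORS check (it is not code from the question or the answer): the decision looks only at the target server's response headers, never at anything example.com sent. The function and scenario names, and the sample header sets, are constructed for illustration.

```javascript
// Added example (not from the original post): a model of the browser's
// CORS response check as the Fetch standard specifies it. Only the
// *target* server's response headers are consulted; the server that
// served the page (example.com here) plays no part in the decision.
// responseHeaders: object keyed by lower-cased header name (constructed input).
// credentialsMode: "omit" | "same-origin" | "include" (the fetch() option).
function corsCheck(requestOrigin, credentialsMode, responseHeaders) {
  const allowOrigin = responseHeaders["access-control-allow-origin"];
  if (allowOrigin === undefined) {
    return { allowed: false, reason: "target sent no Access-Control-Allow-Origin" };
  }
  if (allowOrigin === "*") {
    // The wildcard satisfies anonymous requests only.
    return credentialsMode === "include"
      ? { allowed: false, reason: "wildcard is rejected for credentialed requests" }
      : { allowed: true, reason: "wildcard matches any origin" };
  }
  // Exact comparison of the full origin (scheme://host[:port]); one origin, never a list.
  if (allowOrigin !== requestOrigin) {
    return { allowed: false, reason: `${allowOrigin} is not ${requestOrigin}` };
  }
  if (credentialsMode === "include" &&
      responseHeaders["access-control-allow-credentials"] !== "true") {
    return { allowed: false, reason: "credentialed request needs Access-Control-Allow-Credentials: true" };
  }
  return { allowed: true, reason: "origin matched" };
}

// Constructed scenarios: a page at https://example.com calling targetServer.com.
const PAGE_ORIGIN = "https://example.com";
function scenarios() {
  return {
    // Target sends nothing: blocked regardless of example.com's own headers.
    noHeader: corsCheck(PAGE_ORIGIN, "omit", {}),
    // Target allows exactly the page's origin: response is readable.
    exactMatch: corsCheck(PAGE_ORIGIN, "omit",
      { "access-control-allow-origin": "https://example.com" }),
    // A bare host name does not equal the origin the browser sends.
    hostOnly: corsCheck(PAGE_ORIGIN, "omit",
      { "access-control-allow-origin": "example.com" }),
    // Wildcard plus cookies: blocked.
    wildcardWithCookies: corsCheck(PAGE_ORIGIN, "include",
      { "access-control-allow-origin": "*" }),
    // Exact origin plus Allow-Credentials: true: readable with cookies.
    credentialed: corsCheck(PAGE_ORIGIN, "include",
      { "access-control-allow-origin": "https://example.com",
        "access-control-allow-credentials": "true" }),
  };
}
```

Note that the browser compares the full origin, so an allow-origin value of "example.com" without the scheme matches nothing.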
