Cors Allowed-Origin Restrictions Aren't Causing the Server to Reject Requests

However, when I open up a browser and type in http://localhost:8080/api/car I am still able to access the REST endpoint.

CORS allowed-origins settings don’t cause servers to block requests.

And since the server isn't blocking the request, nothing prevents you from opening the URL directly in a browser.

The same-origin policy is what imposes cross-origin restrictions, and the same-origin policy is only applied to frontend JavaScript in web applications running in a web browser, and using XHR or Fetch or jQuery $.ajax(…) or whatever to make cross-origin requests.

So CORS isn’t a way to cause servers to block requests. And so it also isn’t a way to prevent users from being able to directly navigate to a URL, and isn’t a way to prevent any non-web-application tools like curl or Postman or whatever from accessing the URL.

Django CORS ORIGIN WHITELIST and ALLOWED_HOST not filtering anything

You can't use Postman or curl (or any other direct HTTP requesting method) to test CORS. CORS is meant to tell web browsers (and only web browsers) which resources they should allow access to from within a web page.

The idea is to prevent someone with malicious-site.com, who entices users to visit that site, from fetching resources from your server (e.g. in an iframe) so that the user thinks they're on your site when they actually aren't.

So you can only test it by running a script that fetches data from your API in a webpage on a different domain (from within a browser). Test your CORS headers like this: embed a script calling your API on another website (e.g. give your localhost another name on your machine and open it there). Then try running the script. You'll see your script fetching the OPTIONS from your site and then an error in your browser.

CORS is not meant for your website to prevent access entirely. Any machine using curl (or postman) will still be able to access your API.
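An added example (not code from either answer on this page) that models both points made above: the server from the first answer, which keeps answering every request whatever its origin, and the browser-side test from the second, where a script on another domain triggers a preflight OPTIONS and then a CORS error. The origin allowlist, the `/api/car` resource, its sample body and the function names are assumptions; the "browser" here is a model of the same-origin policy check that XHR/fetch perform, not a real browser.

```javascript
// Added example, not code from the original answers. Models the CORS flow:
// the server answers every request; only the browser's same-origin policy
// decides whether page script may read the reply. Allowlist and /api/car
// resource are assumptions.

const ALLOWED_ORIGINS = new Set(["https://app.example.com"]); // assumed allowlist

// Every request that reaches the server is recorded, whatever its Origin.
const requestLog = [];
function resetServerLog() { requestLog.length = 0; }
function serverRequestCount() { return requestLog.length; }

// Server side. The body is the same for everyone; only the CORS response
// headers depend on the Origin request header (absent for curl or the URL bar).
function handleRequest(req) {
  requestLog.push({ method: req.method, origin: req.headers.origin || null });
  const headers = { "Content-Type": "application/json" };
  const origin = req.headers.origin;
  if (origin !== undefined && ALLOWED_ORIGINS.has(origin)) {
    headers["Access-Control-Allow-Origin"] = origin;
    headers["Vary"] = "Origin"; // reply differs per origin, so caches must key on it
    headers["Access-Control-Allow-Methods"] = "GET, POST, OPTIONS";
    headers["Access-Control-Allow-Headers"] = "Content-Type";
  }
  if (req.method === "OPTIONS") {
    return { status: 204, headers, body: "" }; // preflight reply carries no body
  }
  // The resource itself is served to everyone, allowed origin or not.
  return { status: 200, headers, body: JSON.stringify([{ id: 1, model: "Golf" }]) };
}

// The check a browser applies to a cross-origin response before handing it
// to XHR / fetch callers. Nothing here stops the request from being sent.
function originAllowed(headers, pageOrigin) {
  const acao = headers["Access-Control-Allow-Origin"];
  return acao === "*" || acao === pageOrigin;
}

// Browser side: a fetch() issued by a page served from pageOrigin.
// needsPreflight models a non-simple request (e.g. POST with a JSON body):
// the browser sends OPTIONS first and only sends the real request if the
// preflight reply permits it.
function browserFetch(pageOrigin, method, path, needsPreflight) {
  const headers = { origin: pageOrigin };
  if (needsPreflight) {
    const pre = handleRequest({ method: "OPTIONS", path, headers });
    if (!originAllowed(pre.headers, pageOrigin)) {
      return { ok: false, error: "CORS error: preflight did not allow origin " + pageOrigin };
    }
  }
  const res = handleRequest({ method, path, headers });
  if (!originAllowed(res.headers, pageOrigin)) {
    // The server already processed the request and returned 200 plus a body;
    // the browser just refuses to expose that body to the page's script.
    return { ok: false, error: "CORS error: response from " + path + " blocked for " + pageOrigin };
  }
  return { ok: true, status: res.status, body: JSON.parse(res.body) };
}

// Non-browser client (curl, Postman, typing the URL into the address bar):
// no page origin, no same-origin policy, the body is simply returned.
function curlFetch(method, path) {
  const res = handleRequest({ method, path, headers: {} });
  return { ok: true, status: res.status, body: JSON.parse(res.body) };
}

// Runs the four cases the answers above describe and counts how many
// requests the server actually handled (all of them).
function demo() {
  resetServerLog();
  return {
    allowedPage: browserFetch("https://app.example.com", "GET", "/api/car", false),
    maliciousPageSimpleGet: browserFetch("https://malicious-site.com", "GET", "/api/car", false),
    maliciousPagePreflightedPost: browserFetch("https://malicious-site.com", "POST", "/api/car", true),
    curl: curlFetch("GET", "/api/car"),
    requestsThatReachedServer: serverRequestCount(),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The case worth noticing is `maliciousPageSimpleGet`: the request was sent, the server handled it and returned 200 with the body, and only then did the browser hide the result from the page. A state-changing endpoint reached by a simple request (a form POST, for instance) would have done its work before the browser reported the CORS error, which is why authorization has to be enforced on the server and not left to CORS headers. Against a real server the same thing is visible with `curl -i -H 'Origin: https://malicious-site.com' http://localhost:8080/api/car`: the 200 and the body come back, just without an `Access-Control-Allow-Origin` header.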
