Reputation: 644
I understand that you are not allowed to make cross-domain Ajax calls, but why is it that I can make a cross-domain Ajax call to Facebook's (or Twitter's or others') OAuth API?
Does this have to do with the following?
"Access-Control-Allow-Origin: *"
Is allowing all access like this bad practice? Is there a better way to allow only people who you authorize?
Thanks!
Upvotes: 2
Views: 1434
Reputation: 655129
The Access-Control-Allow-Origin response header field is part of Cross-Origin Resource Sharing, which allows cross-origin requests with XHR under certain conditions that can be controlled by the server the request is sent to.
In this particular case, Access-Control-Allow-Origin: * means that the server allows requests from any origin. This basically means that the resource is publicly available and does not support credentials.
But as you wish to restrict the access to just authorized users, you cannot use *. Instead, you need to return the Origin header field value (see section 6.1). If the client does already have credentials but has not yet requested the resource, you will also need to support preflight requests that negotiate what information the client is allowed to send.
Upvotes: 2
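An added example (not from the answer's author) of the approach the answer describes: validate the request's Origin against an allowlist, reflect it instead of "*", and answer preflight requests. The origins, methods and header names are assumed values, and the request is modelled as a method string plus a plain dict of headers rather than a real server.

```python
# Added example: computing CORS response headers for an allowlist of origins,
# instead of "Access-Control-Allow-Origin: *". Framework-agnostic: the request
# is modelled as a method string plus a dict of headers (constructed input).

from typing import Dict, Optional

# Hypothetical allowlist of first-party origins (exact scheme + host [+ port]).
ALLOWED_ORIGINS = frozenset({
    "https://app.example.com",
    "https://admin.example.com",
})
ALLOWED_METHODS = {"GET", "POST"}
ALLOWED_REQUEST_HEADERS = {"authorization", "content-type"}


def cors_headers(method: str, headers: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return the CORS response headers for one request, or None when the
    request's Origin is not on the allowlist (omit the headers and the browser
    refuses to hand the response to the calling page)."""
    hdrs = {k.lower(): v for k, v in headers.items()}  # HTTP names are case-insensitive
    origin = hdrs.get("origin")
    # Exact-string match only: prefix, suffix or regex checks are the classic
    # mistake, since a lookalike such as "https://app.example.com.evil.test" passes.
    if origin is None or origin not in ALLOWED_ORIGINS:
        return None

    out = {
        # Reflect the validated Origin instead of "*": "*" cannot be combined
        # with credentials and would open the resource to every site.
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        # Caches must key on Origin, or one site's response is served to another.
        "Vary": "Origin",
    }

    # Preflight: an OPTIONS request carrying Access-Control-Request-Method asks
    # whether the real request (method + custom headers) is permitted.
    if method == "OPTIONS" and "access-control-request-method" in hdrs:
        if hdrs["access-control-request-method"].upper() not in ALLOWED_METHODS:
            return None
        asked = hdrs.get("access-control-request-headers", "")
        if not {h.strip().lower() for h in asked.split(",") if h.strip()} <= ALLOWED_REQUEST_HEADERS:
            return None
        out["Access-Control-Allow-Methods"] = ", ".join(sorted(ALLOWED_METHODS))
        out["Access-Control-Allow-Headers"] = ", ".join(sorted(ALLOWED_REQUEST_HEADERS))
        out["Access-Control-Max-Age"] = "600"  # let the browser cache the preflight
    return out
```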