CORS: Do I need it here?

Question

I have a set of too many Domains, whose common files like javascript files I have at a central server.

Now I have this setup:

On a click on a page item on domain A a script is executed on the central server, which calls a webservice on domain A.

So I guess if my script would be on domain A everything would work fine ( except I would have to have about 60 copies of my script on my 60 domains). But I expect my webservice is never called because I have a CORS problem here.

so:

"A" loads script from "Central" executes it and a webservice on "A" is called by the script placed in "Central".

Is this a case where CORS is needed? Or might my error be somewhere else ( or both.... but that is my problem then)

Answer 1

The question really is where is the HTTP request going to that loads the page, any resource loaded from various servers like .js, .css or images is fine (it doesn't matter). The only issue is when you call an action (e.g. AJAX call or any XHR) to a server that isn't the exact same as the source. Then you would need to use CORS or JSONP.

Answer 2

You only need CORS (or another means to circumvent the Same Origin Policy) if JavaScript which is client side and in a webpage needs to make an HTTP request to an HTTP server with a different origin (scheme, hostname and/or port). (Exception: If it is a simple request and you do not need the response data to be available to the JS).

The biggest clue that you need CORS is if the JavaScript error console complains about Origin foo is not allowed by Access-Control-Allow-Origin.

Your description isn't very clear, but it sounds like you are making a request from client side code hosted on one origin but loaded into a page hosted on another but which makes an HTTP request to the origin of the page. This is fine. The origin is determined by the URL of HTML document the script is loaded into, not the URL the script is loaded from.