Mohammad Karmi

Reputation: 1465

CORS allowed when no response header Access-Control-Allow-Origin

I'm able to send POST/PUT/DELETE requests to my localhost even though the response headers don't include "Access-Control-Allow-Origin". I'm using Chrome, so my questions are:

1- Will requests from a different site be allowed if no "Access-Control-Allow-Origin" is returned?

2- Why did the request work on my localhost? The browser sent the following headers in the request:

Origin: http://localhost:8080

Or do browsers ignore the response header "Access-Control-Allow-Origin" when it's the same origin?

Upvotes: 0

Views: 595

Answers (1)

Quentin

Reputation: 944216

> will requests from different site allowed if no "Access-Control-Allow-Origin" returned ?

A POST request, all else being equal, will be allowed, but the Same Origin Policy will prevent JS from reading the response.

PUT and DELETE requests require a Preflight request to receive permission from CORS first, so the requests will be blocked.

> why the request worked on my local host

The Same Origin Policy doesn't block access when the request is from the same origin.

Upvotes: 1
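
The rules in the answer above, modelled as an added example (not part of the original answer or the asker's code). `corsOutcome`, its field names and `https://other.example` are hypothetical, and the model goes slightly beyond the answer by also covering the Content-Type condition that decides whether a POST needs a preflight.

```javascript
// Simplified model of how a browser treats a script-initiated (fetch/XHR) request.
// Assumptions: only method and Content-Type are modelled (no custom headers, no
// credentials), and serverHeaders stands for both the preflight and the final response.
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

const list = (v) => (v || "").split(",").map((s) => s.trim());

function corsOutcome({ pageOrigin, url, method, contentType = null, serverHeaders = {} }) {
  const m = method.toUpperCase();
  // Same origin: the Same Origin Policy does not apply, so CORS headers are never consulted.
  if (new URL(url).origin === pageOrigin) {
    return { preflight: false, reachesServer: true, scriptCanRead: true };
  }
  const allowOrigin = serverHeaders["access-control-allow-origin"];
  const originOk = allowOrigin === "*" || allowOrigin === pageOrigin;
  const type = contentType ? contentType.split(";")[0].trim().toLowerCase() : null;
  const typeIsSimple = type === null || SIMPLE_TYPES.has(type);
  if (SIMPLE_METHODS.has(m) && typeIsSimple) {
    // Sent without a preflight: the server processes it; only reading the response is gated.
    return { preflight: false, reachesServer: true, scriptCanRead: originOk };
  }
  // Otherwise an OPTIONS preflight must be approved before the real request is sent.
  const methods = list(serverHeaders["access-control-allow-methods"]);
  const headers = list(serverHeaders["access-control-allow-headers"]).map((h) => h.toLowerCase());
  const methodOk = SIMPLE_METHODS.has(m) || methods.includes(m) || methods.includes("*");
  const typeOk = typeIsSimple || headers.includes("content-type") || headers.includes("*");
  const approved = originOk && methodOk && typeOk;
  return { preflight: true, reachesServer: approved, scriptCanRead: approved };
}

// Constructed scenario: a page on https://other.example (hypothetical) calls the
// asker's server on http://localhost:8080, which returns no CORS headers at all.
const api = "http://localhost:8080/items/1";
const cases = [["POST", "text/plain"], ["POST", "application/json"], ["PUT", null], ["DELETE", null]];
for (const [method, contentType] of cases) {
  const r = corsOutcome({ pageOrigin: "https://other.example", url: api, method, contentType });
  console.log(method, contentType, r);
}
```

The first row is the one to note when hardening a server: a cross-origin POST with a simple content type still reaches the handler when no `Access-Control-Allow-Origin` is returned, so state-changing endpoints need their own CSRF protection.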
