pierr0t

Reputation: 123

Is it possible to set "access-control-allow-origin" to "none"?

It might be a stupid question showing that I do not understand CORS, but I will ask it anyway, not having found anything about this. I read literally hundreds of questions about setting "access-control-allow-origin" to "*", but I would like quite the opposite.

If I want to prevent a site from being "called" or "inserted" (not sure about the right term) from/in another website, can I set "access-control-allow-origin" to "none"? The MDN documentation talks about setting it to "null" (not a good idea)... Maybe just removing "access-control-allow-origin" will do what I want, but this is generating an error, so I was wondering if this could be avoided.

Upvotes: 1

Views: 1689

Answers (1)

jub0bs

Reputation: 66244

No; whereas the wildcard (*) allows any origin (without credentials), there is no special Access-Control-Allow-Origin value for disallowing all origins. Moreover, as you already noted, null doesn't mean what you want and should never be allowed (because it's quite insecure).

To indicate that the supplied origin isn't allowed, simply do not include the Access-Control-Allow-Origin header at all in the response.

Upvotes: 3
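
The answer's advice as a server-side sketch, added here as an example and not part of the original answer: the header is sent only for an exact allowlist match and is left out for every other origin, including "null". The allowlisted origin, the other sample origins and all function names are assumptions made for illustration.

```javascript
// Added example; ALLOWED_ORIGINS and all function names are assumptions.
// Use an empty Set to allow no cross-origin reader at all.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]); // constructed sample

// Decide the CORS response headers for one request's Origin value.
function corsHeadersFor(origin, allowed = ALLOWED_ORIGINS) {
  // The response depends on Origin, so tell caches to key on it.
  const headers = { Vary: "Origin" };
  // "null" is never granted, even if someone puts it in the allowlist.
  if (typeof origin !== "string" || origin === "null") return headers;
  // Exact match only: no wildcard, no substring or suffix matching.
  if (allowed.has(origin)) headers["Access-Control-Allow-Origin"] = origin;
  // Otherwise the header is simply absent, which is the "deny" signal.
  return headers;
}

// Request handler in the (req, res) shape used by Node's http.createServer.
function handle(req, res, allowed = ALLOWED_ORIGINS) {
  const headers = corsHeadersFor(req.headers.origin, allowed);
  for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
  // The request is still served; without the header the browser only stops
  // cross-origin script from reading this response.
  res.statusCode = 200;
  res.end("ok");
}

// Drive the handler with a constructed request and a minimal fake response.
function simulate(origin, allowed = ALLOWED_ORIGINS) {
  const sent = { status: 0, headers: {}, body: "" };
  const req = { method: "GET", headers: origin === undefined ? {} : { origin } };
  const res = {
    setHeader(name, value) { sent.headers[name] = value; },
    set statusCode(code) { sent.status = code; },
    end(body) { sent.body = body; },
  };
  handle(req, res, allowed);
  return sent;
}

// Constructed sample origins: allowlisted, unknown, and the literal "null".
for (const o of ["https://app.example.com", "https://other.example", "null"]) {
  console.log(o, simulate(o).headers);
}
```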
