
CORS issue doesn't occur when using POSTMAN

I have been using POSTMAN for some time now for sending HTTP requests like GET, POST, PUT for RESTful Webservices. Recently came across a situation, when sending a request to my REST API through browser, I got a message that

No Access Control Allow Origin Header is present on the Requested resource.

The solution was of course to add such a header to the API. However, strangely, when I sent the same request through POSTMAN I was able to get back the response.

So I want to know how is sending a request through POSTMAN different from sending a request through browser.

I went through this question: CORS with POSTMAN, but it really doesn't provide an answer in detail.

Shubham Khatri asked Apr 11 '16 16:04


People also ask

Why there is no CORS issue in Postman?

The CORS standard is a client-side standard, implemented in the browser. So it is the browser which prevents the call from completing and generates the error message - not the server. Postman does not implement the CORS restrictions, which is why you don't see the same error when making the same call from Postman.

How do you get CORS error in Postman?

Install the Postman Desktop Agent for your OS on our download page. Note: The CORS error generally happens due to browser limitations regarding resources shared between different internet domains. Please refer to this blog post for more information about CORS and how the Postman Desktop Agent works.

Can we check CORS in Postman?

Postman simply doesn't care about CORS headers. So CORS is just a browser concept and not a strong security mechanism.

Why is my CORS not working?

In order to fix CORS, you need to make sure that the API is sending proper headers (Access-Control-Allow-*). That's why it's not something you can fix in the UI, and that's why it only causes an issue in the browser and not via curl: because it's the browser that checks and eventually blocks the calls.

Does postman do a CORS header check?

Postman should not be doing a preflight request and CORS header check. Could you let us know your OS and exact Chrome version too? We'll look into this. In the meantime, you could try our native apps (www.getpostman.com/apps) which do not use XHR.

How do I troubleshoot a CORS error?

Cross-Origin Resource Sharing (CORS) errors occur when a server doesn’t return the HTTP headers required by the CORS standard. To resolve a CORS error from an API Gateway REST API or HTTP API, reconfigure the API to meet the CORS standard.

What is a ‘CORS issue’?

Here’s what’s happening: before sending your requested API call, your browser does a ‘security check’ by asking the API (via an OPTIONS call) who is allowed to do what. Simple as that. An ‘issue with CORS’ occurs when the API does not reply to such a request with, ‘Yes, dear browser, you are allowed to do that call’.



1 Answer

From Cross-Origin XMLHttpRequest in Chrome Develop Extensions documentation:

Regular web pages can use the XMLHttpRequest object to send and receive data from remote servers, but they're limited by the same origin policy. Extensions aren't so limited. An extension can talk to remote servers outside of its origin, as long as it first requests cross-origin permissions.

Basically browser extensions have more privileges than web content. In the case of Chrome extensions, there is an option to enable cross-origin access.

Alexander O'Mara answered Oct 23 '22 01:10
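Added example, not part of the original question or answer: a local API that sends no Access-Control-Allow-Origin header still answers a non-browser client in full, and only the browser-side check (simplified here for a plain GET) would withhold the response from page script. The names Api, browser_would_expose, fetch_like_postman and the origin https://app.example are constructed for illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

class Api(BaseHTTPRequestHandler):
    """Constructed API; sends Access-Control-Allow-Origin only if allow_origin is set."""
    allow_origin = None

    def do_GET(self):
        body = b'{"ok": true}'
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        if self.allow_origin:
            self.send_header("Access-Control-Allow-Origin", self.allow_origin)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass

def browser_would_expose(page_origin, target_origin, headers, credentials=False):
    """Simplified form of the check a browser runs on a cross-origin response."""
    if page_origin == target_origin:
        return True  # same origin: CORS does not apply
    allowed = headers.get("Access-Control-Allow-Origin")
    if credentials:  # wildcard is not accepted for credentialed requests
        return (allowed == page_origin
                and headers.get("Access-Control-Allow-Credentials") == "true")
    return allowed in ("*", page_origin)

def fetch_like_postman(allow_origin=None, page_origin="https://app.example"):
    """Call the API the way Postman or curl does: send, read, enforce nothing."""
    handler = type("Handler", (Api,), {"allow_origin": allow_origin})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    port = server.server_port
    try:
        conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
        conn.request("GET", "/", headers={"Origin": page_origin})
        resp = conn.getresponse()
        status, body = resp.status, resp.read()
        exposed = browser_would_expose(page_origin, f"http://127.0.0.1:{port}", resp.headers)
        conn.close()
    finally:
        server.shutdown()
        server.server_close()
    return status, body, exposed

if __name__ == "__main__":
    print(fetch_like_postman())                       # server answers, browser would block
    print(fetch_like_postman("https://app.example"))  # server answers, browser would allow
```

In both runs the server processes the request and returns the body, so access control on the API itself has to come from authentication and authorization, not from CORS headers.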