This subject has been asked a couple of times, but I still don't understand something:
When I read answers about the No 'Access-Control-Allow-Origin' header issue, it says a setting should be set on the requested server in order to allow cross domain: add_header 'Access-Control-Allow-Origin' '*';
But please tell me why, when asking from Postman (which is a client), it's working like a charm and I have a response from the requested server?
Thank you
Postman does not implement the CORS restrictions, which is why you don't see the same error when making the same call from Postman.
Where it checks for Access-Control-Allow-Origin. Taking this into account Access-Control-Allow-Origin header just specifies which all CROSS ORIGINS are allowed, although by default browser will only allow the same origin. Postman: Sends direct GET, POST, PUT, DELETE etc.
You can use Postman to make an HTTP request with an Origin header. Your server can then send back an appropriate Access-Control-Allow-Origin header. However, Postman won't do anything with it except display it in the list of response headers.
CORS (Cross-Origin Resource Sharing) and SOP (Same-Origin Policy) are server-side configurations that clients decide to enforce or not.
Related to clients
CSRF
attack.
As @Musa comments, it seems that the reason is that:
Postman doesn't care about SOP, it's a dev tool not a browser
By the way, here's a Chrome extension in order to make it work on your browser (this one is for Chrome, but you can find either for FF or Safari).
Check here if you want to learn more about Cross-Origin and why it's working for extensions.
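As an added illustration (not part of the answers above and not any browser's actual code), here is a simplified JavaScript model of the check a browser runs on a cross-origin response, next to a dev tool that runs none. The function names and the example origins are assumptions made up for this sketch.

```javascript
// Added illustration: a simplified model of the browser-side CORS check.
// Response headers are a plain object; sample values below are constructed.

function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) return String(value).trim();
  }
  return null;
}

// Returns true when a browser would let page script read the response.
function browserAllowsRead(pageOrigin, requestUrl, responseHeaders, withCredentials = false) {
  // Same-origin requests are never subject to the CORS check.
  if (new URL(requestUrl).origin === pageOrigin) return true;

  const allowOrigin = getHeader(responseHeaders, "Access-Control-Allow-Origin");
  if (allowOrigin === null) return false; // the "No 'Access-Control-Allow-Origin' header" error

  // The wildcard is honoured only for requests sent without credentials.
  if (allowOrigin === "*") return !withCredentials;

  // Otherwise the value must match the page's origin exactly.
  if (allowOrigin !== pageOrigin) return false;
  if (!withCredentials) return true;
  return getHeader(responseHeaders, "Access-Control-Allow-Credentials") === "true";
}

// A non-browser client (Postman, curl, a script) performs no such check:
// it displays whatever the server returned.
function devToolAllowsRead() {
  return true;
}

// Constructed sample: page on one origin, API on another.
const page = "https://app.example";
const api = "https://api.example/items";
const results = {
  noHeader: browserAllowsRead(page, api, {}),
  wildcard: browserAllowsRead(page, api, { "Access-Control-Allow-Origin": "*" }),
  wildcardWithCookies: browserAllowsRead(page, api, { "Access-Control-Allow-Origin": "*" }, true),
  devTool: devToolAllowsRead(),
};
console.log(results);
```

For a simple request like this GET, the server has already answered in every case; the check only decides whether page script may read the response, so access control still belongs on the server.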