
Cross Origin Resource Sharing (CORS) across Subdomains

Suppose I have an app at www.example.com (a)

If my resource is at www.someotherdomain.com (b) and I make an AJAX call from (a) to (b) then CORS rules would apply.

However if my resource is located at api.example.com (c) then one would expect to avoid CORS when making an AJAX request from (a) to (c) - however, I have found this not to be the case.

CORS rules still apply when making requests across subdomains - is this true?

Is there a way around this rule (without using JSONP)?

I can't imagine that all requests made between www.amazon.com and resource.amazon.com, for instance, are always CORS requests. Managing the headers and preflight request/response seems tedious & costly at scale.

Anything I'm missing here?

yevg asked Nov 21 '17 04:11



People also ask

Does cross-origin apply with subdomains?

Yes, you have to enable it. You have to send CORS allow headers from the server side to your browser. This is because a subdomain counts as a different origin.

How is CORS cross-origin resource sharing possible?

CORS also relies on a mechanism by which browsers make a "preflight" request to the server hosting the cross-origin resource, in order to check that the server will permit the actual request. In that preflight, the browser sends headers that indicate the HTTP method and headers that will be used in the actual request.

Are subdomains CORS?

CORS does not allow subdomains, so you need to specify them in your server configuration.


1 Answer

CORS is for a single set of protocol:domain:port, or null, or *. See https://www.w3.org/TR/cors/#access-control-allow-origin-response-header.

So the answer to your question is, Yes, CORS rules will still apply to your subdomains.

sampathsris answered Oct 20 '22 15:10

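Because the Access-Control-Allow-Origin header carries a single origin, a server such as api.example.com typically validates the request's Origin header and echoes it back when it is permitted. The sketch below is an added example, not part of the original answer; the function names, the https-only policy, and the method and header lists are assumptions.

```javascript
// Added example: APEX, isAllowedOrigin and corsHeaders are illustrative names.
const APEX = "example.com"; // site domain taken from the question

// An origin is scheme + host + port. Parse it and compare the hostname on a
// label boundary; a bare endsWith("example.com") would also accept
// "https://notexample.com".
function isAllowedOrigin(origin) {
  if (typeof origin !== "string" || origin === "null") return false;
  let url;
  try {
    url = new URL(origin);
  } catch {
    return false;
  }
  // Reject anything that is not a bare serialized origin (path, userinfo, ":443").
  if (url.origin !== origin) return false;
  // Assumed policy: https on the default port only.
  if (url.protocol !== "https:" || url.port !== "") return false;
  return url.hostname === APEX || url.hostname.endsWith("." + APEX);
}

// Headers the API would attach to its response for a given method and Origin.
function corsHeaders(method, origin) {
  // Vary: Origin keeps shared caches from reusing one origin's response for another.
  const headers = { Vary: "Origin" };
  // No Access-Control-Allow-Origin header means the browser blocks the read.
  if (!isAllowedOrigin(origin)) return headers;
  headers["Access-Control-Allow-Origin"] = origin; // one exact origin, never a list
  if (method === "OPTIONS") {
    // Preflight response: assumed methods and request headers for this API.
    headers["Access-Control-Allow-Methods"] = "GET, POST";
    headers["Access-Control-Allow-Headers"] = "Content-Type, Authorization";
    // Lets the browser cache the preflight result for 10 minutes.
    headers["Access-Control-Max-Age"] = "600";
  }
  return headers;
}
```

Allowing every subdomain extends trust to all of them; list exact origins instead if some subdomains host content you do not control.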