I tried to access this API (click here for more info):
POST https://api.line.me/v2/oauth/accessToken
but always get the error:
XMLHttpRequest cannot load https://api.line.me/v2/oauth/accessToken.
No 'Access-Control-Allow-Origin' header is present on the requested resource
Now I want to make sure that domain (and others, for example: Facebook, Twitter, etc.) enables CORS. How can I do that?
A core part of the CORS protocol is the Origin request header that browsers send when handling cross-origin requests initiated from frontend JavaScript code. So if from a non-browser client/tool you want to emulate a browser-based request, you need to send the Origin header:
curl -i -H 'Origin: http://sample.com' \
'https://access.line.me/dialog/oauth/weblogin?response_type=code&client_id=12345&redirect_uri=https%3A%2F%2Fsample.com%2Fauth&state=123abc'
To examine the response, you also need to tell the client/tool to show you the response headers. In the example above with curl, that’s what the -i option does.
And so finally, to determine whether the server sending the response has CORS enabled in the response, you need to look for the Access-Control-Allow-Origin response header there.
In the specific case of the https://access.line.me API, you’re never going to find the response header Access-Control-Allow-Origin in the response—which is unsurprising given the docs for its “Web Login flow” https://developers.line.me/web-api/integrating-web-login-v2#steps_web_login:
The LINE Login process for web applications (Web Login) is based on the OAuth 2.0 authorization code grant flow. Your application must be able to make requests server-side and receive data from the LINE Platform.
That is, the docs specifically mention a need to make requests from the “server-side”, and nowhere else in those docs is there any mention of support for requests made from frontend JavaScript code running in a browser, nor any code examples of how to make a request using JavaScript.
In general, if a particular service/API is CORS-enabled and has docs on how to make requests to that service/API, those docs give examples/details of how to do that from frontend JavaScript.
In other words, if docs for a particular service/API don’t provide examples/details of how to make requests to it from frontend JavaScript running in a browser, it probably doesn’t support CORS.
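As an added example (not part of the original answer), this JavaScript applies the browser's CORS check from the Fetch standard to raw `curl -i` output, so the header inspection described above can be scripted. The function names `parseHeaders` and `corsCheck` are hypothetical, the sample responses are constructed rather than captured from any real service, and each input is assumed to hold a single response (no redirect chain).

```javascript
// Constructed sample `curl -i` outputs (not captured from any real service).
const NO_CORS = 'HTTP/1.1 302 Found\r\nLocation: https://example.invalid/login\r\n' +
  'Content-Length: 0\r\n\r\n';
const WILDCARD = 'HTTP/1.1 200 OK\r\nAccess-Control-Allow-Origin: *\r\n\r\n{}';
const ECHO = 'HTTP/1.1 200 OK\r\nAccess-Control-Allow-Origin: http://sample.com\r\n' +
  'Access-Control-Allow-Credentials: true\r\nVary: Origin\r\n\r\n{}';

// Parse the header block of one response into a map with lowercase names.
// Repeated headers are joined with ", ", which is how a browser combines them.
function parseHeaders(raw) {
  const head = raw.split(/\r?\n\r?\n/)[0];
  const headers = {};
  for (const line of head.split(/\r?\n/).slice(1)) { // slice(1) skips the status line
    const i = line.indexOf(':');
    if (i <= 0) continue;
    const name = line.slice(0, i).trim().toLowerCase();
    const value = line.slice(i + 1).trim();
    headers[name] = name in headers ? headers[name] + ', ' + value : value;
  }
  return headers;
}

// Decide whether a browser would expose this response to a script at `origin`.
// `credentials` models fetch(..., { credentials: 'include' }).
function corsCheck(raw, origin, { credentials = false } = {}) {
  const headers = parseHeaders(raw);
  const acao = headers['access-control-allow-origin'];
  if (acao === undefined) {
    return { allowed: false, reason: 'no Access-Control-Allow-Origin header' };
  }
  if (acao === '*') {
    return credentials
      ? { allowed: false, reason: 'wildcard is rejected for credentialed requests' }
      : { allowed: true, reason: 'wildcard origin' };
  }
  // The comparison is exact: scheme, host, port and letter case must all match.
  if (acao !== origin) {
    return { allowed: false, reason: `header value "${acao}" does not match "${origin}"` };
  }
  if (credentials && headers['access-control-allow-credentials'] !== 'true') {
    return { allowed: false, reason: 'Access-Control-Allow-Credentials is not "true"' };
  }
  return { allowed: true, reason: 'origin matched' };
}

console.log(corsCheck(NO_CORS, 'http://sample.com'));
console.log(corsCheck(WILDCARD, 'http://sample.com', { credentials: true }));
console.log(corsCheck(ECHO, 'http://sample.com', { credentials: true }));
```

A response that passes only because the server echoes back whatever `Origin` it receives deserves a second look, since that configuration lets any site read the response.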