Sat, 19 Sep 2020 08:23:56 GMT
Join the conversation at slack.cordova.io
Fri, 18 Sep 2020 15:51:13 GMT
@jberman says
Hey guys, I’m in the process of implementing CORS on our server. I noticed that when I hard-coded the Access-Control-Allow-Origin header to any random value (like
<http://apple.com>), then Chrome, Safari, and Firefox could still access the page — and I can’t figure out why. Is the origin that the page is served from implicitly allowed, on top of the one specified in the Access-Control-Allow-Origin header? I mean, even Postman was able to successfully do XHR requests, and it shouldn’t even have an origin since it never retrieves an html file from the server.