[mabufo]

CORS allows you to whitelist what domains you accept certain requests from. This is a good thing.

One thing I never understood really is why a webpage is able to load scripts from a different domain. That will I suppose remain a mystery to me forever. Imagine how many fewer ads and junk we might see.

[dlhavema]

this is a cool feature but the actual whitelist has to be held internally, in responding to an OPTIONS request, you can respond with * or concrete domain name. you can't return something like "www.example.com, www.foo.com" .

if you want to whitelist multiple domains you have to resolve this server side and check the requesting domain against your list of accepted domains.

this took me a little while to figure out.

[mabufo]

Right - it is a good safety feature. Also worth noting that responding with a wildcard will not allow you to set cookies in the browser when using `withCredentials` in the client and `access-control-allow-credentials` on the server. You've got to return a specific origin (one that is a match in your whitelist)