|
|
|
|
|
|
by hyper_reality
1898 days ago
|
|
|
Great and clear guide to this thorny topic. However, even this article gets a little confused in its wording at one point: > In such cases, we want our API to set the Access-Control-Allow-Origin header to our website’s URL. That will make sure browsers never send requests to our API from other pages. > If users or other websites try to cram data in our analytics API, the Access-Control-Allow-Origin headers set on the resources of our API won’t let the request to go through. The ACAO header only performs a controlled relaxation of cross-origin restrictions. It is the browser that is ensuring that by default other pages can't send requests to the API.
Just a nitpick as I feel the rest of the article illustrates this well. |
|
|