by theincredulousk 501 days ago
Not a web person - why does the original approach not have the CORS problem? Isn't it still generating the request from the same local machine?

CORS is enforced by the client, the web browser.

  +----------------------+                               +-----------------------+
  |     User Browser     |                               |     WordPress Site    |
  | (viewing from        |          CORS Error           |     (blog.com)        |
  |  example.com)        |     Browser enforces CORS     |                       |
  |    +------------+    |        Direct request         |    +------------+     |
  |    | Frontend   |<-----------------------------------X    | xmlrpc.php |     |
  |    | App        |    |     example.com → blog.com    |    |            |     |
  |    +------------+    |                               |    +------------+     |
  +----------------------+                               +-----------------------+
       Browser security blocks cross-origin
       requests (CORS is browser-only!)

The Bottle app presumably uses some Python library like Requests. It wouldn't care about CORS.

  +----------------------+     +------------------------+     +-----------------------+
  |     User Browser     |     |    App Server          |     |     WordPress Site    |
  | (viewing from        |     |    (example.com)       |     |     (blog.com)        |
  |  example.com)        |     |                        |     |                       |
  |    +------------+    |     |    +------------+      |     |    +------------+     |
  |    | Frontend   |<-------->|    | Backend    |<---------->|    | xmlrpc.php |     |
  |    | App        |    |     |    | (Bottle)   |      |     |    |            |     |
  |    +------------+    |     |    +------------+      |     |    +------------+     |
  +----------------------+     +------------------------+     +-----------------------+
           Same origin         Uses requests library           Different origin
       Browser allows this       No CORS checks here!         (Server doesn't care
                               (Not a browser!)                  about origin)

Makes sense, thank you. How'd you generate the diagrams so quickly?

My pleasure. Claude 3.5 Sonnet made the diagrams after 3 rounds of prompting.

LLMs are surprisingly good at making diagrams in monospaced ASCII or MermaidJS.

Also not a web person, but my guess is that the Bottle app makes the requests from the "server" end, so even though you're accessing the app in your browser, the browser is only communicating with the local app server and thus isn't in the way to enforce CORS.

You're right mostly, person above even created a nice diagram.

Can't compete with that!
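
The behaviour discussed in this thread, as an added example that is not part of the original posts: a constructed local stand-in for `xmlrpc.php` answers a non-browser client in full, while a simplified version of the browser's CORS check (no preflight, no credentials) would withhold the same response from a page on another origin. `FakeXmlRpc`, `browser_would_expose` and `demo` are hypothetical names, and the server is a loopback test server, not WordPress.

```python
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit


class FakeXmlRpc(BaseHTTPRequestHandler):
    """Constructed stand-in for xmlrpc.php: answers any POST, sends no CORS headers."""

    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        body = b"<methodResponse>ok</methodResponse>"
        self.send_response(200)
        self.send_header("Content-Type", "text/xml")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def browser_would_expose(page_origin, url, response_headers):
    """Simplified browser-side decision: may page script read this response?"""
    target = urlsplit(url)
    if f"{target.scheme}://{target.netloc}" == page_origin:
        return True  # same origin, CORS does not apply
    allowed = response_headers.get("Access-Control-Allow-Origin")
    return allowed in ("*", page_origin)


def demo(page_origin="https://example.com"):
    server = HTTPServer(("127.0.0.1", 0), FakeXmlRpc)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_port}/xmlrpc.php"
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        # What a backend HTTP client does: send the request, read the reply.
        req = urllib.request.Request(url, data=b"<methodCall/>",
                                     headers={"Origin": page_origin})
        with opener.open(req, timeout=5) as resp:
            headers, body = resp.headers, resp.read()
    finally:
        server.shutdown()
        server.server_close()
    # The server replied either way; only the browser-side check differs.
    return body, browser_would_expose(page_origin, url, headers)


if __name__ == "__main__":
    body, exposed = demo()
    print("backend client read:", body, "| browser would expose:", exposed)
```

Because the server answers regardless of the `Origin` header, the endpoint needs its own authentication or access restrictions; CORS headers do not provide them.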