CORS allowed when no response header Access-Control-Allow-Origin









up vote
-1
down vote

favorite












I'm able to send post/put/delete to my localhost even though the response headers doesn't include "Access-Control-Allow-Origin" , I'm using chrome so my question:



1- will requests from different site allowed if no "Access-Control-Allow-Origin" returned ?



2- why the request worked on my local host , the browser sent the following headers in request :



Origin: http://localhost:8080



or the browsers ignore the response header "Access-Control-Allow-Origin" when it's the same origin ?










share|improve this question

























    up vote
    -1
    down vote

    favorite












    I'm able to send post/put/delete to my localhost even though the response headers doesn't include "Access-Control-Allow-Origin" , I'm using chrome so my question:



    1- will requests from different site allowed if no "Access-Control-Allow-Origin" returned ?



    2- why the request worked on my local host , the browser sent the following headers in request :



    Origin: http://localhost:8080



    or the browsers ignore the response header "Access-Control-Allow-Origin" when it's the same origin ?










    share|improve this question























      up vote
      -1
      down vote

      favorite









      up vote
      -1
      down vote

      favorite











      I'm able to send post/put/delete to my localhost even though the response headers doesn't include "Access-Control-Allow-Origin" , I'm using chrome so my question:



      1- will requests from different site allowed if no "Access-Control-Allow-Origin" returned ?



      2- why the request worked on my local host , the browser sent the following headers in request :



      Origin: http://localhost:8080



      or the browsers ignore the response header "Access-Control-Allow-Origin" when it's the same origin ?










      share|improve this question













      I'm able to send post/put/delete to my localhost even though the response headers doesn't include "Access-Control-Allow-Origin" , I'm using chrome so my question:



      1- will requests from different site allowed if no "Access-Control-Allow-Origin" returned ?



      2- why the request worked on my local host , the browser sent the following headers in request :



      Origin: http://localhost:8080



      or the browsers ignore the response header "Access-Control-Allow-Origin" when it's the same origin ?







      javascript google-chrome cors cross-domain






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked yesterday









      Mohammad Karmi

      3071417




      3071417






















          1 Answer
          1






          active

          oldest

          votes

















          up vote
          1
          down vote



          accepted











          will requests from different site allowed if no "Access-Control-Allow-Origin" returned ?




          A POST request, all else being equal, will be allowed, but the Same Origin Policy will prevent JS from reading the response.



          PUT and DELETE requests require a Preflight request to receive permission from CORS first, so the requests will be blocked.




          why the request worked on my local host




          The Same Origin Policy doesn't block access when the request is from the same origin.






          share|improve this answer




















          • so the "Access-Control-Allow-Origin" is never needed on same origin even if Origin header is sent by the browser right ?
            – Mohammad Karmi
            yesterday











          Your Answer






          StackExchange.ifUsing("editor", function ()
          StackExchange.using("externalEditor", function ()
          StackExchange.using("snippets", function ()
          StackExchange.snippets.init();
          );
          );
          , "code-snippets");

          StackExchange.ready(function()
          var channelOptions =
          tags: "".split(" "),
          id: "1"
          ;
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function()
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled)
          StackExchange.using("snippets", function()
          createEditor();
          );

          else
          createEditor();

          );

          function createEditor()
          StackExchange.prepareEditor(
          heartbeatType: 'answer',
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader:
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          ,
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          );



          );













           

          draft saved


          draft discarded


















          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53224470%2fcors-allowed-when-no-response-header-access-control-allow-origin%23new-answer', 'question_page');

          );

          Post as a guest






























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes








          up vote
          1
          down vote



          accepted











          will requests from different site allowed if no "Access-Control-Allow-Origin" returned ?




          A POST request, all else being equal, will be allowed, but the Same Origin Policy will prevent JS from reading the response.



          PUT and DELETE requests require a Preflight request to receive permission from CORS first, so the requests will be blocked.




          why the request worked on my local host




          The Same Origin Policy doesn't block access when the request is from the same origin.






          share|improve this answer




















          • so the "Access-Control-Allow-Origin" is never needed on same origin even if Origin header is sent by the browser right ?
            – Mohammad Karmi
            yesterday















          up vote
          1
          down vote



          accepted











          will requests from different site allowed if no "Access-Control-Allow-Origin" returned ?




          A POST request, all else being equal, will be allowed, but the Same Origin Policy will prevent JS from reading the response.



          PUT and DELETE requests require a Preflight request to receive permission from CORS first, so the requests will be blocked.




          why the request worked on my local host




          The Same Origin Policy doesn't block access when the request is from the same origin.






          share|improve this answer




















          • so the "Access-Control-Allow-Origin" is never needed on same origin even if Origin header is sent by the browser right ?
            – Mohammad Karmi
            yesterday













          up vote
          1
          down vote



          accepted







          up vote
          1
          down vote



          accepted







          will requests from different site allowed if no "Access-Control-Allow-Origin" returned ?




          A POST request, all else being equal, will be allowed, but the Same Origin Policy will prevent JS from reading the response.



          PUT and DELETE requests require a Preflight request to receive permission from CORS first, so the requests will be blocked.




          why the request worked on my local host




          The Same Origin Policy doesn't block access when the request is from the same origin.






          share|improve this answer













          will requests from different site allowed if no "Access-Control-Allow-Origin" returned ?




          A POST request, all else being equal, will be allowed, but the Same Origin Policy will prevent JS from reading the response.



          PUT and DELETE requests require a Preflight request to receive permission from CORS first, so the requests will be blocked.




          why the request worked on my local host




          The Same Origin Policy doesn't block access when the request is from the same origin.







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered yesterday









          Quentin

          630k718491018




          630k718491018











          • so the "Access-Control-Allow-Origin" is never needed on same origin even if Origin header is sent by the browser right ?
            – Mohammad Karmi
            yesterday

















          • so the "Access-Control-Allow-Origin" is never needed on same origin even if Origin header is sent by the browser right ?
            – Mohammad Karmi
            yesterday
















          so the "Access-Control-Allow-Origin" is never needed on same origin even if Origin header is sent by the browser right ?
          – Mohammad Karmi
          yesterday





          so the "Access-Control-Allow-Origin" is never needed on same origin even if Origin header is sent by the browser right ?
          – Mohammad Karmi
          yesterday


















           

          draft saved


          draft discarded















































           


          draft saved


          draft discarded














          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53224470%2fcors-allowed-when-no-response-header-access-control-allow-origin%23new-answer', 'question_page');

          );

          Post as a guest














































































          Popular posts from this blog

          Use pre created SQLite database for Android project in kotlin

          Darth Vader #20

          Ondo