
So I have an API deployed on a cloud service. For testing purposes I use various HTTP clients like Postman, Paw and RestClient to send requests to my API and they all work just fine. But when I send an AJAX request from a browser, either with jQuery, reqwest or any other, I get the following error:

XMLHttpRequest cannot load {https://url/to/my/api/on/google-app-engine}. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:8000' is therefore not allowed access

So why does an HTTP client work but the browser throws an error? Is there any risk if I enable CORS on the server?

1 Answer

This is because of the "same origin" policy of web browsers. This prevents a script on one website from making requests to another website on your behalf.

Enabling CORS is safe as long as you trust the allowed client, which is probably not the case if the client is at localhost (since you have no control on localhost in general).

Special case: if there's no way for a client to perform changes on the server's domain, then it's safe to enable CORS in general.


4 Comments

So when I send a request via Postman, am I sending it from the same origin? No. It's on my local computer. Unless there is a difference between browser and non-browser clients that I don't know.
I'm not familiar with Postman, but most clients do not automatically send identification cookies on your behalf; web browsers do. So there's no risk with “dumb” clients, but there's a major security risk with web browsers, hence the same-origin policy for them.
Thanks for the update but AFAIK, CORS must be enabled on the server. Correct me if I'm wrong.
Yes, exactly. But it has to specify which origins are allowed, that is, from where the requests are allowed to be made. If the server is not read-only, it's critical that you only allow origins you trust. If the server is read-only and there are no credentials of any kind, then there's no particular security concern there.
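The rule the answer and comments arrive at (allow any origin only for read-only, credential-free endpoints; otherwise answer only an explicit allowlist, never a reflected origin) as an added server-side example. This is illustrative code written for this page, not the asker's API; the allowlist, paths and the `cors_headers` helper are constructed.

```python
# Added example: CORS response-header logic with an explicit origin allowlist.
# Origins, paths and the helper names below are constructed for illustration.
ALLOWED_ORIGINS = {"https://app.example.com"}     # constructed: the one trusted web client
READ_ONLY_PUBLIC = {"/v1/public/status"}          # constructed: endpoints with no state changes

def cors_headers(method, path, origin, allow_credentials):
    """Return the CORS response headers for one request, or {} to deny.

    - Read-only, credential-free endpoints may answer any origin with "*",
      but "*" is never combined with Access-Control-Allow-Credentials.
    - Everything else answers only origins on the allowlist, echoing the
      exact allowed value rather than reflecting whatever Origin arrived.
    """
    headers = {}
    if origin is None:
        return headers                     # not a cross-origin browser request
    safe_method = method in ("GET", "HEAD", "OPTIONS")
    if path in READ_ONLY_PUBLIC and safe_method and not allow_credentials:
        headers["Access-Control-Allow-Origin"] = "*"
    elif origin in ALLOWED_ORIGINS:
        headers["Access-Control-Allow-Origin"] = origin
        headers["Vary"] = "Origin"         # caches must not reuse one origin's answer for another
        if allow_credentials:
            headers["Access-Control-Allow-Credentials"] = "true"
    else:
        return headers                     # deny: the browser blocks the response
    if method == "OPTIONS":                # preflight for non-simple requests
        headers["Access-Control-Allow-Methods"] = "GET, POST, PUT, DELETE"
        headers["Access-Control-Allow-Headers"] = "Content-Type, Authorization"
        headers["Access-Control-Max-Age"] = "600"
    return headers

def reflect_any_origin(origin):
    """The weak pattern to avoid: echo any Origin and also allow credentials,
    which lets any site the user visits call the API with the user's cookies."""
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}
```

With the allowlist above, a credentialed request from `http://localhost:8000` gets no CORS headers and is blocked by the browser, while the read-only status endpoint stays open to everyone.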
