
How do CORS response headers prevent browser JavaScript from accessing the response object?

So I am running two applications, foo.com and bar.com, using traditional CGI scripts on an Apache server. I make an AJAX request from foo to bar. The request makes it to bar and executes, but because the Apache server does not add any CORS headers, the browser says the request failed.

The CORS documentation on MDN explains that the browser JavaScript doesn't know the specifics of the failure; it just knows that the response failed.

My question is: does the response object contain the response returned by my CGI script, and the browser just chose to show this as an error because it couldn't find the Access-Control-Allow-Origin header?

From my inspection of the response object, it seems that the Apache server did not send the response from the CGI script's output at all.

It is unclear who is responsible for containing the response here:

  • Is it the Apache server?

  • Is it the fetch/XMLHTTP API?

Note: I used jQuery to make the AJAX calls.

How do CORS response headers prevent browser JavaScript from accessing the response object?

They don't. Your JS being unable to access the response data is the default behaviour. CORS headers can grant permission that would be denied by default.

The Same Origin Policy is implemented by the browser. The server doesn't know about it (except insofar as it might be explicitly configured to send CORS headers in the response).

The browser receives the HTTP response, determines that permission was not granted, and generates a response object saying as much, which it provides to the JavaScript program.
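
The browser-side decision described in the answer above, as an added example that is not part of the original post: a simplified model of the CORS check from the Fetch standard, applied to a response the server really did send. The function names (`getHeader`, `corsCheck`, `deliverToScript`) and the sample responses are hypothetical and constructed for illustration; preflight requests are not modelled.

```javascript
// Simplified model of the browser's CORS check (added example, not browser code).
// corsCheck and deliverToScript are hypothetical names, not real browser APIs.

// Case-insensitive header lookup; returns null when the header is absent.
function getHeader(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : headers[key];
}

// True if a cross-origin response may be exposed to script running on pageOrigin.
function corsCheck(pageOrigin, headers, credentialsMode) {
  const allowOrigin = getHeader(headers, "Access-Control-Allow-Origin");
  if (allowOrigin === null) return false;                 // no header: default deny
  if (credentialsMode !== "include" && allowOrigin === "*") return true;
  if (allowOrigin !== pageOrigin) return false;           // must match exactly
  if (credentialsMode !== "include") return true;
  // Credentialed requests additionally need an explicit opt-in from the server.
  return getHeader(headers, "Access-Control-Allow-Credentials") === "true";
}

// What the page's script receives for a response that arrived on the wire.
function deliverToScript(pageOrigin, wireResponse, credentialsMode = "same-origin") {
  if (corsCheck(pageOrigin, wireResponse.headers, credentialsMode)) {
    return { type: "cors", status: wireResponse.status, body: wireResponse.body };
  }
  // The body was received by the browser but is withheld from the script.
  return { type: "error", status: 0, body: null };
}

// Constructed sample: bar.com's CGI output without and with a CORS header.
const fromCgi = {
  status: 200,
  headers: { "Content-Type": "application/json" },
  body: '{"ok":true}',
};
const withCors = {
  ...fromCgi,
  headers: { ...fromCgi.headers, "Access-Control-Allow-Origin": "https://foo.com" },
};

console.log(deliverToScript("https://foo.com", fromCgi));   // script sees an error
console.log(deliverToScript("https://foo.com", withCors));  // script sees the body
```

In both cases the server executed the request and returned the same body; only the header decides whether the script is allowed to read it.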
