
I want a simple JavaScript script that exists on my localhost to make a connection to another domain (e.g. anotherdomain.com) with AJAX and get the response, but all my browsers give me this error: (connection blocked, Reason: CORS header 'Access-Control-Allow-Origin' missing)

But when I check the network traffic with a network monitor program like Fiddler, I see that the response already came from the server at anotherdomain.com to my local machine; it is just my browser that is blocking me from getting it!!

1- Can I order my browser to ignore the CORS rules using JavaScript code?

2- What are my options to overcome this problem? Is building a custom client desktop application with C# to send and receive requests freely the best way to do it?

3- Is the CORS policy designed to protect the web clients or the web servers?

Thank you, and please consider that I'm a complete newbie in web.

the accountant
  • If you're running Chrome you can use the [--disable-web-security](http://stackoverflow.com/questions/3102819/disable-same-origin-policy-in-chrome) flag – Musa May 02 '16 at 01:59

1 Answer


> But when I check the network traffic with a network monitor program like Fiddler, I see that the response already came from the server at anotherdomain.com to my local machine; it is just my browser that is blocking me from getting it!!

Well, for sure the connection was established to check the presence of the header you mentioned, but data was unlikely to be transferred.

Regarding your questions,

  1. There are 2 options actually. One is to set the Access-Control-Allow-Origin header with the proper origin according to yours. The second is to make a JSONP call, though the server's response must support such a solution.

  2. The best option is to have a server with the above header specified. Your server would handle all the network stuff on its side and your script would just get/send some responses/requests.

  3. I would say it is designed more to protect the server. Imagine the following situation. Your script on your site makes a lot of POST requests to another site. Actions like submitting forms etc. could happen and would be allowed. That's harmful, right? You can read about that in this stack question.

Jakub Rożek
  • Unfortunately the browsers do not allow me to edit some request headers like "origin", and of course I can't control the response headers... In your answer number 2 you said I can have a server that handles the network stuff! Can I make PHP, for example, make HTTP requests to ANY OTHER domain? – the accountant May 01 '16 at 15:33
  • "unfortunately the browsers do not allow me to edit some request headers like "origin"" - it's the server that serves the CORS headers; browsers just check whether they are allowed or not. Answering your question, yes, on the server side you should be able to make requests. You could add that header as well, so your script on your side can communicate with the server. – Jakub Rożek May 01 '16 at 16:11
  • Thank you very much for declaring that PHP can make requests to any domain, that will help me a lot :)... And for the CORS policy, I thought that it starts from the client, who tells the server he needs to know the cross-origin permissions, and later the server responds with the headers, as it says here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS – the accountant May 01 '16 at 16:18
  • The article you mentioned is great (like most from MDN) and you should base your knowledge on it. In short, it works like this: browser makes request, server responds with headers, if it's allowed the connection is made. Read more about it in [this](https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Preflighted_requests) section. – Jakub Rożek May 01 '16 at 16:46
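
The server-side approach from point 2 of the answer, sketched as an added example that is not part of the original answer or comments: a small Node.js relay that fetches from the other domain itself and adds `Access-Control-Allow-Origin` only for allowlisted page origins. The upstream path, port and allowlist entries are assumptions chosen for illustration.

```javascript
// Added example, not code from the thread. UPSTREAM, the port and the
// allowlist entries are assumed values.
const UPSTREAM = 'https://anotherdomain.com/api/data'; // fixed target, never taken from the client
const ALLOWED_ORIGINS = new Set(['http://localhost', 'http://localhost:8080']);

// Decide which CORS headers (if any) the relay adds for a given Origin header.
function corsHeaders(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return {}; // no header: the browser blocks the read
  return {
    'Access-Control-Allow-Origin': origin, // echo only an exact allowlisted origin, never "*"
    'Vary': 'Origin',                      // keep caches from serving one origin's answer to another
  };
}

// Build the relay's response. fetchImpl is injectable so the logic can be tested offline.
async function relay(method, origin, fetchImpl = fetch) {
  const headers = corsHeaders(origin);
  if (method === 'OPTIONS') {
    // Preflight: answered by the relay itself, nothing is sent upstream.
    if (headers['Access-Control-Allow-Origin']) headers['Access-Control-Allow-Methods'] = 'GET';
    return { status: 204, headers, body: '' };
  }
  if (method !== 'GET') return { status: 405, headers, body: 'GET only' };
  try {
    // Server-to-server request: no same-origin policy applies here.
    const upstream = await fetchImpl(UPSTREAM, { redirect: 'error' });
    return { status: upstream.status, headers, body: await upstream.text() };
  } catch (err) {
    return { status: 502, headers, body: 'upstream request failed' };
  }
}

// Wire the relay into Node's built-in HTTP server, bound to loopback only.
async function startRelay(port = 3000) {
  const http = await import('node:http');
  return http.createServer(async (req, res) => {
    const out = await relay(req.method, req.headers.origin);
    res.writeHead(out.status, out.headers);
    res.end(out.body);
  }).listen(port, '127.0.0.1');
}
```

Calling `startRelay()` starts it on 127.0.0.1:3000; the page's script then requests the relay instead of anotherdomain.com.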