I guess what I am asking is: the actual server needs to be set up to field ajax requests from a certain origin, right? When I completed the FCC leaderboard project I sent an ajax request to 'https://fcctop100.herokuapp.com/api/fccusers/top/recent'
Is it safe to say that, server side, this route would include something like:
in order to allow every user to hit this API and not violate the same origin policy? If this is the case are there any security issues involved?
This depends on why it’s not working in the browser. Sometimes, the CORS proxy relays the request and obviates the access-control-allow-origin header. Other APIs are just not hosted securely, and the proxy acts like an SSL bridge.
Yup. It also requires Access-Control-Allow-Methods, I believe.
There are. Someone could set up a site that steals your user’s login information. This is what the same origin policy is meant to prevent, after all. This doesn’t expose your client app to any risk, though.
Thank you for your helpful response. Can you explain what you mean by the proxy obviating the access-control-allow-origin header? Not sure I follow what this means. I thought the proxy couldn’t set the response headers from the API server…
A proxy server is just a server. There’s no magic in what it does. It can take data from any source (because servers don’t abide by the access-control headers), and send it to another. So, we don’t have to care which headers are sent from the source because the proxy server sets its own.
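To make the earlier answer about security issues concrete, here is an added example (not code from the thread or from the FCC API) of how a server-side handler could decide which CORS headers to send. It contrasts the public read-only case, where `Access-Control-Allow-Origin: *` is fine, with a credentialed endpoint, where only an allow-listed origin may be echoed back. The origin allow-list and the policy objects are assumptions.

```javascript
// Added example: a CORS policy function in the shape an Express/Node route
// handler would call before answering. Not part of the original thread.

// Assumption: the only front-end that should read credentialed data.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);

// policy: { credentials: boolean, methods: string[] }
// Returns the CORS response headers for a request from `origin`, or null
// when no CORS headers should be sent (the browser then blocks the
// cross-origin read, which is the safe default).
function corsHeaders(origin, policy) {
  if (!policy.credentials) {
    // Public, read-only data (like a leaderboard): any origin may read it,
    // and no cookies or Authorization header are involved.
    return {
      'Access-Control-Allow-Origin': '*',
      'Access-Control-Allow-Methods': policy.methods.join(', '),
    };
  }
  // Credentialed endpoint: browsers refuse '*' together with credentials,
  // so the tempting "fix" is to echo back whatever Origin was sent. That
  // defeats the check entirely and lets a hostile page act as the logged-in
  // user. Only echo an origin that is explicitly trusted.
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    return null;
  }
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Methods': policy.methods.join(', '),
    // The response differs per origin, so shared caches must key on it.
    'Vary': 'Origin',
  };
}

// Assumed policies for the two kinds of route discussed above.
const PUBLIC_LEADERBOARD = { credentials: false, methods: ['GET'] };
const ACCOUNT_API = { credentials: true, methods: ['GET', 'POST'] };
```

In a real handler the returned object is copied onto the response (and an OPTIONS preflight is answered with the same headers); a `null` result means answer the request with no CORS headers at all.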