A few questions about bypassing the same origin policy


#1

Hello FCC,

I was reading about the same origin policy and some common ways around it (JSONP, CORS headers, and using a proxy).

I had two questions that are troubling me a bit. First, about using a proxy. SiteA–>ProxyServer–>SiteB. This works because the actual request is sent from a server and not from the browser, correct?

With regards to the CORS headers is it true that the request header needs to contain the origin: http://siteA header and the server MUST respond with something like:

res.set({"Access-Control-Allow-Origin": "http://siteA"})
res.send(dataFromSiteB);

I guess what I am asking is that the actual server needs to be set up to field ajax requests from a certain origin right? When I completed the FCC leaderboard project I sent an ajax request to 'https://fcctop100.herokuapp.com/api/fccusers/top/recent'

is it safe to say that server side, this route would include something like:

res.set({"Access-Control-Allow-Origin": "*"})

in order to allow every user to hit this API and not violate the same origin policy? If this is the case are there any security issues involved?

Thanks everyone


#2

This depends on why it’s not working in the browser. Sometimes, the CORS proxy relays the request and obviates the access-control-allow-origin header. Other APIs are just not hosted securely, and the proxy acts like an SSL bridge.

Yup. It also requires Access-Control-Allow-Methods, I believe.

There are. Someone could set up a site that steals your user’s login information. This is what the same origin policy is meant to prevent, after all. This doesn’t expose your client app to any risk, though.


#3

Hi @PortableStick,

Thank you for your helpful response. Can you explain what you mean by the proxy obviating the access-control-allow-origin header? Not sure I follow what this means. I thought the proxy couldn’t set the response headers from the API server…

Thanks so much!


#4

A proxy server is just a server. There’s no magic in what it does. It can take data from any source (because servers don’t abide by the access-control headers), and send it to another. So, we don’t have to care which headers are sent from the source because the proxy server sets its own.


#5

Thanks, this helped a lot 🙂