A few questions about bypassing the same origin policy

A few questions about bypassing the same origin policy


Hello FCC,

I was reading about the same origin policy and some common ways around it (JSONP, CORS headers, and using a proxy).

I had two questions that are troubling me a bit. First, about using a proxy. SiteA–>ProxyServer–>SiteB. This works because the actual request is sent from a server and not from the browser, correct?

With regards to the CORS headers is it true that the request header needs to contain the origin: http://siteA header and the server MUST respond with something like:

res.set({"Access-Control-Allow-Origin": "http://siteA"})

I guess what I am asking is that the actual server needs to be set up to field ajax requests from a certain origin right? When I completed the FCC leaderboard project I sent an ajax request to 'https://fcctop100.herokuapp.com/api/fccusers/top/recent'

is it safe to say that server side, this route would include something like:

res.set({"Access-Control-Allow-Origin": "*"})
in order to allow every user to hit this API and not violate the same origin policy? If this is the case are there any security issues involved?

Thanks everyone


This depends on why it’s not working in the browser. Sometimes, the CORS proxy relays the request and obviates the access-control-allow-origin header. Other APIs are just not hosted securely, and the proxy acts like an SSL bridge.

Yup. It also requires Access-Control-Allow-Methods, I believe.

There are. Someone could set up a site that steals your user’s login information. This is what the same origin policy is meant to prevent, after all. This doesn’t expose your client app to any risk, though.


Hi @PortableStick,

Thank you for your helpful response. Can you explain what you mean by the proxy obviating the access-control-allow-origin header? Not sure I follow what this means. I thought the proxy couldn’t set the response headers from the API server…

Thanks so much!


A proxy server is just a server. There’s no magic in what it does. It can take data from any source (because servers don’t abide by the access-control headers), and send it to another. So, we don’t have to care which headers are sent from the source because the proxy server sets its own.


Thanks, this helped a lot :slight_smile: