these are why the same-origin policy is important
or the address of the script (like
https://website.com/apple, is a request to
https://subdomain.website.com a same-origin request?
the domain and subdomain need to be exactly the same
http://website.com/apple, is a request to
http://website.com/banana a same-origin request?
if the domain/subdomain, port, and protocol (https) are the same, it's the same origin!
But, for example, making an arbitrary GET request to an HTTP API isn't.
there are some forbidden headers you're never allowed to set, like Host. But otherwise you can send any request you want.
api.yourstore.com from the origin
Access-Control-Allow-Origin: yourstore.com header on the HTTP response!
It's usually better to allow an allowlist of specific origins and not
api.yourstore.com from a different origin?
OPTIONS request with the right headers!
If you're making a cross-origin POST request with some JSON, the browser won't even send the request by default. Instead, it'll send an OPTIONS request and check the response headers.
if this were possible, it would let any attacker get around the same-origin policy just by setting a request header in their request. The server needs to be the one to allow the request.
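The server-side half of this flow (an allowlist of specific origins, plus answering the browser's OPTIONS preflight) as an added example that is not from the original page; the origins, the allowed methods/headers and the `corsDecision` function are assumptions for illustration:

```javascript
// Added example: decide which CORS headers an API server should attach.
// The server, not the requesting page, is the one that grants access,
// and it grants it only to origins on an explicit allowlist.
const ALLOWED_ORIGINS = new Set([
  "https://yourstore.com",       // assumed store front-end origin
  "https://admin.yourstore.com", // assumed admin front-end origin
]);
const ALLOWED_METHODS = ["GET", "POST", "OPTIONS"];
const ALLOWED_HEADERS = ["content-type", "authorization"];

// req = { method, headers } with lowercase header names (as Node's http module gives them).
// Returns { allowed, preflight, headers } where headers are the CORS headers to send.
function corsDecision(req) {
  const origin = req.headers["origin"];
  // No Origin header: same-origin or non-browser client, so CORS does not apply.
  if (origin === undefined) return { allowed: true, preflight: false, headers: {} };
  // Compare the whole origin (scheme + host + port); a substring match would let
  // "https://yourstore.com.attacker.example" through.
  if (!ALLOWED_ORIGINS.has(origin)) return { allowed: false, preflight: false, headers: {} };

  const headers = {
    "Access-Control-Allow-Origin": origin, // echo only an allowlisted value, never "*"
    "Vary": "Origin",                      // caches must key the response on Origin
  };
  const isPreflight =
    req.method === "OPTIONS" && "access-control-request-method" in req.headers;
  if (!isPreflight) return { allowed: true, preflight: false, headers };

  // Preflight: the browser asks whether the real request would be accepted.
  const wantMethod = req.headers["access-control-request-method"].toUpperCase();
  const wantHeaders = (req.headers["access-control-request-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  const methodOk = ALLOWED_METHODS.includes(wantMethod);
  const headersOk = wantHeaders.every((h) => ALLOWED_HEADERS.includes(h));
  if (!methodOk || !headersOk) return { allowed: false, preflight: true, headers: {} };

  headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
  headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS.join(", ");
  headers["Access-Control-Max-Age"] = "600"; // browser may cache this preflight for 10 min
  return { allowed: true, preflight: true, headers };
}
```

A JSON POST from an allowlisted origin first arrives as an OPTIONS request carrying Access-Control-Request-Method: POST and Access-Control-Request-Headers: content-type; the function answers that with the Allow-* headers, and only then does the browser send the real POST.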