these are why the same-origin policy is important
company.com/page.html) or the address of the script (like
https://website.com/apple, is a request to https://subdomain.website.com a same-origin request?
The domain and subdomain need to be exactly the same.
http://website.com/apple, is a request to http://website.com/banana a same-origin request?
If the domain/subdomain, port, and protocol (http or https) are the same, it's the same origin!
But, for example, making an arbitrary GET request to an HTTP API isn't.
There are some forbidden headers you're never allowed to set, like Host. But otherwise you can send any request you want.
api.yourstore.com from the origin
Access-Control-Allow-Origin: yourstore.com header on the HTTP response!
It's usually better to use an allowlist of specific origins and not
api.yourstore.com from a different origin?
OPTIONS request with the right headers!
If you're making a cross-origin POST request with some JSON, the
browser won't even send the request by default. Instead, it'll send an
OPTIONS request and check the response headers.
If this were possible, it would let any attacker get around the same-origin policy just by setting a request header in their request. The server needs to be the one to allow the request.
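Here is an added example (not from the original zine) that puts the two rules above into code: how a browser decides whether two URLs are the same origin (scheme, host and port, path ignored), and how a server answers a cross-origin request with an origin allowlist and an OPTIONS preflight. The origins `https://yourstore.com` and `https://www.yourstore.com`, the header lists and the request objects are constructed for illustration. One caveat the example makes explicit: the browser's `Origin` header always carries the scheme, so the allowlist must hold full origins like `https://yourstore.com`, not bare host names.

```javascript
// Added example: same-origin comparison plus a CORS allowlist/preflight decision.
// Host names, origins and request objects below are constructed for illustration.

// An origin is (scheme, host, port); the path is ignored. The WHATWG URL parser
// drops the default port, so http://a.com and http://a.com:80 compare equal.
function originOf(urlString) {
  return new URL(urlString).origin; // e.g. "https://website.com"
}

function isSameOrigin(pageUrl, requestUrl) {
  return originOf(pageUrl) === originOf(requestUrl);
}

// Allowlist of full origins (scheme included). A bare "yourstore.com" would never
// match the browser's Origin header, which always carries the scheme.
const ALLOWED_ORIGINS = new Set(['https://yourstore.com', 'https://www.yourstore.com']);

// Methods and request headers a cross-origin page is allowed to use.
const ALLOWED_METHODS = ['GET', 'POST', 'OPTIONS'];
const ALLOWED_HEADERS = ['Content-Type', 'Authorization'];

// Compute the CORS part of a response. `req` is a plain object:
// { method, headers: { origin, 'access-control-request-method', ... } }
// (header names lowercased, as Node's http module presents them).
// Returns { status, headers } so the decision can be tested without a socket.
function corsResponse(req) {
  const origin = req.headers['origin'];
  const headers = {};

  // No Origin header: same-origin or non-browser request; nothing to add.
  if (!origin) return { status: 200, headers };

  // Origin not on the allowlist: send no CORS headers at all. The browser then
  // blocks the page from reading the response (or, for a preflighted request,
  // never sends the real request).
  if (!ALLOWED_ORIGINS.has(origin)) {
    return { status: req.method === 'OPTIONS' ? 403 : 200, headers };
  }

  // Echo the specific origin rather than "*", and tell caches the answer
  // depends on the Origin header.
  headers['Access-Control-Allow-Origin'] = origin;
  headers['Vary'] = 'Origin';

  if (req.method === 'OPTIONS' && req.headers['access-control-request-method']) {
    // Preflight: the browser asks whether it may send a non-simple request,
    // e.g. a POST with Content-Type: application/json.
    const wantedMethod = req.headers['access-control-request-method'];
    const wantedHeaders = (req.headers['access-control-request-headers'] || '')
      .split(',').map(h => h.trim()).filter(Boolean);
    const allowedLower = ALLOWED_HEADERS.map(h => h.toLowerCase());
    const methodOk = ALLOWED_METHODS.includes(wantedMethod);
    const headersOk = wantedHeaders.every(h => allowedLower.includes(h.toLowerCase()));
    if (!methodOk || !headersOk) return { status: 403, headers: {} };
    headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
    headers['Access-Control-Allow-Headers'] = ALLOWED_HEADERS.join(', ');
    headers['Access-Control-Max-Age'] = '600'; // let the browser cache this answer
    return { status: 204, headers };
  }

  // Actual (non-preflight) cross-origin request from an allowed origin.
  return { status: 200, headers };
}

// Usage: corsResponse({ method: 'OPTIONS', headers: { origin: 'https://yourstore.com',
//   'access-control-request-method': 'POST',
//   'access-control-request-headers': 'content-type' } })
// returns status 204 with Access-Control-Allow-Origin: https://yourstore.com.
```

The decision lives on the server side on purpose: nothing the page sends in a request header can make `corsResponse` allow an origin that is not in `ALLOWED_ORIGINS`, which is exactly why the browser trusts the response headers and not the request.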