Activation of CORS

Learn how to make our API accessible through different domains and protocols.


In this lesson, we’ll discuss one final problem often encountered when working with an API.

When we first request an external site (via an AJAX request, for example), we will encounter an error of this kind:

“Failed to load https://example.com/ No ‘Access-Control-Allow-Origin’ header is present on the requested resource. Origin “https://anfo.pl” is therefore not allowed access. If an opaque response serves your needs, set the request’s mode to “no-cors” to fetch the resource with CORS disabled.”

But what does “Access-Control-Allow-Origin” mean? This behavior comes from the way browsers implement CORS (cross-origin resource sharing). Before CORS was standardized, there was no way to call an API endpoint under another domain, for security reasons. Such calls were (and to some extent still are) blocked by the same-origin policy.

CORS is a mechanism that aims to allow requests made on our behalf while at the same time blocking some requests made by malicious scripts. It is triggered when we make an HTTP request to any of the following:

  • A different domain
  • A different sub-domain
  • A different port
  • A different protocol
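
The four cases above, as an added example that is not part of the original lesson: the first function shows how the origin comparison treats each case, and the second shows one way a server can decide whether to send `Access-Control-Allow-Origin`. The function names, the allowlist and the sample URLs other than the two origins in the error message are assumptions made for illustration.

```javascript
// Added illustration, not the lesson's code. Names and sample URLs are constructed.

// An origin is the (protocol, host, port) triple. URL.origin normalizes
// default ports, so https://anfo.pl and https://anfo.pl:443 are the same origin.
function isCrossOrigin(pageUrl, requestUrl) {
  return new URL(pageUrl).origin !== new URL(requestUrl).origin;
}

// Server-side decision: echo the request's Origin header only when it is an
// exact match for an allowlisted origin. Prefix or substring matching would
// also accept look-alike hosts such as https://anfo.pl.attacker.example.
function corsHeadersFor(requestOrigin, allowedOrigins) {
  if (!requestOrigin || !allowedOrigins.includes(requestOrigin)) {
    return {}; // no header: the browser refuses to expose the response
  }
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Vary": "Origin", // caches must not reuse this response for other origins
  };
}

// Classify a list of request targets against the page that issues them.
function classify(pageUrl, targets) {
  return targets.map((target) => [target, isCrossOrigin(pageUrl, target)]);
}

const PAGE = "https://anfo.pl/app"; // origin taken from the error message
const TARGETS = [
  "https://example.com/",      // different domain
  "https://api.anfo.pl/users", // different sub-domain (constructed)
  "https://anfo.pl:8443/users",// different port (constructed)
  "http://anfo.pl/users",      // different protocol (constructed)
  "https://anfo.pl:443/users", // same origin: 443 is the https default
];

for (const [target, crossOrigin] of classify(PAGE, TARGETS)) {
  console.log(crossOrigin ? "cross-origin" : "same-origin ", target);
}

const ALLOWED = ["https://anfo.pl"]; // hypothetical allowlist on the API side
console.log(corsHeadersFor("https://anfo.pl", ALLOWED));
console.log(corsHeadersFor("https://anfo.pl.attacker.example", ALLOWED));
```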
