Sunday, 27 October 2019

Can a client ignore the Access-Control-Allow-Origin header?

From my understanding, the Access-Control-Allow-Origin header is set by the server to tell which domain is allowed to access whatever resource the current request is asking for. And whether to comply with this rule or not is up to the client side to decide. Is this correct?

In other words, there is nothing on the server side to reject a request from other domains, and clients like browsers are only obeying it out of courtesy?
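As an added illustration of the question above (not part of the original post): a local server that sends `Access-Control-Allow-Origin` for a single origin, queried by a non-browser client that sends a different `Origin` and never consults the header, next to a path where the server itself checks `Origin`. The origins, paths and response body are constructed for the example.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

ALLOWED_ORIGIN = "https://app.example"  # constructed value


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        origin = self.headers.get("Origin")
        # /enforced: the server refuses foreign origins itself. Origin is
        # still client-supplied, so this only holds against browsers (page
        # scripts cannot set Origin); real access control needs authentication.
        if self.path == "/enforced" and origin != ALLOWED_ORIGIN:
            self._send(403, b"forbidden")
            return
        # /header-only: the body is always sent; only the ACAO header
        # tells a browser whether page scripts may read it.
        self._send(200, b"secret-data")

    def _send(self, status, body):
        self.send_response(status)
        self.send_header("Access-Control-Allow-Origin", ALLOWED_ORIGIN)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def fetch(path, origin):
    """Non-browser client: sends an Origin header and ignores ACAO."""
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    conn = http.client.HTTPConnection("127.0.0.1", server.server_port)
    try:
        conn.request("GET", path, headers={"Origin": origin})
        resp = conn.getresponse()
        acao = resp.getheader("Access-Control-Allow-Origin")
        return resp.status, acao, resp.read()
    finally:
        conn.close()
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(fetch("/header-only", "https://other.example"))
    print(fetch("/enforced", "https://other.example"))
```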



