By Joey Hipolito

2013-04-15 17:42:16 8 Comments

I have found this very useful Chrome extension called Postman. This is a very useful extension especially when you are into programming RESTful applications.

One thing I am confused on is that how this plugin/extension able to send POST request successfully on different domains?

I tried voting in a poll using Postman like this.

Voting using Postman

After submitting that, the vote was actually counted in, but when I tried doing that using AJAX and JavaScript, it fails, because of different origin policy of browsers.

How is that even possible?

Here is my code using jQuery. I used that in my computer though, localhost.

init: function() {
        url: '',
        dataType: 'html',
        data: {
            id: '1'
        success: function(data) {
        if ( data == 'voted' ) {
            $('.set-result').html( 'you already voted. try again after 24 hours' );
        } else {
            $('.set-result').html( 'successfully voted' );


@chebaby 2017-10-26 13:32:15

You can add the following header to sent Ajax request in postman.

Content-Type      application/json

X-Requested-With  XMLHttpRequest


enter image description here

Credit to Orion

@Iain Collins 2014-06-06 00:41:34

Sounds like the site that hosts the poll (the "vote.php" script) needs to have an "Access-Control-Allow-Origin" header set to allow posting from a list of sites (or all sites).

A value of * for the header will allow posting from any website:

Access-Control-Allow-Origin: *

i.e. You could put the following at the top of vote.php

header('Access-Control-Allow-Origin: *');

Chrome extensions and apps are not subject to the same security limitations placed on normal webpages.

Additional debugging tips:

If you're trying to access remote services from web pages you have open on your local file system in your browser, you might find your browser applies different security rules to them than it does to files served from a web service.

e.g. If you open local files from a locational like C:\MyDocuments\weboot\index.htm (Windows) or \Users\joe\Sites\index.html (Mac) in your browser your AJAX request might not work, even with the header specified in most browsers.

Apple's Safari applies almost no cross domain restrictions to files opened locally but Firefox is much more strict about what it permits, with Chrome somewhere in the middle. Running a web server locally (e.g. on http://localhost/) is a good idea to avoid unexpected behaviour.

Additionally, other libraries that provide functions to handle Ajax requests (such as AngularJS) may require other headers to be set on the server by default. You can usually see the reason for failure in a browser debug console.

@Mohsen 2013-04-15 17:48:47

Chrome packaged apps can have cross domain permissions. When you install Postman it promts you that this app will access any domain.

By placing */* in permissions section of your manifest file, you can do this.

Read more here:

@CodyBugstein 2014-12-08 20:22:30

How can that be? Doesn't the website itself have to also allow CORS?

@Mohsen 2014-12-09 06:05:21

@Imray There is no need for CORS headers, just like a server program or curl.

@CodyBugstein 2014-12-09 11:46:29

So basically, a Chrome app is not subject to Cross Origin security? So a Chrome app can access my bank cookies, or my Facebook login?

@Mohsen 2014-12-10 04:26:09

@Imray Chrome apps can bypass Cross Origin. Chrome will not share your regular browsing sessions with this permission. But if you install a Chrome extension that can execute content script sure they can access your bank cookies!

@CodyBugstein 2014-12-10 09:17:38

dang that's a big uneasing

@Pacerier 2014-12-11 08:48:24

@Imray, Obviously if you click "Allow This" and "Allow That" the app can do anything it wants among the privileges that you've allowed it to.

@nr5 2019-10-03 07:46:00

I am trying to hit an ajax request via postman. The ajax request is sending dataType:` json` and data: {loginId: "[email protected]", client: "698983"}. While going into the postman, I am trying to send body parameters as JSON with all the above info and Content-Type: application/json in headers but it fails with 500. Any help ?

Related Questions

Sponsored Content

33 Answered Questions

[SOLVED] Disable same origin policy in Chrome

12 Answered Questions

[SOLVED] How to manually send HTTP POST requests from Firefox or Chrome browser?

16 Answered Questions

[SOLVED] Ajax request returns 200 OK, but an error event is fired instead of success

20 Answered Questions

[SOLVED] Wait until all jQuery Ajax requests are done?

15 Answered Questions

25 Answered Questions

[SOLVED] Is Safari on iOS 6 caching $.ajax results?

32 Answered Questions

[SOLVED] How to manage a redirect request after a jQuery Ajax call

17 Answered Questions

[SOLVED] Abort Ajax requests using jQuery

Sponsored Content