By IsraGab


2016-03-27 17:51:04 8 Comments

This subject has been asked a couple of times, but I still don't understand something:

When I read answers about the No 'Access-Control-Allow-Origin' header issue, it says a setting should be set on the requested server in order to allow cross domain: add_header 'Access-Control-Allow-Origin' '*';.

But please tell me why, when asking from Postman (which is a client), it's working like a charm and I have a response from the requested server?

Thank you

3 comments

@user3724317 2017-11-05 19:05:58

If you use a website and you fill out a form to submit information (your social security number, for example), you want to be sure that the information is being sent to the site you think it's being sent to. So browsers were built to say, by default, 'Do not send information to a domain other than the domain being visited'.

Eventually that became too limiting, but the default idea still remains in browsers. Don't let the web page send information to a different domain. But this is all browser checking. Chrome, Firefox, etc. have built-in code that says 'before sending this request, we're going to check that the destination matches the page being visited'.

Postman (or CURL on the cmd line) doesn't have those built-in checks. You're manually interacting with a site so you have full control over what you're sending.

@tgkprog 2018-04-02 21:56:05

More accurately, Postman does not send an XMLHttpRequest that would get checked but a top-level network call (like you opening the URL in a new browser tab), so it does not get kicked in even when in an extension.

@Felipe Roos 2017-08-18 20:19:20

SOP is a server-side config which clients decide whether or not to enforce. Most browsers do enforce it to prevent issues related to CSRF. Most developer tools don't care about it.

@IsraGab 2016-04-07 20:07:40

As @Musa commented, it seems that the reason is:

Postman doesn't care about SOP, it's a dev tool not a browser

By the way, here's a Chrome extension to make it work in your browser (this one is for Chrome, but you can find one for FF or Safari).

Check here if you want to learn more about Cross-Origin and why it's working for extensions.
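
An added example, not part of any post above: a simplified JavaScript model of the CORS check a browser applies before letting page script read a cross-origin response, and which a client such as Postman or curl never runs. The function names and the sample origins (app.example, api.example) are constructed for illustration.

```javascript
// Simplified model of the browser-side CORS check (Fetch standard).
// All names and sample values are constructed for illustration.

// An origin is scheme + host + port, as serialized by the URL parser.
function originOf(url) {
  return new URL(url).origin;
}

// May script on `pageUrl` read a response that came back from `requestUrl`?
function browserAllowsRead(pageUrl, requestUrl, responseHeaders, withCredentials = false) {
  const pageOrigin = originOf(pageUrl);
  if (pageOrigin === originOf(requestUrl)) return true; // same origin: no CORS check

  // Header names are case-insensitive, so normalize them first.
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) h[k.toLowerCase()] = v;

  const allowOrigin = h['access-control-allow-origin'];
  if (allowOrigin === undefined) return false; // "No 'Access-Control-Allow-Origin' header"
  if (!withCredentials) return allowOrigin === '*' || allowOrigin === pageOrigin;
  // With cookies/auth attached, '*' is not accepted and the server must opt in.
  return allowOrigin === pageOrigin && h['access-control-allow-credentials'] === 'true';
}

// What the caller ends up with. The server has answered in every case;
// only the browser withholds the body from the calling script.
function deliver(client, pageUrl, requestUrl, response, withCredentials = false) {
  if (client === 'browser' &&
      !browserAllowsRead(pageUrl, requestUrl, response.headers, withCredentials)) {
    return { readable: false, body: null };
  }
  return { readable: true, body: response.body };
}

// Constructed sample: a page on one origin calling an API on another.
const page = 'https://app.example/form';
const api = 'https://api.example/data';
const bare = { headers: { 'Content-Type': 'application/json' }, body: '{"ok":true}' };
const open = { headers: { 'Access-Control-Allow-Origin': '*' }, body: '{"ok":true}' };

console.log('postman, no header :', deliver('postman', null, api, bare));
console.log('browser, no header :', deliver('browser', page, api, bare));
console.log('browser, ACAO *    :', deliver('browser', page, api, open));
console.log('browser, * + creds :', deliver('browser', page, api, open, true));
```

Because the header only instructs the browser, adding Access-Control-Allow-Origin does not restrict who can call the server; authentication and authorization still have to be enforced server-side.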
