We can set and allow cross-origin resource sharing for all domains, for specific domains, or for no domains at all.
But I wonder whether allowing CORS for specific domains is meaningful.
If a hacker knows the domains that the server allows. (e.g
Browsers are where CORS restrictions are enforced. And browsers know the real origin a script runs in. That’s how they work. If they didn’t, there would be zero security on the Web.

`fetch()` request—not against the value of the

In other words, browsers are what set the `Origin` request header to send over the network—and they set it based on what they know to be the real origin.

So even if you manage to change the `Origin` header a browser sends over the network, it’s not going to matter to the browser—it’s going to ignore it and continue checking against the real origin.

As far as CORS goes, servers just send back documents, with an `Access-Control-Allow-Origin` header and other CORS headers, to any client that requests them.

Consider if you use `curl` or something to request a document from a server: The server doesn’t check the `Origin` header and refuse to send the document if the requesting origin doesn’t match the `Access-Control-Allow-Origin` header. The server sends the response regardless.

And as far as clients go, `curl` and non-browser tools don’t have the concept of an origin to begin with and so don’t usually send any `Origin` header to begin with. You can make `curl` send one—with any value you want—but it’s pointless because servers don’t care what the value is.

`curl`, etc., don’t check the value of the `Access-Control-Allow-Origin` response header the server sends, and refuse to get a document if the request’s `Origin` header doesn’t match the `Access-Control-Allow-Origin` header in the server response. They just get the document.

`curl`, etc., browsers will not let your script get a document if the XHR or `fetch()` call requesting it is from an origin not allowed in the server’s
And again, the way browsers determine what the origin is is by already knowing what the origin is, not based on the value of whatever `Origin` request header might end up getting sent in the request.
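As an added example (not part of the answer above), here is the server-side half of what the answer describes: computing the `Access-Control-Allow-Origin` response header from an exact-match allowlist of specific origins. The origin names are constructed, and `corsHeaders` / `handle` are hypothetical helper names; the server still returns the document whatever the `Origin` header says, and only a browser acts on the result.

```javascript
// Added example: server-side CORS allowlist logic for Node.js.
// The server emits these headers; enforcement happens in the browser.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',   // constructed example origins
  'https://admin.example.com',
]);

// Returns the CORS-related response headers for a given Origin request
// header value (string or undefined) and an allowlist of exact origins.
function corsHeaders(originHeader, allowed = ALLOWED_ORIGINS) {
  // Always vary on Origin so a shared cache never replays one origin's
  // Access-Control-Allow-Origin value to a request from another origin.
  const headers = { Vary: 'Origin' };
  if (typeof originHeader !== 'string') {
    // Non-browser clients (curl etc.) usually send no Origin at all.
    // They still get the document, just with no CORS grant attached.
    return headers;
  }
  let origin;
  try {
    // Parse to scheme://host[:port]; an opaque value like "null" throws.
    origin = new URL(originHeader).origin;
  } catch {
    return headers;
  }
  // Exact match only. A prefix, suffix or regex check would accept
  // look-alikes such as "https://app.example.com.attacker.test".
  if (origin !== originHeader || !allowed.has(origin)) {
    return headers;
  }
  // Echo the single matched origin, never "*", when credentials are allowed.
  headers['Access-Control-Allow-Origin'] = origin;
  headers['Access-Control-Allow-Credentials'] = 'true';
  return headers;
}

// Request handler compatible with http.createServer(handle).
function handle(req, res) {
  const h = corsHeaders(req.headers.origin);
  for (const [k, v] of Object.entries(h)) res.setHeader(k, v);
  if (req.method === 'OPTIONS') {    // preflight: headers only, no body
    res.statusCode = 204;
    return res.end();
  }
  res.setHeader('Content-Type', 'application/json');
  res.end(JSON.stringify({ ok: true }));  // body is sent to any client
}
```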