
I'm writing a small script to access an external API for work. I originally did this in Python and everything worked fine.

I was then asked to try and do it in JavaScript. Now, I'm no programmer really, but I do know (or believe) that JavaScript is largely for client-side, whereas PHP or Python are really for server-side operations. When I wrote the script in Python I had no problems, but in JavaScript I get a

Response to preflight request doesn't pass access control check: No 
'Access-Control-Allow-Origin' header is present on the requested
resource.

error. From what I've read about CORS here and similar questions on Stack, that makes sense, but I don't really understand why I don't get a similar error in Python or PHP...

I'm fairly new to this so I'm probably missing a number of things, but I'd really appreciate any insight anyone can give me. If I've left out any important info, please let me know.

  • CORS checking is done only by Web browsers on the client side, so you run into it any time the script in a Web document at a particular origin makes a cross-origin request (uses XHR or Fetch to fetch some resource from a different origin). On the server side your code can fetch resources from any origin you want, without any CORS checking.
    – sideshowbarker
    Commented Oct 19, 2016 at 15:02
  • So can't you just tell the browser not to do any CORS checking, or is that something locked down within the browser?
    – Morgan
    Commented Oct 19, 2016 at 15:15
  • Similar question: Why does making a python Requests request work and Jquery ajax Get does not? Commented Jan 27, 2017 at 11:02

1 Answer


From Mozilla's documentation:

For security reasons, browsers restrict cross-origin HTTP requests initiated from within scripts. For example, XMLHttpRequest and Fetch follow the same-origin policy. So, a web application using XMLHttpRequest or Fetch could only make HTTP requests to its own domain.

Since JavaScript in the browser uses XMLHttpRequest and fetch to make HTTP requests, they're subject to CORS policy enforcement.

More information on the reasons for CORS:

CORS is intended to allow resource hosts (any service that makes its data available via HTTP) to restrict which websites may access that data.

Example: You are hosting a website that shows traffic data and you are using AJAX requests on your website. If SOP and CORS were not there, any other website could show your traffic data by simply AJAXing to your endpoints; anyone could easily "steal" your data and thus your users and your money.

The external API you're using likely implemented a CORS policy intentionally. For example, if the API requires an application-level secret key for authentication, a CORS policy would discourage the use of that key in a public environment (namely the browser). Alternatively, the API may have a list of acceptable domain names for CORS that doesn't include the domain you're currently using.

Those are just a few examples; there could be any number of reasons for an API to implement CORS headers.
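As an added example (not code from the question, the comments or the answer above), the following Node.js snippet models both halves of the mechanism the answer describes: the decision an API server makes about which `Access-Control-Allow-Origin` headers to emit (including the preflight `OPTIONS` exchange named in the question's error message), and the check a browser performs before letting page script read a cross-origin response. The origins, allowlist and header values are constructed sample data; `corsHeaders` and `browserAllowsRead` are hypothetical names, not an API of any real framework.

```javascript
// Added example (constructed): a minimal server-side CORS policy and the
// matching browser-side read check. Header names are assumed lowercase,
// as Node's http module normalizes them.

// Constructed allowlist: the "list of acceptable domain names" the answer mentions.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);
const ALLOWED_METHODS = ['GET', 'POST'];
const ALLOWED_HEADERS = ['content-type', 'authorization'];

// Server side: decide which CORS headers to send for a request.
// Returns {} when the origin is not on the allowlist; the browser then
// refuses to expose the response to the page's script. Note the request
// itself still reaches the server, so CORS is not a substitute for
// authentication on the API.
function corsHeaders(req) {
  const origin = req.headers['origin'];
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return {};

  const headers = {
    // Echo the specific allowed origin rather than '*': '*' cannot be
    // combined with credentials, and echoing arbitrary origins would
    // defeat the allowlist.
    'Access-Control-Allow-Origin': origin,
    'Vary': 'Origin',
    'Access-Control-Allow-Credentials': 'true',
  };

  // Preflight: the browser asks permission before a non-simple request.
  if (req.method === 'OPTIONS') {
    const wantMethod = req.headers['access-control-request-method'];
    const wantHeaders = (req.headers['access-control-request-headers'] || '')
      .split(',').map(h => h.trim().toLowerCase()).filter(Boolean);
    if (!ALLOWED_METHODS.includes(wantMethod)) return {};
    if (!wantHeaders.every(h => ALLOWED_HEADERS.includes(h))) return {};
    headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
    headers['Access-Control-Allow-Headers'] = ALLOWED_HEADERS.join(', ');
    headers['Access-Control-Max-Age'] = '600';
  }
  return headers;
}

// Browser side: may script running at pageOrigin read this response?
// This is the check that produces the error quoted in the question; a
// server-side client such as Python's requests library never runs it.
function browserAllowsRead(pageOrigin, responseHeaders, withCredentials) {
  const acao = responseHeaders['Access-Control-Allow-Origin'];
  if (!acao) return false;                       // no header: blocked
  if (acao === '*') return !withCredentials;     // wildcard never valid with cookies
  if (acao !== pageOrigin) return false;         // must match exactly
  if (withCredentials &&
      responseHeaders['Access-Control-Allow-Credentials'] !== 'true') return false;
  return true;
}

// Constructed walk-through of one preflight plus the actual request.
function demo() {
  const preflight = { method: 'OPTIONS', headers: {
    origin: 'https://app.example.com',
    'access-control-request-method': 'POST',
    'access-control-request-headers': 'Content-Type',
  } };
  const pre = corsHeaders(preflight);
  const actual = corsHeaders({ method: 'POST', headers: { origin: 'https://app.example.com' } });
  return {
    preflightOk: Object.keys(pre).length > 0,
    readable: browserAllowsRead('https://app.example.com', actual, true),
    strangerReadable: browserAllowsRead('https://other.example.net',
      corsHeaders({ method: 'GET', headers: { origin: 'https://other.example.net' } }), false),
  };
}

module.exports = { corsHeaders, browserAllowsRead, demo };
```

`demo()` returns `{ preflightOk: true, readable: true, strangerReadable: false }`: the allowlisted page passes preflight and can read the response, while a page from an origin not on the list gets no `Access-Control-Allow-Origin` header at all, which is exactly the situation the question's error message reports. A non-browser client calling the same endpoint would simply receive the body, which is why the Python version of the script worked.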
