{"id":21,"date":"2022-05-13T01:47:24","date_gmt":"2022-05-13T01:47:24","guid":{"rendered":"https:\/\/blogs.oregonstate.edu\/castblog\/?p=21"},"modified":"2022-05-13T01:47:24","modified_gmt":"2022-05-13T01:47:24","slug":"cors-and-same-origin-policy","status":"publish","type":"post","link":"https:\/\/blogs.oregonstate.edu\/castblog\/2022\/05\/13\/cors-and-same-origin-policy\/","title":{"rendered":"CORS and same-origin policy"},"content":{"rendered":"\n<p>For our capstone project, we encountered a same-origin restriction issue.  What this means is that our browsers were preventing our frontend web server from retrieving API responses from our backend server.<\/p>\n\n\n\n<p>The same-origin policy essentially means that modern-day browsers will prevent domain A from loading resources from domain B.  This is primarily due to security concerns.  For example, someone could try to make requests to Wells Fargo from another site using your Wells Fargo cookies.  With the same-origin policy in place, this activity is restricted (unless explicitly allowed by the server).<\/p>\n\n\n\n<p>There are a few ways around this.<\/p>\n\n\n\n<p>The first is deploying the frontend and backend on the same server.  This way, both will be under the same domain.  This architecture adheres to the same-origin policy and would not trigger restrictions within a browser.<\/p>\n\n\n\n<p>Another way to work around this is to have the middleware allow requests from specific domains.  There&#8217;s an ExpressJS CORS package that allows incoming requests from authorized domains.<\/p>\n\n\n\n<p>Our team has decided to consolidate the frontend and backend under one server.  Stay tuned to see how this turns out!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>For our capstone project, we encountered a same-origin restriction issue. What this means is that our browsers were preventing our frontend web server from retrieving API responses from our backend server. The same-origin policy essentially means that modern-day browsers will prevent domain A from loading resources from domain B. This is primarily due to [&hellip;]<\/p>\n","protected":false},"author":12276,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-21","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/blogs.oregonstate.edu\/castblog\/wp-json\/wp\/v2\/posts\/21","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogs.oregonstate.edu\/castblog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.oregonstate.edu\/castblog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.oregonstate.edu\/castblog\/wp-json\/wp\/v2\/users\/12276"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.oregonstate.edu\/castblog\/wp-json\/wp\/v2\/comments?post=21"}],"version-history":[{"count":1,"href":"https:\/\/blogs.oregonstate.edu\/castblog\/wp-json\/wp\/v2\/posts\/21\/revisions"}],"predecessor-version":[{"id":22,"href":"https:\/\/blogs.oregonstate.edu\/castblog\/wp-json\/wp\/v2\/posts\/21\/revisions\/22"}],"wp:attachment":[{"href":"https:\/\/blogs.oregonstate.edu\/castblog\/wp-json\/wp\/v2\/media?parent=21"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.oregonstate.edu\/castblog\/wp-json\/wp\/v2\/categories?post=21"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.oregonstate.edu\/castblog\/wp-json\/wp\/v2\/tags?post=21"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}