Will CORS policy prevent resource access from non-browser requests?

by

However, does this prevent Http requests from a CURL, or other native applications/web-servers (ie. a request written and run via PHP) from successfully retrieving data from that resource?

No, CORS config won’t prevent non-browser stuff from successfully retrieving your resources.

The same-origin policy is enforced only by browsers. It’s not enforced by servers. (And CORS is a way to relax the same-origin policy.) It’s not the case that if there’s some lack of any CORS details in a request, servers somehow block requests, or refuse to send responses.

Instead when you configure CORS support on a server, all that the server does differently is just to send the Access-Control-Allow-Origin header and other CORS response headers.

The way the protocol works is, regardless of what CORS configuration you make on the server side, all clients—even browsers—continue to get responses from the server as they normally would. But the difference is, curl or other native apps or backend server-side programming environments such as PHP will not prevent your client code from accessing the response if it doesn’t include the Access-Control-Allow-Origin response header. But browsers will.

Specifically, even if you see an error in your browser devtools that a cross-origin request from your frontend JavaScript code failed, you’ll still be able to see the response in browser devtools.

But just because your browser can see the response doesn’t mean the browser will expose it to your frontend JavaScript code. Browsers only expose responses from cross-origin requests to frontend code running at a particular origin if the server the request went to opts-in to allowing the request, by responding with an Access-Control-Allow-Origin header allowing that origin.

But browsers are the only clients which do that. Browsers are the only clients that implement the same-origin policy and the CORS protocol. curl or other native applications or HTTP client requests made server-side runtimes such as PHP don’t implement the CORS protocol, so you can’t block requests from them by doing any CORS configuration on the server side.

So If you want to block requests to a resource from non-browser clients, you need to do it using something other than CORS configuration.

More Related Contents:

  1. Configure cors to allow all subdomains using ASP.NET Core (Asp.net 5, MVC6, VNext)
  2. where to download the dotnet-dev-win-x86.1.0.0-preview 2-1-003180
  3. How to enable CORS in ASP.net Core WebAPI
  4. How to run stored procedures in Entity Framework Core?
  5. Entity Framework Core service default lifetime
  6. How to configure ASP.net Core server routing for multiple SPAs hosted with SpaServices
  7. How to read web.config file in .Net Core app
  8. How to specify the view location in asp.net core mvc when using custom locations?
  9. Export html to pdf in ASP.NET Core
  10. dotnet publish doesn´t publish correct appsettings.{env.EnvironmentName}.json
  11. Google JWT Authentication with AspNet Core 2.0
  12. Is it possible to self-host an ASP.NET Core Application without IIS?
  13. OData Support in ASP.net core
  14. Get Current User in a Blazor component
  15. .Net Core on Raspberry Pi 4 with Raspbian?
  16. Is Kestrel using a single thread for processing requests like Node.js?
  17. ASP.Net Core SAML authentication
  18. Remove “Server” header from ASP.NET Core 2.1 application
  19. Include all dependencies using dotnet pack
  20. How to redirect to log in page on 401 using JWT authorization in ASP.NET Core
  21. How to correctly get dependent scoped services from ISecurityTokenValidator
  22. How to publish environment specific appsettings in .Net core app?
  23. Create Custom HTML Helper in ASP.Net Core
  24. Read request body twice
  25. Modify middleware response
  26. How to start Quartz in ASP.NET Core?
  27. How to inject a reference to a specific IHostedService implementation?
  28. Access to XMLHttpRequest has been blocked origin ASP.NET CORE 2.2.0 / Angular 8 / signalr1.0.0 [(CORS Policy-Access-Control-Allow-Origin) failed]
  29. PayPal Transaction Search API: PERMISSION_DENIED, No Permission for the requested operation
  30. Unable to configure HTTPS endpoint. No server certificate was specified, and the default developer certificate could not be found

Leave a Comment