i'm developing web application. during development, want locally hosted application can send xmlhttprequest domain.
i googled around, lot of materials allow cors on chrome, need use --disable-web-security option. server needs implement response header: access-control-allow-origin: *.
does mean if server has implemented cors, normal chrome user still won't able send cross origin request because --disable-web-security not enabled?
if that's case, what's point server implement cors? normal user won't know , turn on --disable-web-security option.
after did testing, have got answer.
of online materials or blogs not clear point, can send cross origin request by:
- either has server implement cors, i.e. response header needs have
access-control-allow-origin: * - or
--disable-web-securitychrome browser convenience
so need have 1 of above cross origin request work. it's not necessary both ensure server implemented cors , disable web security of web browser.
Comments
Post a Comment