Technical question - cross origin requests

Started by Matty, September 18, 2020, 16:14:35

Matty

Good Day.

I've known for a while that browsers are designed to not accept HTTP responses from cross-origin XMLHttpRequest commands in JavaScript.

E.g. site A has a PHP file called myform.php

Websites with the same domain as site A may request myform.php, but website B on site B may not receive a response from myform.php in most browsers because the domains are different.

CORS policy prevents this.

There is a header however that site A myform.php can include called 'Allow Cross Origin Requests: (from specific sites)'

Now my confusion is this:

This restriction is browser level. So a file that makes an HTTP request in code, not a browser, such as in an Android app, a Windows executable, or a curl request, does not have this restriction. That's fine.

But what I've discovered is that in Chrome on my tablet device the restriction is ignored. But in Chrome on my desktop it is not.

So, e.g., my game is hosted on a portal's site on a different server. It makes an HTTP request to a hiscore.php file on my server. If the game is accessed through my browser on my own website, no problem. If hosted on another site and accessed through a browser, it should deny the request for high scores.

Now... weirdly - this is correct and normal, except: on my desktop this behaviour is standard and correct. On my tablet my game hosted elsewhere CAN see the high score table.

Wtf?

Derron

https://developer.mozilla.org/de/docs/Web/HTTP/CORS

According to this it should work .... (as your API surely does allow cross origin requests...)


bye
Ron
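
As an added illustration (not code from either poster), the sketch below models the two halves of CORS for a simple GET: the headers a server script such as hiscore.php could send, and the check a browser runs before letting page script read the response. The origins, the allowlist and both function names are constructed for the example; a non-browser client such as curl receives the same response and never runs the second function.

```javascript
// Added example: the two halves of CORS for a simple GET request.
// All origins, the URL and the allowlist are constructed sample values.

// Server side: headers a script such as hiscore.php could send back.
// The Origin is echoed only when it is on the allowlist.
function corsHeadersFor(requestOrigin, allowlist) {
  const headers = { "Vary": "Origin" }; // tells caches the response differs per Origin
  if (requestOrigin && allowlist.includes(requestOrigin)) {
    headers["Access-Control-Allow-Origin"] = requestOrigin;
  }
  return headers;
}

// Browser side: the check applied after the response has already arrived.
// Returns true when page script is allowed to read the response.
function browserExposesResponse(pageOrigin, requestUrl, headers, withCredentials = false) {
  if (new URL(requestUrl).origin === pageOrigin) return true; // same-origin: no CORS check
  const allow = headers["Access-Control-Allow-Origin"];
  if (allow === undefined) return false;       // header absent: response hidden from script
  if (allow === "*") return !withCredentials;  // wildcard is rejected for credentialed requests
  if (allow !== pageOrigin) return false;      // header names a different origin
  if (withCredentials) return headers["Access-Control-Allow-Credentials"] === "true";
  return true;
}

const SCORE_URL = "https://game.example/hiscore.php"; // constructed
const ALLOWLIST = ["https://portal.example"];         // constructed

// Same server logic, three different hosting pages.
function demo() {
  const pages = ["https://game.example", "https://portal.example", "https://other.example"];
  return pages.map((origin) => {
    const headers = corsHeadersFor(origin, ALLOWLIST);
    return { origin, readable: browserExposesResponse(origin, SCORE_URL, headers) };
  });
}

console.log(demo());
```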