79314589

Date: 2024-12-28 21:41:45

Adding a simple explanation to the accepted answers (applies only to WebSocket and HTTP/HTTPS requests):

In general,

  1. Origin is sent for all WebSocket requests.

  2. For HTTP/HTTPS requests:

It's primarily the mode and destination that decide whether origin is sent or not.

- a. If mode is navigate, the origin header is always omitted (clicking on a link or entering a URL in the address bar).

- b. If mode is "cors" and destination is empty, the origin header is not sent for same-origin GET and HEAD, but for same-origin POST, PUT etc. the origin header is sent (destination is empty when the fetch()/XMLHttpRequest API is used and can't be changed, but when we're using HTML, destination can't be set to empty manually, with the exception of and ).

- c. If mode is cors but destination is not empty, the origin header is sent for all same-origin and cross-origin requests (this can only be done through HTML, i.e. by using img, script, link etc. tags; there is no way to do this through a fetch()/XMLHttpRequest call).

- d. If mode is no-cors and method is HEAD or GET, the origin header is NOT sent irrespective of the destination value and of the resource being same-origin or cross-origin (mode can be set to "no-cors" through HTML (the default setting for embedded resources) or fetch(), but not with XMLHttpRequest).

- e. If mode is no-cors and method is POST, the origin header is sent irrespective of the destination value and of the resource being same-origin or cross-origin (this can only be done using the fetch() API, as you can't set method to POST with "no-cors" mode using HTML or XMLHttpRequest).

Also, the presence or absence of origin doesn't determine whether the resource participates in the CORS protocol or not, i.e. same-origin resources don't obey Access-Control-Allow-* headers present in the response headers even if the origin header is sent in the request*.

But when we're using the fetch() API, Response.type seems to indicate whether the CORS protocol was followed or not.

If Response.type is "basic", the request was same-origin in nature and the CORS protocol was NOT followed.

If Response.type is "cors", the request was cross-origin in nature and the CORS protocol was followed.

If Response.type is "opaque", the request was cross-origin in nature BUT the CORS protocol was NOT followed.

Posted by: iAm Satya
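The rules listed in the answer above, encoded as a small decision function so they can be checked against concrete request shapes; this is an added example, not code from the answer or from any browser. The input field names (mode, destination, method, sameOrigin) are assumed, and the one case the answer does not spell out (a cross-origin fetch in cors mode with empty destination) is filled from the Fetch standard, where every cross-origin CORS-mode request carries Origin.

```javascript
// Added example: a decision model of the Origin-header rules from the answer above.
// It calls no browser API; field names are assumed and mirror Fetch request concepts.

// Returns true when the browser would attach an Origin header to the request.
function originHeaderSent({ mode, destination = "", method = "GET", sameOrigin = true }) {
  const m = method.toUpperCase();
  const safeMethod = m === "GET" || m === "HEAD";

  if (mode === "websocket") return true;            // rule 1: always sent
  if (mode === "navigate") return false;            // rule a: link click / address bar
  if (mode === "cors") {
    if (destination === "") {                       // rule b: fetch()/XMLHttpRequest
      // Same-origin GET/HEAD omit Origin; same-origin POST/PUT/... carry it.
      // Cross-origin CORS requests always carry it (Fetch standard; not in the answer).
      return sameOrigin ? !safeMethod : true;
    }
    return true;                                    // rule c: img/script/link tags in cors mode
  }
  if (mode === "no-cors") {
    if (safeMethod) return false;                   // rule d: plain embedded resources
    if (m === "POST") return true;                  // rule e: fetch() no-cors POST
  }
  throw new Error(`combination not covered by the answer: ${mode}/${m}/${destination || "(empty)"}`);
}

// Maps Response.type (as seen from fetch()) to what the answer says it implies.
function interpretResponseType(type) {
  switch (type) {
    case "basic":  return { crossOrigin: false, corsFollowed: false };
    case "cors":   return { crossOrigin: true,  corsFollowed: true };
    case "opaque": return { crossOrigin: true,  corsFollowed: false };
    default:       throw new Error(`unexpected Response.type: ${type}`);
  }
}

// Constructed scenarios for a quick walk-through of the rules.
const SCENARIOS = [
  { label: "navigate to a page", mode: "navigate" },
  { label: "fetch('/api') GET, same origin", mode: "cors", method: "GET" },
  { label: "fetch('/api', {method:'POST'}), same origin", mode: "cors", method: "POST" },
  { label: "img/script/link tag in cors mode, same origin", mode: "cors", destination: "image" },
  { label: "img tag loading a cross-origin image (no-cors)", mode: "no-cors", destination: "image", sameOrigin: false },
  { label: "fetch(cross-origin, {mode:'no-cors', method:'POST'})", mode: "no-cors", method: "POST", sameOrigin: false },
];

function explainScenarios() {
  return SCENARIOS.map(s => `${s.label}: Origin ${originHeaderSent(s) ? "sent" : "omitted"}`);
}

console.log(explainScenarios().join("\n"));
```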