# Same Origin Policy
a policy enforced by the browser
1. CORS doesn't protect the server's information (the request still reaches and is processed by the server; CORS only governs what the browser lets a page read)
```
Access-Control-Allow-Origin: This header controls which other origins are allowed to read the response. It can be a wildcard (*) to allow every origin, or it can be locked down to specific origins.
Access-Control-Allow-Methods: This header controls which HTTP methods are supported - methods not listed here will result in CORS errors.
Access-Control-Allow-Headers: This header controls which extra headers the client (!) may send with its request. If other headers are added, the request will lead to a CORS error response.
```
2. A CORS error can't be fixed by adding headers to the client-side request:
As written and explained above: the CORS headers need to be added to the response sent by the backend, not to the request sent by the client! CORS is not configured on the client request; it is the server's response that carries the headers so that the client web page is allowed to use it.
=> setting CORS headers on the request does nothing for CORS
As mentioned earlier: if you don't have access to the code behind an API that's giving you a CORS error, you'll have no way of fixing it. That API doesn't want you to send requests - it's as easy as that.

same origin => protection implemented by the browser

cross origin => the response can't be read
### anchor

the response is sent to the new site (B); site (A) can't read the response
** the request can still be sent to the server, but the response will be blocked by the browser.
=> the server itself must validate and reject malicious requests; it can't rely on the browser.
### form

### script

a. this is one way XSS (cross-site scripting) or CSRF (cross-site request forgery) can happen
### jsonp: abuse

### web_storage

### cookie
:::info

because of the cookie jar, a script on site B can send a request to site A with site A's cookies attached (CSRF)
:::

1. a cookie's scope can be broadened to the parent domain / subdomains


** the browser doesn't block the request, it only restricts the response sent back to the client

request -> server -> response -> browser CORS policy decides whether to expose the response
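The header semantics from item 1 and the flow above, as an added example (not code from the original note): the server-side decision that produces the `Access-Control-*` headers. It assumes a constructed origin allowlist and a plain request object with lowercase header names; note that a non-allowlisted origin still reaches the handler, which is why the server must do its own authorization.

```javascript
// Added example (not from the original note): the server-side half of CORS.
// Assumed config: an explicit origin allowlist instead of a wildcard.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com", // constructed sample origin
]);
const ALLOWED_METHODS = ["GET", "POST"];
const ALLOWED_HEADERS = ["content-type", "authorization"]; // compared lowercase

// req is a plain object { method, headers } with lowercase header names.
// Returns { status, headers }: the CORS headers the server should put on its
// response. An origin that is not allowlisted gets no Access-Control-* headers,
// so the browser blocks the response for that page; the request itself still
// reached this code, so authentication/authorization must not rely on CORS.
function corsResponseHeaders(req) {
  const origin = req.headers["origin"];
  const headers = { Vary: "Origin" }; // stop caches serving one origin's answer to another
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    return { status: 200, headers }; // same-origin/non-browser client, or origin not allowed
  }
  headers["Access-Control-Allow-Origin"] = origin; // echo the allowlisted origin, never "*"
  headers["Access-Control-Allow-Credentials"] = "true"; // only acceptable with an allowlist

  // Preflight: the browser asks (OPTIONS) before sending a non-simple request.
  const wantMethod = req.headers["access-control-request-method"];
  if (req.method === "OPTIONS" && wantMethod) {
    const wantHeaders = (req.headers["access-control-request-headers"] || "")
      .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
    const methodOk = ALLOWED_METHODS.includes(wantMethod.toUpperCase());
    const headersOk = wantHeaders.every((h) => ALLOWED_HEADERS.includes(h));
    if (!methodOk || !headersOk) {
      return { status: 403, headers: { Vary: "Origin" } }; // rejected preflight: no allow headers
    }
    headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
    headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS.join(", ");
    headers["Access-Control-Max-Age"] = "600"; // seconds the browser may cache this preflight
    return { status: 204, headers };
  }
  return { status: 200, headers };
}

// Constructed sample requests: an allowed page, a foreign page, a preflight for DELETE.
const allowed = corsResponseHeaders({ method: "GET", headers: { origin: "https://app.example.com" } });
const foreign = corsResponseHeaders({ method: "GET", headers: { origin: "https://other.example" } });
const badPreflight = corsResponseHeaders({ method: "OPTIONS", headers: {
  origin: "https://app.example.com", "access-control-request-method": "DELETE" } });
console.log(allowed.headers, foreign.headers, badPreflight.status);
```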






###### tags: `CORS`,`SOP`