I want to allow client applications to make cross domain JSON requests to a

Question

0

Asked: May 26, 20262026-05-26T23:13:48+00:00 2026-05-26T23:13:48+00:00

I want to allow client applications to make cross domain JSON requests to a

0

I want to allow client applications to make cross domain JSON requests to a central data server. The clients and server will be on different domains.

To get around the “Origin null is not allowed by Access-Control-Allow-Origin.” error, I have the server set a:

Access-Control-Allow-Origin: *

header.

I see here (http://www.w3.org/wiki/CORS_Enabled) that cross domain should only be used for “public data which doesn’t require cookie or session based authentication”.

Is is not safe to use session/cookie based authentication when using the Access-Control-Allow-Origin: * header? If not why?

Thank you.

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-26T23:13:49+00:00

Having a CORS ruleset of Access-Control-Allow-Origin: * isn’t a full Same-origin policy bypass, and is probably safe.

Having this header set on every page allows for unauthenticated resource-requests. Authentication cookies are not implicitly included with these requests, so a cross-site XHR couldn’t be used to lets say; read your email, or read CSRF tokens on a remote domain – because these requests would require a cookie or a bearer token.

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

I want to allow client applications to make cross domain JSON requests to a

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply