Home/ Questions/Q 8604985
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-12T02:42:45+00:00

I would like a concrete example in an answer if possible. For explanations sake

  • 0

I would like a concrete example in an answer if possible.

For explanations sake we have three players here.

  • My Server (myserver.com)
  • Client Server (myclient.com)
  • Client User (accessing data through myclient.com)

I’m making a web service available to my clients that allows them to retrieve their data in JSON format. In order for their websites to work they have to use the standard XOR workarounds – either making the request server-side or relying on me to set

Access-Control-Allow-Origin: http://myclient.com

So two part question here. First, why do I set the origin policy at myserver.com? Why does my server care who it serves content up to? Shouldn’t it be myclient.com that sets this? Concrete example here would be great.

Part two, I understand that JSONP works around this, but I’m worried about using it because I don’t understand the security implications from part one. What is the point of JSONP if I can just set Access-Control-Allow-Origin: *?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Lots of questions!

    1. JSONP is definitely dangerous if you intend to serve user-specific content. If the content the server is serving is completely public, and (probably) read-only, JSONP is a wise choice. Don’t use it for anything that assumes a ‘logged in state’ or authentication/authorization.

    2. CORS is definitely much better than JSONP, but it’s not supported in every (older) browser. If you want to support as much as possible, you will need some kind of fallback. CORS allows you to do requests other than GET, which greatly improves flexibility.

    3. The reason the target server needs to allow this, is mainly because javascript running on domain A, should not be able to access domain B. If domain A could ‘allow’ this, it implies you could create javascript applications that have access to the sandbox of any public server. Only the owner of domain B can explicitly allow the owner of domain A to access their content.

    4. Your argument (why does domain B care who accesses their resources) would normally be valid. But this is not to protect domain B, it is to protect the end-user. Domain A should not be allowed to perform requests on behalf of the end-user to Domain B without explicit permission.

    And just to be sure: unless you understand the security implications of JSONP quite well, CORS is likely a much safer choice.

    • 0