Keywords: CORS | Same-Origin Policy | Cross-Origin Requests | Browser Security | XMLHttpRequest
Abstract: This article provides an in-depth examination of the fundamental reasons why JavaScript code encounters 'No Access-Control-Allow-Origin header is present' errors in browsers, while contrasting why Postman tool remains unaffected by these restrictions. Through analysis of same-origin policy security mechanisms, CORS protocol workings, and different execution environments between browsers and extensions, it reveals behavioral differences in cross-origin requests across various scenarios. Combining specific code examples and practical cases, the article systematically explains the design philosophy of modern web security models, offering developers comprehensive technical perspectives on cross-origin communication.
Security Foundations of Same-Origin Policy
Modern web browsers implement the same-origin policy as a core security mechanism, which restricts how documents or scripts from one origin can interact with resources from another origin. Same-origin is defined as exact matches of protocol, domain name, and port number. When JavaScript code attempts to initiate cross-origin requests through XMLHttpRequest or Fetch API, browsers automatically perform same-origin checks, serving as a crucial defense line protecting users from malicious website attacks.
Working Principles of CORS Protocol
Cross-Origin Resource Sharing (CORS) is an HTTP header-based mechanism that allows servers to indicate which origins other than their own can access their resources. When browsers detect cross-origin requests, they automatically add Origin headers to identify the request source. Servers need to respond with appropriate Access-Control-Allow-Origin headers to authorize cross-origin access. If the server doesn't provide this header or the provided value doesn't match the request origin, the browser will prevent JavaScript code from accessing the response content.
Fundamental Differences Between Browser Environment and Extensions
Postman, as a browser extension, operates in a different execution environment than regular web pages. Extensions possess higher privilege levels, allowing them to bypass same-origin policy restrictions and communicate directly with remote servers. This design enables development tools to test API interfaces without considering CORS constraints. The following code example demonstrates typical cross-origin request scenarios in browsers:
// Example of cross-origin request in browser
const response = await fetch('https://api.example.com/data', {
method: 'GET',
mode: 'cors',
credentials: 'include'
});
// If the server doesn't set appropriate CORS headers, this request will be blocked by the browserPractical Case Analysis
Scenarios described in reference articles further confirm this mechanism. When developers attempt to access remote APIs from local environments, even with correctly configured client-side code, requests will still be blocked by browsers if the server-side doesn't implement CORS support. This situation commonly occurs during development testing phases, requiring developers to ensure backend services are properly configured with CORS headers or use proxy servers to handle cross-origin requests.
Security Considerations and Best Practices
Although CORS mechanisms might inconvenience development, their security value cannot be overlooked. Arbitrarily relaxing CORS restrictions may expose applications to security threats like Cross-Site Request Forgery (CSRF). It's recommended to precisely configure Access-Control-Allow-Origin headers in production environments, avoiding wildcards and explicitly specifying allowed origin domains. For development environments, consider using browser extensions, proxy servers, or development server CORS middleware to simplify testing processes.
Technical Implementation Details
Modern browsers employ complex validation processes when handling cross-origin requests. For requests that might cause side effects on server data (such as POST, PUT, DELETE), browsers first send preflight requests to confirm whether the server allows the cross-origin request. Only after receiving positive preflight responses will they send the actual requests. This mechanism ensures cross-origin operation security but also increases request complexity.
// Preflight request example
// Browser automatically sends OPTIONS request to verify cross-origin permissions
const preflightCheck = await fetch('https://api.example.com/data', {
method: 'OPTIONS',
headers: {
'Access-Control-Request-Method': 'POST',
'Access-Control-Request-Headers': 'Content-Type'
}
});Understanding browser security models and development tool differences is crucial for modern web development. By deeply mastering CORS mechanism workings, developers can more effectively debug cross-origin issues, design secure API interfaces, and choose appropriate testing strategies across different environments.