You can read more about HTTP here.
CORS - Cross Origin Resource Sharing.
Let's understand the difference between Origin and Site.
Let's take a URL:
http:// --> Scheme (protocol used)
app --> Sub-domain
paperless --> Second-level domain
com --> Top-level domain
about --> Sub-directory
Take a longer URL like the one below (it includes the port number and query string).
What is Origin?
Origin is a combination of scheme, domain, and port.
What is a Site?
The site combines the Top-level Domain and part of the Domain just before it.
In the example, the Top-level Domain is 'com', so the site is the part of the domain just before the TLD together with the TLD itself: paperless.com.
Fun fact: WWW is also a subdomain like 'app' and 'hello' above.
are of different origins.
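To make the origin/site distinction concrete, here is an added example (not code from the original post) that computes both for a handful of constructed URLs with Node's built-in URL class. The hostnames are assumptions, and the site rule is the post's simplified one (TLD plus the label before it); real browsers consult the Public Suffix List so that multi-label suffixes such as co.uk are handled correctly.

```javascript
// Added example, not from the original post. Hostnames are assumptions.

// Origin = scheme + host + port. URL.origin drops a default port (80/443),
// which matches how browsers compare origins.
function originOf(url) {
  return new URL(url).origin;
}

// Site = the top-level domain plus the label just before it (the post's
// definition). Simplified: single-label TLDs only, no Public Suffix List.
function siteOf(url) {
  const labels = new URL(url).hostname.split(".");
  return labels.slice(-2).join(".");
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

function sameSite(a, b) {
  return siteOf(a) === siteOf(b);
}

// Constructed sample URLs: every one is a different origin from the first,
// but only the last one is a different site.
const SAMPLES = [
  "http://app.paperless.com/about",
  "https://app.paperless.com/about",      // different scheme
  "http://app.paperless.com:8080/about",  // different port
  "http://hello.paperless.com/about",     // different subdomain
  "http://www.paperless.com/about",       // www is just another subdomain
  "http://paperless.org/about",           // different TLD -> different site
];

// Returns one row per sample so the result can be inspected or asserted on.
function originSiteTable() {
  return SAMPLES.map((u) => ({ url: u, origin: originOf(u), site: siteOf(u) }));
}

console.table(originSiteTable());
```

The practical consequence: CORS, the same-origin policy and `Access-Control-Allow-Origin` all reason about the origin column, while cookie attributes such as SameSite reason about the site column, so two URLs can share a site yet still be blocked from reading each other's responses.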
HTTP Headers related to CORS:
Origin: http://example.com --> set automatically by the browser on cross-origin requests
Access-Control-Allow-Origin: * --> accepts all origins
Access-Control-Allow-Origin: https://app.paperless.com --> allows only this origin
It is essential to understand preflight requests. Preflight requests check whether the requested HTTP method is allowed on the server or not.
The HTTP method used in the preflight request is OPTIONS.
Certain requests don't trigger a preflight; these are called simple requests.
As a rule of thumb, requests that don't cause side effects on server data are 'simple requests.'
OPTIONS /doc HTTP/1.1
Access-Control-Request-Method: POST
Access-Control-Request-Headers: X-PINGOTHER, Content-Type
This tells the server that I am going to send a request with the method 'POST'. The actual request may carry custom headers, and Access-Control-Request-Headers lists them: X-PINGOTHER, Content-Type. The X- prefix marks a custom (non-standard) header.
The response from the server would be
Access-Control-Allow-Origin: https://app.paperless.com
Access-Control-Allow-Methods: POST, GET, OPTIONS
Access-Control-Allow-Headers: X-PINGOTHER, Content-Type
Access-Control-Max-Age: 86400 --> in seconds (24 hours) --> how long the browser may cache the preflight result
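The preflight exchange and the simple-request rule above can be expressed as a small server-side policy. The following is an added example (not code from the original post or any specific framework): a pure function that, given a request's method and headers, returns the CORS response headers a Node-style server should attach, plus a classifier for simple requests using the CORS-safelisted methods and headers. The allowlisted origin and the custom header name are taken from the post; the `req` shape (lowercase header names, as in Node's `http` module) is an assumption.

```javascript
// Added example, not from the original post. Assumes req = { method, headers }
// with lowercase header names, as Node's http module provides.

// Allowlist of exact origins. Returning "*" instead would let any origin read
// the response (and browsers reject "*" when the request carries credentials).
const ALLOWED_ORIGINS = new Set(["https://app.paperless.com"]);
const ALLOWED_METHODS = ["GET", "POST", "OPTIONS"];
const ALLOWED_HEADERS = ["X-PINGOTHER", "Content-Type"];
const PREFLIGHT_MAX_AGE = "86400"; // seconds, 24 hours

// CORS-safelisted methods/headers: a request using only these is a "simple
// request" and the browser sends it without a preflight.
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

function isSimpleRequest(method, headers) {
  if (!SAFE_METHODS.has(method.toUpperCase())) return false;
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase();
    if (!SAFE_HEADERS.has(key)) return false;        // e.g. X-PINGOTHER forces a preflight
    if (key === "content-type") {
      const mime = value.split(";")[0].trim().toLowerCase();
      if (!SAFE_CONTENT_TYPES.has(mime)) return false; // e.g. application/json forces a preflight
    }
  }
  return true;
}

// Returns the CORS headers to add to the response, {} when the request is not
// cross-origin, or null when the Origin (or requested method) is not allowed.
// With null the server sends no Access-Control-Allow-Origin at all, so the
// browser blocks the cross-origin read.
function corsHeaders(req) {
  const origin = req.headers["origin"];
  if (!origin) return {};
  if (!ALLOWED_ORIGINS.has(origin)) return null;

  const base = {
    "Access-Control-Allow-Origin": origin, // echo only an allowlisted origin
    "Vary": "Origin",                      // caches must key on Origin
  };

  const isPreflight =
    req.method.toUpperCase() === "OPTIONS" && "access-control-request-method" in req.headers;
  if (!isPreflight) return base;

  const wanted = req.headers["access-control-request-method"].toUpperCase();
  if (!ALLOWED_METHODS.includes(wanted)) return null;
  return {
    ...base,
    "Access-Control-Allow-Methods": ALLOWED_METHODS.join(", "),
    "Access-Control-Allow-Headers": ALLOWED_HEADERS.join(", "),
    "Access-Control-Max-Age": PREFLIGHT_MAX_AGE,
  };
}

// Constructed preflight, mirroring the OPTIONS /doc exchange in the post.
const SAMPLE_PREFLIGHT = {
  method: "OPTIONS",
  headers: {
    "origin": "https://app.paperless.com",
    "access-control-request-method": "POST",
    "access-control-request-headers": "X-PINGOTHER, Content-Type",
  },
};

console.log(corsHeaders(SAMPLE_PREFLIGHT));
```

Two design points worth noting: the allowlist check is an exact string comparison on the whole origin (a prefix or substring match would also accept look-alike hosts), and `Vary: Origin` is sent whenever the origin is echoed so that a shared cache never serves one origin's allow header to another.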