CORS
Alexey Avdeev, 2019-01-06 14:25:12

Difference between normal GET and GET via XHR?

I don’t quite understand the difference in detail; tell me if I correctly identified the differences for myself.

Let’s take a regular GET: a site with the abc.com domain loads an image from the xzc.com domain, and if there is no hotlink protection on the xzc.com server side, then the image is loaded and displayed.

Let's take GET via XHR: if the Access-Control-Allow-Origin * header is not set on the xzc.com server side, then the image will not load, the server will return an error

headers are not needed.
The whole difference is that through XHR the page is updated dynamically in the background, without blinking the page, right?

Another question follows from this: there is a certain API URL; if you request it from the domain via XHR, then the server will check where the request was made from and, if it is allowed, it will return the answer. And if you make a direct request from the browser? Or from, say, Paw or Postman, in which case the domain is missing, how will the server with the API behave, or is it all individually configured?


1 answer(s)
rPman, 2019-01-06
@rPman

A direct request from the browser that bypasses Access Control Origin would be requests from a Flash/Silverlight/Java applet, or even (research question) requests from XSLT/SVG, or requests for codecs or licenses from AVI... whatever else can make requests to the server on its own.
There are also browser extensions and plugins, they work from a privileged context and can also access anywhere.
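
As an added example (not part of the original question or answer), here is a simplified JavaScript model of the two sides involved in the question: what an API on xzc.com sees in the request, and what the browser then decides. The function names, the allowlist and other.example are hypothetical, and the browser check models only a simple GET without credentials.

```javascript
// Added illustration. ALLOWED_ORIGINS, apiHandler, browserLetsScriptRead and
// scenarios are hypothetical names; all sample requests are constructed.
const ALLOWED_ORIGINS = new Set(["https://abc.com"]);

// Server side: the API only sees the Origin request header. Browsers attach it
// to cross-origin XHR/fetch; Postman, Paw or curl omit it or send any value.
function apiHandler(requestHeaders) {
  const origin = requestHeaders["origin"]; // undefined for non-browser clients
  const headers = { "content-type": "application/json" };
  if (origin !== undefined && ALLOWED_ORIGINS.has(origin)) {
    headers["access-control-allow-origin"] = origin;
    headers["vary"] = "Origin"; // stop caches reusing the reply for other origins
  }
  // The body is produced either way: CORS headers are instructions to the
  // browser, not an access check. Protecting the data needs authentication.
  return { status: 200, headers, body: '{"ok":true}' };
}

// Browser side (simplified): may script on pageOrigin read this response?
function browserLetsScriptRead(pageOrigin, targetOrigin, response) {
  if (pageOrigin === targetOrigin) return true; // same-origin, no CORS check
  const acao = response.headers["access-control-allow-origin"];
  return acao === "*" || acao === pageOrigin;
}

// Constructed scenarios matching the question.
function scenarios() {
  const api = "https://xzc.com";
  const fromAllowed = apiHandler({ origin: "https://abc.com" });
  const fromOther = apiHandler({ origin: "https://other.example" });
  const fromPostman = apiHandler({}); // no Origin header at all
  return {
    allowedXhrReadable: browserLetsScriptRead("https://abc.com", api, fromAllowed),
    otherXhrReadable: browserLetsScriptRead("https://other.example", api, fromOther),
    otherXhrServerStatus: fromOther.status, // the server still answered
    postmanGotBody: fromPostman.body.length > 0, // no browser, so no CORS check
    postmanHasAcao: "access-control-allow-origin" in fromPostman.headers,
  };
}
```
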
