Why is it dangerous to specify Access-Control-Allow-Origin: * (allow access to a resource from any origin) on the server?
There is a payment system, requests for creating payments are made via API.
Its documentation is written in PHP, but I know JavaScript and am trying to send XMLHttpRequest / Fetch requests, and I get this error:
" No 'Access-Control-Allow-Origin'
Right now I see 2 options:
1. Set up your own proxy server to bypass CORS. Requests go to the proxy, the proxy sends the request to the server and receives a response, to which it adds Access-Control-Allow-Origin before sending it to the browser (this option works, tested on a public proxy server).
2. Write to the payment system's support and ask them to add Access-Control-Allow-Origin: *
Questions:
1. What are the disadvantages of the first option?
2. Why is it dangerous for a payment system to allow access to a resource from any source according to option 2?
3. Is it possible for them to make changes or will they ignore me?
If Access-Control-Allow-Origin: * is an insecure method, then why is it so easy to bypass it through a proxy?
2. Why is it dangerous for a payment system to allow access to a resource from any source according to option 2?
3. Is it possible for them to make changes or will they ignore me?
1. What are the disadvantages of the first option?
If the API methods are intended for server-to-server interaction, then you need to call them on the server side, in your PHP script, and not expose them to the client. If you create a payment on the client side, how will your server then make sure that the payment really took place?
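The server-side flow this answer describes, as an added example that is not part of the original answer or the payment system's documentation. It is written in Node.js because the asker works in JavaScript; `createPaymentAtProvider`, the order data and the secret are hypothetical placeholders standing in for the real server-to-server API call.

```javascript
// Added example. Constructed data; all names are hypothetical, not the payment system's API.
const API_SECRET = "sk_test_placeholder"; // placeholder; lives only on the server
const ORDERS = new Map([["order-1001", { amountCents: 4900, currency: "USD", status: "new" }]]);
const PAYMENTS = new Map(); // paymentId -> orderId, written only by the server

// Hypothetical stand-in for the server-to-server "create payment" call.
// In production this is an HTTPS request from the backend carrying the secret.
async function createPaymentAtProvider(secret, request) {
  if (secret !== API_SECRET) throw new Error("unauthorized");
  return { id: "pay_" + request.orderId, amountCents: request.amountCents, status: "pending" };
}

// Backend handler for the browser's "pay" request. The browser sends only an
// order id; amount and currency come from the server's own order record.
async function handleCreatePayment(clientBody, provider = createPaymentAtProvider) {
  const orderId = String(clientBody?.orderId);
  const order = ORDERS.get(orderId);
  if (!order) return { status: 404, body: { error: "unknown order" } };
  if (order.status !== "new") return { status: 409, body: { error: "payment already started" } };
  const payment = await provider(API_SECRET, {
    orderId, amountCents: order.amountCents, currency: order.currency,
  });
  PAYMENTS.set(payment.id, orderId); // remember which payment we created for which order
  order.status = "pending";
  return { status: 201, body: { paymentId: payment.id, amountCents: payment.amountCents } };
}

// The server accepts a payment reference only if it created that payment itself
// for that order, so a client cannot claim a payment that never happened.
function isKnownPayment(paymentId, orderId) {
  return PAYMENTS.has(paymentId) && PAYMENTS.get(paymentId) === orderId;
}
```

Because the browser only talks to this backend on the site's own origin, no CORS header is needed from the payment system, and the secret never reaches client code.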