0

This is a trivial question, I know, but I just can't figure it out properly.

I have a website http://a.com that references a script from http://b.com/script.js. Where should I put the access-control-allow-origin header - on a.com or on b.com?

zmbq

1 Answer

1

Browsers follow the rule of "same origin".

It means a page loaded from a.com:80 can only access resources from a.com:80.

If the browser wants to load a resource from b.com:443 in an HTML document provided by a.com:80, it must be explicitly allowed by a.com:80.

To answer, the HTML document(s) returned by a.com:80 must include the following header

access-control-allow-origin=b.com:443

to allow the browser to load something from b.com:443.

Mumrah81
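Added example, not part of the original question or answer: in the CORS protocol, Access-Control-Allow-Origin is a response header sent by the server that hosts the cross-origin resource (b.com in the question), and its value is the origin of the requesting page (http://a.com). The sketch below models both sides of that check; the function names, the allowlist and the sample URLs are assumptions made for illustration.

```javascript
// Model of the CORS origin check for non-credentialed requests.
// Note: a classic <script src="http://b.com/script.js"> tag loads and runs
// without any CORS check; the check applies when the page reads the response
// (fetch/XHR) or requests the script in CORS mode (crossorigin attribute).

// Serialize an origin as browsers do: scheme://host[:port], default port omitted.
function originOf(url) {
  return new URL(url).origin;
}

// Server side (the host of the resource, b.com): choose the CORS headers for
// a response, given the Origin request header and an allowlist of origins.
function corsHeadersFor(requestOrigin, allowedOrigins) {
  // Vary: Origin keeps shared caches from reusing a response across origins.
  const headers = { Vary: "Origin" };
  if (requestOrigin && allowedOrigins.includes(requestOrigin)) {
    // Echo the single matching origin instead of using "*".
    headers["Access-Control-Allow-Origin"] = requestOrigin;
  }
  return headers;
}

// Browser side: may script on pageUrl read the response from resourceUrl?
// Only headers on the resource's response are consulted; headers sent with
// the page itself play no part in this decision.
function browserAllowsRead(pageUrl, resourceUrl, resourceResponseHeaders) {
  const pageOrigin = originOf(pageUrl);
  if (pageOrigin === originOf(resourceUrl)) return true; // same origin
  const acao = resourceResponseHeaders["Access-Control-Allow-Origin"];
  return acao === "*" || acao === pageOrigin;
}

// Constructed sample run for the setup in the question.
const allowlist = ["http://a.com"];
const page = "http://a.com/index.html";
const resource = "http://b.com/script.js";
const granted = corsHeadersFor(originOf(page), allowlist);
console.log(granted, browserAllowsRead(page, resource, granted));
const denied = corsHeadersFor("http://other.example", allowlist);
console.log(denied, browserAllowsRead("http://other.example/", resource, denied));
```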