What is CORS policy & how to solve it?
Cross-origin resource sharing (CORS) is a mechanism that allows restricted resources on a web page to be requested from another domain outside the domain from which the first resource was served.
For Better Understanding, I am using a simple Express.js project for API calls. You can also use others for API calls. I am serving the server in port 3000.
for the client side, I am using a Basic HTML template like the given below. there this a script and in there I have the function named fetechData. In that function, i am calling that API that I created using express above
In my script file, I have an API call and for the API call, I am using fetch. Usually, we don't need to say the method type if it gets because by default fetch uses the get method but for better understanding, I am adding the method in the fetch.
Now our project is ready to work. if I run the HTML file we can see there is a button name get data. If we press then we will see in the console that
This actually happened because if the client domain and the server site domain are different then it
breaks the CORS Policy. Then what is the CORS Policy?
Basically, It is a browser Policy. If One site is sending a request to another server the server then it must be send the request from the same domain or else it will violate the CORS Policy and the browser will reject the request. If we check the network tab in the browser we can see that in the header the is no Access-Control-Allow-Origin present. For getting this we cant get it from the client side unless the serverside resolves this issue
This error only can be handled in the server-side code or backend code.
On the server-side, It must allow the domain(our project domain) in the response header.
If we want to solve this in our code we should follow the given example.
we have to install the cors package using this command
then we have to modify our code
wow, we just fixed the error. we are just allowing the origins from where we will accept the API calls. If there are multiple platforms we should bind them in an array.
If we want to create a public API we can use the "*" in the origin
THIS IS HOW WE CAN SOLVE THE CORS POLICY ERROR
In Addition
There is something different in the PUT API call. rest are the same but in the PUT API call, they send a preflight request it checks whether he is accessible to send data or not. The preflight uses send method name "options".
if we check the header in the console we will see that Access-Control-Allow-Methods: GET, HEAD, PUT, PATCH. It is set by that package. On the other hand, if we want to provide more security we can also set what type of method we are accepting from that origin
From the above example, we can see that we are only accepting the GET & POST method from that origin(127.0.0.1:5500). If someone tries to PUT or DELETE it will again return that CORS policy error.
There are so many things we can also do but only for the basic cases I try to explain why cors policy error occurs
thanks for reading the article it was inspired by Learn with Sumit - LWS - Bangladesh