I'm testing CORS with the Postman tool and I constantly get
access-control-allow-origin → null
for GET or OPTIONS requests to
http://localhost:4000/api/accounts?Host=http://localhost:4200/&X-Origin=http://jquery.com
Also using Origin instead of X-Origin doesn't change the outcome.
Meanwhile, if I use cURL like this
curl -H "Origin: http://jquery.com" --verbose http://localhost:4000/api/accounts
I do gain access to the API
< access-control-allow-origin: http://jquery.com
I've also opened the jQuery website using http and the chrome Javascript console in order to execute this code:
$.get("http://localhost:4000/api/accounts").then(function(val){console.log(val);})
And it printed the JSON object returned by the API.
Now my questions are as follows:
How can I properly test CORS using Postman? I've noticed that when set the allow origins option on the server to
*Postman does returnaccess-control-allow-origin → *
The problem mentioned above appears only when I explicitly allow a set of origins like:
`origin: ["https://www.getpostman.com/", "http://localhost:4200/", "http://jquery.com"]`
- I noticed that allowing
http://jquery.com/instead ofhttp://jquery.comwill not allow requests from which the origin isOrigin=http://jquery.com? - I've noticed that cURL returns the contents of the resource (in this case JSON data) even if the request comes from non-authorized origin. Is this normal or does it mean that I forgot to configure something on the server that exposes this data?
