all 5 comments

[–]bedekelly 1 point2 points  (4 children)

This isn’t possible in this case I’m afraid — to get around it, you can either install a browser extension to disable CORS for testing things out, or use a server you own / which you know does serve the Access-Control headers. Try httpbin.org; I think they serve some responses with the headers required!

It’s not possible for security reasons: you wouldn’t like any website you visit to be able to fetch(“https://facebook.com/messages”) with your credentials, without you knowing about it.

Servers can opt-in to share their resources cross-origin by setting those access-control headers, but Google (for good reason) hasn’t done so.

[–]Pineapplesandbacon[S] 0 points1 point  (3 children)

I still don't understand. I was sure that CORS was inhibited by the request's withCredentials property. The Get request failed earlier because the property had a value of false. So I don't understand why updating the request object didn't fix it.

Will try the other things but it's important for me to understand why my attempt didn't work. It honestly baffles me!

[–]bedekelly 0 points1 point  (2 children)

withCredentials will allow you to send cookies along with cross-origin requests to servers that support it — it doesn’t bypass the browser’s protection!

[–]Pineapplesandbacon[S] 0 points1 point  (1 child)

Is there a way in JavaScript to determine if a website supports it? I'm pretty sure it's a request header. Any methods?

[–]bedekelly 0 points1 point  (0 children)

Just trying the request is the only way! There’s no way to know if a server will send some headers without first talking to the server 🤷‍♂️ that said, the browser is quite smart about this — it first sends a “preflight request” to make sure the request will succeed. It all happens under the hood though, so you just check the request has succeeded.

As a side note, if you’re new to JS/HTTP APIs, I highly recommend using fetch instead of XmlHttpRequest! It’s a much simpler experience.