Issue
What is the difference when you use a specific cross origin and when you put *?
For example:
@CrossOrigin(origins = "http://localhost:8080") or
@CrossOrigin(origins = "*")
Does it have any security issue if it is *?
Solution
The CrossOrigin was introduced to prevent background requests from untrusted websites.
Imagine the scenario:
- You are browsing on: malicious.example.com
- The website sends a background HTTP request to "DELETE http://facebook.com/my-account" to delete your account silently
You would be pretty mad if that could happen, right?
That's the main reason for CORS. It prevents XHR requests from non-"trusted" origins. I'd encourage you to use CORS when you can to prevent such disasters from happening.
This is a simplified version; the server might also need to enable cookies and headers, and so on, for the Facebook DELETE to work, but... you get the idea.
Answered By - Anthony Raymond
Answer Checked By - Pedro (JavaFixing Volunteer)
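The two settings from the question, compared side by side. This is an added example, not code from the original question or answer. It assumes spring-web 5.3 or later on the classpath and calls CorsConfiguration, the class Spring builds from a @CrossOrigin annotation, to show which Access-Control-Allow-Origin value each setting produces for a trusted and an untrusted Origin header. The class name CrossOriginCompare and the helper methods are hypothetical.

```java
// Added example, not from the original page. Assumes spring-web 5.3+ and Java 9+.
import java.util.List;
import org.springframework.web.cors.CorsConfiguration;

public class CrossOriginCompare {

    // Returns the Access-Control-Allow-Origin value Spring would send for this
    // Origin header, "(none)" if the origin is not allowed, or Spring's error
    // text if the configuration itself is refused.
    static String allowOriginHeader(CorsConfiguration config, String requestOrigin) {
        try {
            String value = config.checkOrigin(requestOrigin);
            return value != null ? value : "(none)";
        } catch (IllegalArgumentException e) {
            return "refused by Spring: " + e.getMessage();
        }
    }

    // Equivalent of @CrossOrigin(origins = ..., allowCredentials = ...).
    static CorsConfiguration config(String allowedOrigin, boolean allowCredentials) {
        CorsConfiguration c = new CorsConfiguration();
        c.setAllowedOrigins(List.of(allowedOrigin));
        c.setAllowCredentials(allowCredentials);
        return c;
    }

    public static void main(String[] args) {
        // Constructed sample origins: the question's front end and the
        // untrusted site used in the answer's scenario.
        List<String> origins = List.of(
                "http://localhost:8080", "http://malicious.example.com");

        CorsConfiguration specific = config("http://localhost:8080", true);
        CorsConfiguration wildcard = config("*", false);
        CorsConfiguration wildcardWithCredentials = config("*", true);

        for (String origin : origins) {
            System.out.println("Origin: " + origin);
            System.out.println("  specific origin + credentials -> "
                    + allowOriginHeader(specific, origin));
            System.out.println("  \"*\" without credentials       -> "
                    + allowOriginHeader(wildcard, origin));
            System.out.println("  \"*\" + credentials             -> "
                    + allowOriginHeader(wildcardWithCredentials, origin));
        }
    }
}
```

When no Access-Control-Allow-Origin header comes back, the browser does not let the calling page's script read the response; with "*" every origin receives the header, so the wildcard only suits endpoints whose responses are safe for any site to read.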