How to check whether a domain has CORS enabled or not
I tried to access this API (click here for more info):
POST https://api.line.me/v2/oauth/accessToken
but always get the error:
XMLHttpRequest cannot load https://api.line.me/v2/oauth/accessToken.
No 'Access-Control-Allow-Origin' header is present on the requested resource
Now I want to make sure that domain (and others, for example: Facebook, Twitter, etc.) enables CORS. How can I do that?
Solution 1:[1]
A core part of the CORS protocol is the Origin request header that browsers send when handling cross-origin requests initiated from frontend code. So if from a non-browser client/tool you want to emulate a browser-based request, you need to send the Origin header:
curl -i -H 'Origin: http://sample.com' \
'https://access.line.me/dialog/oauth/weblogin?response_type=code&client_id=12345&redirect_uri=https%3A%2F%2Fsample.com%2Fauth&state=123abc'
To examine the response, you also need to tell the client/tool to show you the response headers. In the example above with curl, that’s what the -i option does.
And so finally, to determine whether the server sending the response has CORS enabled in the response, you need to look for the Access-Control-Allow-Origin response header there.
In the case of the https://access.line.me API, the Access-Control-Allow-Origin header won’t be found in the response—which is unsurprising given the docs for its “Web Login flow” (https://developers.line.me/web-api/integrating-web-login-v2#steps_web_login):
The LINE Login process for web applications (Web Login) is based on the OAuth 2.0 authorization code grant flow. Your application must be able to make requests server-side and receive data from the LINE Platform.
That is, the docs specifically state a need to make requests from the “server-side”, and nowhere else in those docs is there any mention of support for requests made from frontend JavaScript code running in a browser, nor any code examples of how to make a request using JavaScript.
In general, if a particular service/API is CORS-enabled and has docs on how to make requests to that service/API, those docs give examples/details of how to do that from frontend code.
In other words, if docs for a particular service/API don’t give examples/details of how to make requests to it from frontend JavaScript running in a browser, it probably doesn’t support CORS.
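The header check described in the answer above can be scripted. This is an added example, not part of the original answer: the function name cors_verdict and both sample responses are constructed for illustration and are not captured from any real server.

```shell
#!/bin/sh
# cors_verdict ORIGIN
# Reads the output of `curl -i` (status line, headers, blank line, body) on
# stdin and prints one word describing Access-Control-Allow-Origin (ACAO):
#   allowed   header is "*" or exactly equals ORIGIN
#   mismatch  header is present but names a different origin
#   absent    header is not in the response
cors_verdict() {
    awk -v origin="$1" '
        { sub(/\r$/, "") }                      # curl -i keeps CRLF line endings
        /^HTTP\// {                             # status line opens a header block
            split($0, s, " "); status = s[2]
            acao = ""; seen = 0; next
        }
        /^$/ {                                  # blank line ends the header block
            if (status ~ /^1/) next             # 1xx interim response: keep reading
            exit                                # never parse the body
        }
        {
            i = index($0, ":")
            if (i == 0) next
            name = tolower(substr($0, 1, i - 1))   # header names are case-insensitive
            value = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", value)
            if (name == "access-control-allow-origin") { acao = value; seen = 1 }
        }
        END {
            if (!seen) print "absent"
            else if (acao == "*" || acao == origin) print "allowed"
            else print "mismatch"
        }
    '
}

# Constructed sample responses so the example runs offline.
sample_with_cors() {
    printf 'HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n'
    printf 'Access-Control-Allow-Origin: http://sample.com\r\n\r\n{}\n'
}
sample_without_cors() {
    printf 'HTTP/2 302 \r\nlocation: https://example.invalid/login\r\n\r\n'
}

sample_with_cors    | cors_verdict http://sample.com
sample_without_cors | cors_verdict http://sample.com

# Against a live endpoint (URL is whatever you are checking):
#   curl -s -i -H 'Origin: http://sample.com' "$URL" | cors_verdict http://sample.com
```

A result of "mismatch" matters as much as "absent": the browser blocks the response unless the header value is "*" or matches the requesting origin exactly.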
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
Solution | Source |
---|---|
Solution 1 |