
html5 - How should the Access-Control-Allow-Origin of the CORS mechanism be set?

Using CORS across domains requires the target server to add your host to Access-Control-Allow-Origin or to set Access-Control-Allow-Origin to *. If the target server belongs to a third party, it seems unrealistic for them to add me. If it is a public API, it cannot be added. In this case, is it set to *? If it is set to * to accept requests from any domain name, will there be any problem with XSS attacks?

高洛峰 2669 days ago 924


  • 为情所困 2017-06-29 10:12:17

    Public APIs such as the Baidu API require a secret key to call the interface. To call the interface of a third-party server, you need to apply for whitelisting...

  • 世界只因有你 2017-06-29 10:12:17

    For security reasons, most open interfaces require signature verification. You can take a look at Alibaba's open interface: https://market.aliyun.com/data

  • 滿天的星座 2017-06-29 10:12:17

    Pay attention, good question

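The two cases raised in the question (a public API answering with `*`, and a server that whitelists specific hosts) can be written as one header policy; this is an added example and not code from the thread or from any API mentioned in it. The names `corsHeaders`, `normaliseOrigin` and `PARTNER_ORIGINS` and the example.com origins are hypothetical. CORS only decides whether a browser script may read the response, which is why the replies point to keys and signatures for actual access control.

```javascript
// Added example; function names and origins below are hypothetical.
const PARTNER_ORIGINS = new Set([            // constructed sample allowlist
  'https://app.example.com',
  'https://admin.example.com',
]);

// Accept only a well-formed http(s) origin exactly as browsers serialise it
// (lowercase host, no path, no default port); "null" and junk are rejected.
function normaliseOrigin(value) {
  if (typeof value !== 'string' || value === 'null') return null;
  try {
    const u = new URL(value);
    if (u.protocol !== 'https:' && u.protocol !== 'http:') return null;
    return u.origin === value ? u.origin : null;
  } catch {
    return null;
  }
}

// mode 'public':    any site may read the response, so it must not rely on cookies.
// mode 'allowlist': only listed origins may read it; credentials are allowed.
function corsHeaders(mode, originHeader, allowlist = PARTNER_ORIGINS) {
  if (mode === 'public') {
    // Browsers refuse "*" on credentialed requests, so it is never paired
    // with Access-Control-Allow-Credentials here.
    return { 'Access-Control-Allow-Origin': '*' };
  }
  const headers = { Vary: 'Origin' };        // shared caches must key on Origin
  const origin = normaliseOrigin(originHeader);
  if (origin !== null && allowlist.has(origin)) {
    headers['Access-Control-Allow-Origin'] = origin;   // echo the exact match only
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;          // no Allow-Origin header: the browser blocks the read
}

// Constructed sample requests.
for (const [mode, origin] of [
  ['public', 'https://any-site.test'],
  ['allowlist', 'https://app.example.com'],
  ['allowlist', 'https://app.example.com.other.test'],
  ['allowlist', 'null'],
]) {
  console.log(mode, origin, JSON.stringify(corsHeaders(mode, origin)));
}
```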