I spent the last 3 days studying how to make a cross-domain request using XMLHttpRequest. The best alternative is indeed JSONP, which I am already using.
But I still
This happens because the same origin policy is applied on the client side (browser) by evaluating the following access control header values returned from the server:
As you can see, the request must first be completed on the server in order for the browser to inspect the returned headers. This is exactly the reason why your request executes on the server.
You can have a look at Principles of the Same-Origin Policy by A. Barth.
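
The order of events described above, as an added example that is not part of the original answer: a model of a cross-origin POST that the browser sends without a preflight, showing the server-side effect happening before the browser's header check, next to a hardened handler that checks `Origin` itself. The function names, the origins, and the use of `Access-Control-Allow-Origin` as the header being evaluated are assumptions of this sketch.

```javascript
// Added example: hypothetical names throughout; serverState and the origins are constructed.
const serverState = { transfers: [] };

// Server side: runs the request to completion, then returns response headers.
// allowedOrigins is the server's own allow-list for cross-origin readers.
function handleRequest(req, allowedOrigins, enforceOriginOnServer) {
  const origin = req.headers["origin"];
  const trusted = allowedOrigins.includes(origin);
  // Hardened variant: refuse state-changing requests from unlisted origins
  // before doing any work, instead of relying on the browser's later check.
  if (enforceOriginOnServer && !trusted) {
    return { status: 403, headers: {}, body: "forbidden" };
  }
  serverState.transfers.push({ from: origin, amount: req.body.amount });
  const headers = trusted
    ? { "access-control-allow-origin": origin, "vary": "Origin" }
    : {};
  return { status: 200, headers, body: "done" };
}

// Browser side: runs only after the response has arrived, and only decides
// whether page script may read it (non-credentialed request modelled here).
function browserMayExposeResponse(pageOrigin, response) {
  const acao = response.headers["access-control-allow-origin"];
  return acao === "*" || acao === pageOrigin;
}

// One round trip: report whether the server acted and whether script can read the reply.
function crossOriginPost(pageOrigin, allowedOrigins, enforceOriginOnServer) {
  const req = { method: "POST", headers: { origin: pageOrigin }, body: { amount: 10 } };
  const before = serverState.transfers.length;
  const res = handleRequest(req, allowedOrigins, enforceOriginOnServer);
  return {
    status: res.status,
    executedOnServer: serverState.transfers.length > before,
    readableByScript: browserMayExposeResponse(pageOrigin, res),
  };
}
```

With `enforceOriginOnServer` set to `false`, a request from an unlisted origin still changes server state even though script on that page cannot read the response.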