Cross-Origin Resource Sharing (CORS) is a security feature implemented in web browsers to protect users from malicious scripts that could be executed by a website hosted on a different domain. It restricts web pages or scripts from making requests to a different domain than the one that served the web page. This feature has been implemented in all modern web browsers, and it’s a critical aspect of web security. Many developers face CORS issues while sending HTTP requests to different domains from their applications. In this article, we’ll discuss how Postman Web handles CORS issues.
Postman Web allows you to send HTTP requests directly from your browser. However, it has a different mechanism implemented to solve the CORS issue. We will see another way to solve the CORS issue for your application.
Postman Web Client Routes the Request through Internal Servers
Instead of directly sending the request to the actual server from its UI, Postman sends the request to its own server. It sends other details, such as request type, request parameters (if any), etc., as custom headers in that request.
After Postman’s server receives the request, the original request is sent to the actual server. So now there is direct server-to-server communication. The first request that goes from the Postman client to Postman’s server doesn’t face CORS since both applications are on the same domain. The second request that goes from the Postman server to the actual server has no browser as an intermediary for the communication. We have covered in detail about this type of interesting architecture here.
However, there is a catch here. Since Postman Web routes the requests to its internal server, it may not be a secure practice as the requests might contain auth tokens, cookies, or any other sensitive information. This is where Requestly’s API client comes in.
How Requestly API client handles CORS
Requestly’s API client leverages Chrome extension APIs to solve this security-related shortcoming in handling CORS issues. When you hit an API endpoint, it creates an HTTP request and sends a message to the extension background process, which internally makes the call to the actual API endpoint and returns the response.
You can read more about how Requestly API Client works in this blog.