Why not substitute the cors headers?

On the part of the backend sent headers:
header("Access-Control-Allow-Origin: validate.ru");
header('Access-Control-Allow-Credentials: true');
header('Access-Control-Max-Age: 86400');


From the front make an ajax request using jquery. And here is the question. Why if you add this line in the query parameters
dataType: 'jsonp',
the tab network I see that the server put cors headers, but without this line, the cors headers somewhere deyus.

There is still such a clarification. The front is located on the local host. But the host set up. That is, the queries go with the name origin=my_domain.ru
March 23rd 20 at 19:05
1 answer
March 23rd 20 at 19:07
Quote c api.jquery.com/jquery.ajax

Script and JSONP requests are not subject to the same origin policy restrictions.


I.e. when you request dataType:'jsonp' CORS is not used. Here the problem is not jsonp, and CORS is not configured correctly. Unfortunately, the example You gave does not give a complete picture of what is configured wrong.
That's just the jsonp headers, then come correct. Not working simple ajax request. The simplest example is there: $.ajax({url:"som_url.ru"}) headers from the server will not be delivered.
If the list of parameters to add dataType:'jsonp', headers will come - zoie.Ber commented on March 23rd 20 at 19:10
Can be remote Apache somehow cut the headers? - zoie.Ber commented on March 23rd 20 at 19:13
There is no error in the headers
header("Access-Control-Allow-Origin: validate.ru"); - t. e allowed to make requests validate.ru
header('Access-Control-Allow-Credentials: true');
header('Access-Control-Max-Age: 86400');


And origin you write origin=my_domain.ru

Plus you write Access-Control-Allow-Credentials: true (respectively in the query is also removed credentials), ie it is envisaged that the request will go to the authorization data.

Maybe you need to remove the header Access-Control-Allow-Credentials, and set "Access-Control-Allow-Origin: *"

More info is in this article - Donnell commented on March 23rd 20 at 19:16
@'donnell,

This is removed, the result is the same:
header('Access-Control-Allow-Credentials: true');

So, too, did the
"Access-Control-Allow-Origin: *" - zoie.Ber commented on March 23rd 20 at 19:19

Find more questions by tags CORSjQueryPHP