Apparently, I have completely misunderstood its semantics. I thought of something like this:
http://siteA– the origin.
- The response header of MyCode.js contains Access-Control-Allow-Origin:
http://siteB, which I thought meant that MyCode.js was allowed to make cross-origin references to the site B.
- The client triggers some functionality of MyCode.js, which in turn make requests to
http://siteB, which should be fine, despite being cross-origin requests.
Well, I am wrong. It does not work like this at all. So, I have read Cross-origin resource sharing and attempted to read Cross-Origin Resource Sharing in w3c recommendation
One thing is sure – I still do not understand how am I supposed to use this header.
I do not want to utilize JSONP.