Before you tell me about Access-Control-Allow-Origin and whitelisting, assume for the sake of argument that I can’t touch the HTTP headers. This is a hypothetical question.
My question:
- let’s say I have an app available at a domain and I want to send a POST request from another domain, but I own both domains.
- let’s also say, for the sake of argument, that I’m not at liberty to adjust CORS settings
So I can make an ajax request from website.com to app.website.com. But I have a second website, website2.com, which would also like to make an ajax request to app.website.com.
If I were to create two CNAME records for app.website.com so that app.website2.com would point to the same app, could I then make an ajax request from either domain without necessitating the setting of Access-Control headers?
As far as I can tell, the only problem would be a possible SEO penalty from Google for not having a canonical URL for app.website.com, which is irrelevant as in my thought experiment it’s basically just an endpoint.
Anybody illuminate me?
2 Answers
The Same-Origin Policy judges by hostname (as part of the origin), not physical server.
You can’t do that.
To put it differently, if you use shared hosting, you must not get access to anyone else on that shared server.
Instead, you can use JSONP.
If you comply with the same hostname restriction (including the subdomain) then you can indeed use a CNAME to allow both domains to point to the same server.
If your question is about whether the name resolution of the CNAME is of importance for the CORS, then the answer is “no, it is not considered” and thus you can use this trick.
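The origin comparison discussed in the answers, as an added example that is not part of either answer. `CNAME_TABLE`, `resolveAlias` and `classify` are hypothetical names, and the alias table is a constructed stand-in for DNS, used only to show that the check never consults it.

```javascript
// Constructed stand-in for the CNAME record in the question.
const CNAME_TABLE = { "app.website2.com": "app.website.com" };

// Follow aliases the way a resolver would (illustration only; the
// same-origin check below never calls this).
function resolveAlias(host) {
  const seen = new Set();
  while (CNAME_TABLE[host] && !seen.has(host)) {
    seen.add(host);
    host = CNAME_TABLE[host];
  }
  return host;
}

// An origin is scheme + host + port, taken from the URL text alone.
// The WHATWG URL parser serializes it and drops default ports.
function classify(pageUrl, requestUrl) {
  const page = new URL(pageUrl);
  const target = new URL(requestUrl);
  return {
    sameOrigin: page.origin === target.origin,
    sameServer: resolveAlias(page.hostname) === resolveAlias(target.hostname),
  };
}

// Constructed cases built from the hostnames in the question.
const CASES = [
  // Page served under the alias, request sent to the canonical name.
  ["https://app.website2.com/page", "https://app.website.com/api"],
  // Page and request both under the alias hostname.
  ["https://app.website2.com/page", "https://app.website2.com/api"],
  // Page on the bare domain, request to its subdomain.
  ["https://website2.com/", "https://app.website2.com/api"],
  // Same hostname, different scheme.
  ["http://app.website2.com/page", "https://app.website2.com/api"],
];

for (const [page, target] of CASES) {
  const r = classify(page, target);
  console.log(`${page} -> ${target}`,
    r.sameOrigin ? "same-origin" : "cross-origin (CORS applies)",
    r.sameServer ? "[same server]" : "[different server]");
}
```

Only the second case is same-origin: the page itself has to be loaded from the alias hostname, with matching scheme and port, for the request to avoid CORS.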