The same-origin policy prevents web application front-ends from loading resources that come from a different domain, protocol, or port. Cross-Origin Resource Sharing (CORS) policies can be used to relax this restriction. CORS policies that are too permissive may lead to loading content from untrusted or malicious sources, or to exposing authenticated responses to pages served from origins the application does not control.
import javax.servlet.http.HttpServletResponse;

public void allowOriginNoncompliant(HttpServletResponse response) {
    // Noncompliant: Access-Control-Allow-Origin is set to the wildcard "*",
    // so any origin on the web may read this response.
    response.setHeader("Access-Control-Allow-Origin", "*");
}
import javax.servlet.http.HttpServletResponse;

public void allowOriginCompliant(HttpServletResponse response) {
    // Compliant: Access-Control-Allow-Origin names a single trusted origin.
    // A browser origin is scheme + host (+ port), so the scheme must be included;
    // a bare host name such as "mytrustedsite.com" never matches any request Origin.
    response.setHeader("Access-Control-Allow-Origin", "https://mytrustedsite.com");
}
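A single static header only works when exactly one origin is trusted. When several are, the server has to pick the one that matches the request's `Origin` header, because `Access-Control-Allow-Origin` accepts one value, not a list. The following servlet helper is an added example, not code from the original rule page: it matches the request origin against a constructed allowlist by exact string comparison, echoes back only a matching origin, and adds `Vary: Origin` so that shared caches do not serve one origin's response to another. The class name `CorsAllowlist` and the origins in the set are assumptions chosen for illustration.

```java
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class CorsAllowlist {

    // Constructed allowlist. Entries are full origins (scheme + host + optional port),
    // because that is exactly what a browser sends in the Origin request header.
    private static final Set<String> TRUSTED_ORIGINS = Set.of(
        "https://mytrustedsite.com",
        "https://app.mytrustedsite.com:8443"
    );

    /**
     * Exact-match check. Deliberately not startsWith/endsWith/contains:
     * a suffix check on "mytrustedsite.com" would also accept
     * "https://notmytrustedsite.com", and a prefix check would accept
     * "https://mytrustedsite.com.attacker-controlled.example".
     */
    public static boolean isTrustedOrigin(String origin) {
        return origin != null && TRUSTED_ORIGINS.contains(origin);
    }

    /**
     * Sets CORS response headers only when the request comes from a trusted origin.
     * For any other origin no Access-Control-Allow-Origin header is emitted at all,
     * so the browser falls back to enforcing the same-origin policy.
     */
    public static void applyCorsHeaders(HttpServletRequest request,
                                        HttpServletResponse response) {
        String origin = request.getHeader("Origin");

        if (!isTrustedOrigin(origin)) {
            return; // untrusted or absent Origin: leave the response same-origin only
        }

        // Reflect only the validated origin, never the raw header unconditionally.
        response.setHeader("Access-Control-Allow-Origin", origin);

        // The response now differs per Origin, so caches must key on it.
        response.addHeader("Vary", "Origin");

        // Keep the rest of the policy as narrow as the application needs.
        response.setHeader("Access-Control-Allow-Methods", "GET, POST");
        response.setHeader("Access-Control-Allow-Headers", "Content-Type");
    }
}
```

Call `CorsAllowlist.applyCorsHeaders(request, response)` early in the servlet (or from a `Filter`) before the body is written. Two design points matter here: the allowlist is compared by exact string equality, because substring or suffix matching on the host part is the usual way an allowlist becomes as permissive as `"*"`; and the method reflects the origin only after validation, since reflecting the `Origin` header unconditionally is equivalent to the wildcard but, unlike `"*"`, is also accepted by browsers together with `Access-Control-Allow-Credentials: true`.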