CORS allowed-origin restrictions aren’t causing the server to reject requests

天命终不由人 2020-11-27 08:43

I am using Spring Boot v1.5.1, and it seems my restriction on CORS origin is not working.

My application.properties file has the following line (ref1 ref2).

3 Answers
  •  一生所求
    2020-11-27 09:07

    However, when I open up a browser and type in http://localhost:8080/api/car I am still able to access the REST endpoint.

    CORS allowed-origins settings don’t cause servers to block requests.

    And because the server isn’t blocking the request, that doesn’t prevent you from opening the URL directly in a browser.

    The same-origin policy is what imposes cross-origin restrictions, and the same-origin policy is only applied to frontend JavaScript in web applications running in a web browser, and using XHR or Fetch or jQuery $.ajax(…) or whatever to make cross-origin requests.

    So CORS isn’t a way to cause servers to block requests. And so it also isn’t a way to prevent users from being able to directly navigate to a URL, and isn’t a way to prevent any non-web-application tools like curl or Postman or whatever from accessing the URL.
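The behaviour described in the answer above, as an added example that is not part of the original answer or of Spring Boot: a small Python WSGI endpoint stands in for `/api/car`, and `browser_exposes_to_script` is a simplified model of the browser-side check for non-credentialed requests. The allowlist, the origins and the response body are constructed for illustration.

```python
from wsgiref.util import setup_testing_defaults

ALLOWED_ORIGINS = {"https://app.example"}  # assumed allowlist (constructed)


def car_api(environ, start_response):
    """Minimal endpoint that applies a CORS allowlist the way a server does."""
    origin = environ.get("HTTP_ORIGIN")  # absent for direct navigation or plain curl
    headers = [("Content-Type", "application/json"), ("Vary", "Origin")]
    if origin in ALLOWED_ORIGINS:
        headers.append(("Access-Control-Allow-Origin", origin))
    # The request is served either way: the allowlist only controls the header above.
    start_response("200 OK", headers)
    return [b'{"car": "constructed sample"}']


def call(app, origin=None):
    """Invoke the app as an HTTP client would; return (status, headers, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = "/api/car"
    if origin is not None:
        environ["HTTP_ORIGIN"] = origin
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def browser_exposes_to_script(page_origin, response_headers):
    """Simplified browser check: may cross-origin JavaScript read this response?"""
    acao = response_headers.get("Access-Control-Allow-Origin")
    return acao == "*" or acao == page_origin


if __name__ == "__main__":
    # Three clients: no Origin (address bar, curl), an allowed page, another page.
    for origin in (None, "https://app.example", "https://other.example"):
        status, headers, body = call(car_api, origin)
        readable = origin is None or browser_exposes_to_script(origin, headers)
        print(f"Origin={origin!r}: server sent {status}, {len(body)} bytes; "
              f"client can read body: {readable}")
```

In all three cases the server returns `200 OK` with the full body; only the script running on a page from `https://other.example` is denied access to it, and that denial happens in the browser.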
