[14:45] If I add "add_header Access-Control-Allow-Origin *;" - in nginx conf, for CORS, this should allow our web app to connect to an API on a third party - correct? I may be missing something basic here [14:59] no [14:59] that means * is allowed to access your api [15:00] patdk-lap: that's what I thought. I need to talk to the third party site we're talking with and have *them add us* - right? [15:01] yes, otherwise any scammer could say, yes, we are allowed to access the banks api's [15:01] patdk-lap: and can you also confirm, the only reason we need to do this is because we're talking to their API 100% via a Vue web app. [15:02] eg. if this was all server-side / on the backend, we wouldn't have to deal with CORS... we're authenticating via an API and doing what's needed [15:02] not sure what a webapp has to do with it [15:02] patdk-lap: eg. web app because it's client-side API calls from domainA.com to domainB.com [15:02] it's cause the browser is asking if the *website it loaded the app from* is allowed to access that api [15:03] if you disabled cors support on your browser, likely what your doing serverside, then yes, it wouldn't matter [15:06] patdk-lap: really appreciate your help here. To repeat back to ensure I understand: We have ourapp.com and we have a Vue.js app talking to anotherapp.com's API. We're getting a CORS error. If we disable CORS in Chrome tools, this all works. I need to talk with the API of anotherapp.com we're trying to talk with and get them to whitelist our domain from ourapp.com. We're getting this error because [15:06] ourapp.com web app which shows in the browser is asking if the API we're trying to talk to at anotherapp.com has allowed us to access their API? [15:07] yes [15:09] patdk-lap: and this is required because it's all client-side, Javascript based. If it was on the backend, would we still have to do this? Maybe this API isn't that developed and they whitelist domains instead of just providing an API key as an additional measure [15:09] well, normally cors is not enabled on backend http libs, but if it was, or if you where using chrome in the backend, yes [15:11] yeah, this is a web API which seems a bit odd. I'm not sure if the dev made a mistake and is doing this incorrectly, or the web API we're connecting to has CORS enabled. Likely, because we're using Chrome with Vue.js - maybe that's requiring this === mdeslaur_ is now known as mdeslaur === NightMonkey_ is now known as NightMonkey