subject:"\[google\-appengine\] Re\: Trying to understand the use for \"Javascript Origins\" when creating a Web Client ID"

[google-appengine] Re: Trying to understand the use for "Javascript Origins" when creating a Web Client ID

2016-02-01 Thread Adam (Cloud Platform Support)

This is all standard CORS stuff and there isn't anything Google-specific going on with respect to the Allowed JavaScript Origins. The browser will set the 'Origin' header to the serving domain, usually in the preflight

[google-appengine] Re: Trying to understand the use for "Javascript Origins" when creating a Web Client ID

2016-01-31 Thread Ben Finkel

Hey Adam, thanks for the reply! So I understand CORS (at least at a high level) and I did read those posts from SO. I suppose my question is where these URLs enter the process. When I make a call to a Google API (say, calendarList.list) I have to pass in the client ID I've created, and Goog

[google-appengine] Re: Trying to understand the use for "Javascript Origins" when creating a Web Client ID

2016-01-30 Thread Adam (Cloud Platform Support)

The browser is in charge of setting the 'Origin' header and this would never be set to 'localhost' unless your browser is talking to the local machine. But you are right about the spoofing part in that malicious code outside the browser could technically set the origin to anything it wants. The