> The only thing blocked would be client side fetch.
Exactly what I need. My API is public I just don’t want someone other than my own website to consume it. Is it that hard to understand?
> The only thing blocked would be client side fetch.
Exactly what I need. My API is public I just don’t want someone other than my own website to consume it. Is it that hard to understand?
That’s… not what cors does? CORS will only block browser-mediated “non-simple” requests, they don’t prevent other systems from accessing it as long as they don’t use a browser (or disable CORS in a headless browser).
I'm pretty sure they understand that since they wrote that the resources will need to be proxied.
They just want to prevent hotlinking/leeching.
SOP does not prevent hotlinking in the first place, a hotlink is simple request (the most simple if anything), CORS isn’t going to be in the path at all.