Let me tell you why I think this subject is a very important one…
In order to retrieve data in a website we have two options:
- to make requests to the same FQDN
- to make requests to a different FQDN (subdomains are also included here)
The second option is the CORS subject, and it involves a greater number of security settings, such as CSP headers, FP headers, and Access-Control headers with preflight requests, and therefore a much longer response time. It is also much more difficult to protect against unwanted XSS on the backend. So, I think of this second scenario as a last-resort option.
Now, to be able to use the first scenario we need to be able to isolate a number of routes, like admin-panel-related routes, API routes, GraphQL, documentation and, generally speaking, all the plugin-related routes. If we can’t isolate those routes we can’t apply any access control rules on the downstream server.
From what I’ve seen, plugins are easy to isolate because they have a correct and unique prefix. The problem occurs with the API and the dashboard. Therefore those URLs in server.js MUST both be used … and should work correctly. Initially I tried to add both URLs, but after seeing that it didn’t work I told myself to try one step at a time.
Apart from that, I also noticed that if I run npm run start, when I access example.com/ that DEVELOPMENT label does not become PRODUCTION, in the console too.
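To make the route-isolation point concrete, here is an added example (not Strapi's code and not the poster's) of the kind of per-prefix access-control gate a reverse proxy or edge middleware can only apply once the admin panel, the API, GraphQL and the documentation live under distinct prefixes. The prefixes, CIDR ranges and the sample requests are assumptions constructed for the illustration; it also shows why the check has to run on a normalized path, and includes a small helper that flags the exact failure the post describes (two route groups sharing one prefix, so no downstream rule can tell them apart).

```javascript
// Added illustration: prefix-based access control for a Node/Strapi-style app
// sitting behind a reverse proxy. Prefixes, CIDRs and sample requests are
// assumptions for the example, not the project's real configuration.

// Longest matching prefix wins. Matching is segment-aware, so "/api" covers
// "/api/articles" but not "/apikeys".
const POLICY = [
  { name: "admin",   prefix: "/admin",         allowCidrs: ["10.0.0.0/8"], requireAuth: true  },
  { name: "api",     prefix: "/api",           allowCidrs: ["0.0.0.0/0"],  requireAuth: true  },
  { name: "graphql", prefix: "/graphql",       allowCidrs: ["0.0.0.0/0"],  requireAuth: true  },
  { name: "docs",    prefix: "/documentation", allowCidrs: ["10.0.0.0/8"], requireAuth: false },
  { name: "public",  prefix: "/",              allowCidrs: ["0.0.0.0/0"],  requireAuth: false },
];

function ipv4ToInt(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error(`not an IPv4 address: ${ip}`);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

function inCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) throw new Error(`bad CIDR: ${cidr}`);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return (ipv4ToInt(ip) & mask) === (ipv4ToInt(base) & mask);
}

// Decode once and resolve "." / ".." / duplicate slashes, so that
// "/admin/../api/x" or "/%61dmin" cannot slip past a naive startsWith().
// Expects the path component only (no query string). Returns null when the
// percent-encoding is malformed, which the caller treats as a deny.
function normalizePath(rawPath) {
  let decoded;
  try { decoded = decodeURIComponent(rawPath); } catch { return null; }
  const out = [];
  for (const seg of decoded.split("/")) {
    if (seg === "" || seg === ".") continue;   // "//" and leading slash
    if (seg === "..") { out.pop(); continue; } // never rises above "/"
    out.push(seg);
  }
  return "/" + out.join("/");
}

function matchRule(normPath, policy = POLICY) {
  let best = null;
  for (const rule of policy) {
    const p = rule.prefix;
    const hit = p === "/" || normPath === p || normPath.startsWith(p + "/");
    if (hit && (best === null || p.length > best.prefix.length)) best = rule;
  }
  return best;
}

// req = { path, ip, authenticated }; returns { allow, rule, reason }.
function decide(req, policy = POLICY) {
  const normPath = normalizePath(req.path);
  if (normPath === null) return { allow: false, rule: null, reason: "malformed path" };
  const rule = matchRule(normPath, policy);
  if (!rule) return { allow: false, rule: null, reason: "no matching rule" };
  if (!rule.allowCidrs.some((c) => inCidr(req.ip, c))) {
    return { allow: false, rule: rule.name, reason: "source not allowed" };
  }
  if (rule.requireAuth && !req.authenticated) {
    return { allow: false, rule: rule.name, reason: "authentication required" };
  }
  return { allow: true, rule: rule.name, reason: "ok" };
}

// The problem from the post in one check: route groups that share a prefix
// (e.g. dashboard and API both at "/") cannot be separated downstream.
function prefixCollisions(policy) {
  const seen = new Map();
  const collisions = [];
  for (const r of policy) {
    if (seen.has(r.prefix)) collisions.push([seen.get(r.prefix), r.name]);
    else seen.set(r.prefix, r.name);
  }
  return collisions;
}

// Constructed sample requests (not real traffic).
const SAMPLE_REQUESTS = [
  { path: "/admin/users",             ip: "10.1.2.3",    authenticated: true  },
  { path: "/admin/users",             ip: "203.0.113.5", authenticated: true  },
  { path: "/admin/../api/articles",   ip: "203.0.113.5", authenticated: false },
  { path: "/%61dmin/settings",        ip: "203.0.113.5", authenticated: true  },
  { path: "/apikeys",                 ip: "203.0.113.5", authenticated: false },
  { path: "/documentation",           ip: "10.9.9.9",    authenticated: false },
  { path: "/%zz",                     ip: "10.0.0.1",    authenticated: true  },
];

for (const r of SAMPLE_REQUESTS) console.log(r.path, JSON.stringify(decide(r)));
console.log("collisions:", prefixCollisions([{ name: "admin", prefix: "/" }, { name: "api", prefix: "/" }]));
```

Run it with `node` to see each sample decision; the second-to-last request shows the traversal and encoding cases being caught by normalization before the prefix lookup, and the final line shows the collision report that comes back non-empty as soon as two groups claim the same prefix.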