Suppose I have an app at www.example.com (a)
If my resource is at www.someotherdomain.com (b) and I make an AJAX call from (a) to (b) then CORS rules would apply.
However if my resource is located at api.example.com (c) then one would expect to avoid CORS when making an AJAX request from (a) to (c) - however, I have found this not to be the case.
CORS rules still apply when making requests across subdomains - is this true?
Is there away around this rule (without using JSONP)?
I cant imagine that all requests made between www.amazon.com and resource.amazon.com, for instance, are always CORS requests. Managing the headers and preflight request/response seems tedious & costly at scale.
Anything Im missing here?
CORS is for a single set of protocol:domain:port, or null, or *. See https://www.w3.org/TR/cors/#access-control-allow-origin-response-header.
So the answer to your question is, Yes, CORS rules will still apply to your subdomains.