How to deny a CORS request

When an Access-Control-Allow-Origin HTTP header is missing in the response to a CORS (cross-origin resource sharing) preflight, does it mean:

The server does not support CORS? Or,
The server denies the access?

If the server does not support CORS, it seems obvious that the header will be missing.

But if it does support CORS, does it mean the access is denied?

And conversely, what should a server which implements CORS do to announce to the client that the access is denied because of CORS? Should it respond with a status like 403 Forbidden?

Every source I found explains which headers are added to allow a cross-domain access but does not explain what to do to deny an access.

** Edit: wrongly asked question, my bad, see explanation below**

The focus of my question seems off-topic compared to what I expected. Indeed an answer is focused on the server configuration but what was interesting to me was the protocol over HTTP.

To be more accurate, I came up with the question because I tried to access a server with a cross request and :

The server was not including the CORS headers while my XMLHttpRequest was including them
the browser did accept cross requests done by an swf media
I checked the referrer of the media and its an iframe was indeed different than the target of the requests
I did not even know if the server implemented CORS or not
I do not own the server

My low level of comprehension of CORS inside HTTP and the fact a kind of cross requests were accepted, lead me to wonder if the server was rejecting my requests and what I was doing wrong.

I shall post an answer since I believe I solved it since then.

http

Link-akro

Posted 2016-01-26T09:14:54.450

Reputation: 63

Answers

Cross domain access is denied by default, while it is considered security risk. To deny access you need to remove configuration which allows cross domain calls.

Fresh install of web server do not allow CORS out of the box, at least for IIS, which I have used recently.

Check how to (un)configure different web servers to (deny)allow CORS: http://enable-cors.org/server.html

mimo

Posted 2016-01-26T09:14:54.450

Reputation: 166

Please quote the essential parts of the answer from the reference link(s), as the answer can become invalid if the linked page(s) change. – DavidPostill – 2016-02-15T23:42:30.887

The answer doesn't contain any specific configuration from referenced link, therefore it does not depemend on the page content. – mimo – 2016-02-17T14:33:24.293

This answer solves the original question and a little more about servers so i keep it checked as solution even though the question were updated to state its inconsistency toward the idea behind it in the author's (my) head. – Link-akro – 2016-02-24T22:01:45.850

As @mimo said,

Cross domain access is denied by default

then there is nothing to do to disable CORS. It answers the original question well.

As the edit explains, i was confused partly because a SWF object somewhere was doing cross domain while XMLHttpRequest from this same domain were rejected. Solution : SWF is not bound to XHR policies (SOP (same origin) or CORS). That means there was no problem at all in the experiment which made me come ask the question : the server did not implemented CORS and the media on the page was not using it either while XHR was using CORS and was failing.

Link-akro

Posted 2016-01-26T09:14:54.450

Reputation: 63