Setting it to * will prevent the browser from including credentials in the request (cookies). Dynamically setting it to the origin of the requesting client effectively does the same but also allows for using credentials.
data0
joined 1 year ago
The Access-Control-Allow-Origin is meant to be set on the server side and is part of a mechanism called CORS. MDN has a good guide on CORS (It might seem too long and complex to read if you just want to access some data on an API, but knowing how it works is essential if you plan to work with HTTP-based APIs.)
In short, lemmy.ml (and probably most other Lemmy instances) doesn't seem to allow API access from within a browser. You'll have to build a Node.js proxy (with lemmy-js-client) and use that to connect the browser to.
What are the exact attack vectors you're thinking of?