Commit 3234b41e authored by Jakob Moser

Write about client side processing

parent 70c73419
+9 −1
@@ -177,7 +177,15 @@ This is why we have chosen a more convoluted-looking directory structure instead

### Couldn't we have done this entirely on the client?

<!-- TODO: CORS, maybe link LiveOverflow -->
You might have noticed that we just asserted we had to make the requests to the Fachschaft services using server side code. However, isn't it possible to send requests in plain, client-side JavaScript? After all, we need to send a request to the API. So couldn't we have implemented the status website as entirely static, with only client-side code?

Yes, almost. 

The problem is that due to the Same-Origin-Policy, client-side JavaScript cannot access responses to requests it sends to different origins (i.e. websites). So the browser will not permit JavaScript running under https://status.fsco.li to get responses from e.g. https://fachschaft.cl.uni-heidelberg.de.

Why does this policy exist? Good question. The main reason is to protect against a security hole that is only there for historical reasons (but it is there). The policy could have been avoided if the web was designed differently, but sadly it wasn't, so we have to deal with that.

* [The Same Origin Policy - Hacker History (video)](https://www.youtube.com/watch?v=bSJm8-zJTzQ)

## License
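Review bot: the `<!-- TODO: CORS, maybe link LiveOverflow -->` placeholder ships with the added text, and the "Yes, almost." answer never states what the "almost" is. The Same-Origin Policy only blocks reading cross-origin responses by default; a server can opt in by sending a CORS response header such as `Access-Control-Allow-Origin: https://status.fsco.li`, and only the operators of the Fachschaft services can add that. Suggest replacing the TODO with a sentence to that effect, since it is the actual reason the requests have to go through server-side code rather than a purely static site. Also tighten "different origins (i.e. websites)": an origin is the combination of scheme, host and port, so two pages on the same host but different ports are still different origins. Minor: "Yes, almost. " has trailing whitespace, and "Same-Origin-Policy" is more commonly written "Same-Origin Policy", matching the title of the linked video.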