Cross-origin resource sharing explained

Cross-origin resource sharing (CORS) is a mechanism that allows a web page to access restricted resources from a server on a domain different than the domain that served the web page.

A web page may freely embed cross-origin images, stylesheets, scripts, iframes, and videos. Certain "cross-domain" requests, notably Ajax requests, are forbidden by default by the same-origin security policy. CORS defines a way in which a browser and server can interact to determine whether it is safe to allow the cross-origin request.[1] It allows for more freedom and functionality than purely same-origin requests, but is more secure than simply allowing all cross-origin requests.

The specification for CORS is included as part of the WHATWG's Fetch Living Standard.[2] This specification describes how CORS is currently implemented in browsers.[3] An earlier specification was published as a W3C Recommendation.[4]

Technical overview

For HTTP requests made from JavaScript that can't be made by using a <form> tag pointing to another domain or containing non-safelisted headers, the specification mandates that browsers "preflight" the request, soliciting supported methods from the server with an HTTP OPTIONS request method, and then, upon "approval" from the server, sending the actual request with the actual HTTP request method. Servers can also notify clients whether "credentials" (including Cookies and HTTP Authentication data) should be sent with requests.[5]

Simple request example

Suppose a user visits http://www.example.com and the page attempts a cross-origin request to fetch data from http://service.example.com. A CORS-compatible browser will attempt to make a cross-origin request to service.example.com as follows.

  1. The browser sends the GET request with an extra Origin HTTP header to service.example.com containing the domain that served the parent page:
<nowiki>Origin: http://www.example.com</nowiki>
  1. The server at service.example.com sends one of these three responses:
    • The requested data along with an Access-Control-Allow-Origin (ACAO) header in its response indicating the requests from the origin are allowed. For example in this case it should be:
<nowiki>Access-Control-Allow-Origin: http://www.example.com</nowiki>
    • The requested data along with an Access-Control-Allow-Origin (ACAO) header with a wildcard indicating that the requests from all domains are allowed:
Access-Control-Allow-Origin: *
    • An error page if the server does not allow a cross-origin request[6]

A wildcard same-origin policy is appropriate when a page or API response is intended to be accessible to any code on any site. A freely available web font on a public hosting service like Google Fonts is an example.

A wildcard same-origin policy is also widely and appropriately used in the object-capability model, where pages have unguessable URLs and are meant to be accessible to anyone who knows the secret.

The value of "*" is special in that it does not allow requests to supply credentials, meaning that it does not allow HTTP authentication, client-side SSL certificates, or cookies to be sent in the cross-domain request.[7]

Note that in the CORS architecture, the Access-Control-Allow-Origin header is being set by the external web service (service.example.com), not the original web application server (www.example.com). Here, service.example.com uses CORS to permit the browser to authorize www.example.com to make requests to service.example.com.

If a site specifies the header "Access-Control-Allow-Credentials:true", third-party sites may be able to carry out privileged actions and retrieve sensitive information.

Preflight example

When performing certain types of cross-domain Ajax requests, modern browsers that support CORS will initiate an extra "preflight" request to determine whether they have permission to perform the action. Cross-origin requests are preflighted this way because they may have implications to user data.

OPTIONS /
Host: service.example.com
Origin: http://www.example.com
Access-Control-Request-Method: PUT

If service.example.com is willing to accept the action, it may respond with the following headers:

Access-Control-Allow-Origin: http://www.example.com
Access-Control-Allow-Methods: PUT

The browser will then make the actual request. If service.example.com does not accept cross-site requests from this origin then it will respond with error to the OPTIONS request and the browser will not make the actual request.

Headers

The HTTP headers that relate to CORS are:

Request headers

Response headers

Browser support

CORS is supported by all browsers based on the following layout engines:

History

Cross-origin support was originally proposed by Matt Oshry, Brad Porter, and Michael Bodell of Tellme Networks in March 2004 for inclusion in VoiceXML 2.1[19] to allow safe cross-origin data requests by VoiceXML browsers. The mechanism was deemed general in nature and not specific to VoiceXML and was subsequently separated into an implementation NOTE.[20] The WebApps Working Group of the W3C with participation from the major browser vendors began to formalize the NOTE into a W3C Working Draft on track toward formal W3C Recommendation status.

In May 2006 the first W3C Working Draft was submitted.[21] In March 2009 the draft was renamed to "Cross-Origin Resource Sharing"[22] and in January 2014 it was accepted as a W3C Recommendation.[23]

CORS vs JSONP

CORS can be used as a modern alternative to the JSONP pattern. The benefits of CORS are:

The main advantage of JSONP was its ability to work on legacy browsers which predate CORS support (Opera Mini and Internet Explorer 9 and earlier). CORS is now supported by most modern web browsers.[24]

See also

External links

Notes and References

  1. Web site: Cross-domain Ajax with Cross-Origin Resource Sharing . 25 May 2010 . NCZOnline . 2012-07-05.
  2. Web site: Fetch Living Standard.
  3. Web site: WebAppSec Working Group Minutes.
  4. Web site: Cross-Origin Resource Sharing.
  5. Web site: Cross-Origin Resource Sharing (CORS) - HTTP MDN . developer.mozilla.org . 7 June 2023 . 10 May 2023.
  6. Web site: 2023-05-10 . CORS errors - HTTP MDN . 2023-07-04 . developer.mozilla.org . en-US.
  7. https://fetch.spec.whatwg.org/#cors-protocol-and-credentials
  8. Web site: Blink . April 2013 . QuirksBlog . 4 April 2013.
  9. News: Google going its own way, forking WebKit rendering engine . Ars Technica . April 2013 . 4 April 2013.
  10. Web site: HTTP access control (CORS) - MDN . Developer.mozilla.org . 2012-07-05 . https://web.archive.org/web/20100527153021/https://developer.mozilla.org/En/HTTP_access_control . 2010-05-27 . dead .
  11. Web site: Gecko - MDN . Developer.mozilla.org . 2012-06-08 . 2012-07-05 . 2012-08-03 . https://web.archive.org/web/20120803092112/https://developer.mozilla.org/en/Gecko . dead .
  12. Web site: Tony Ross . Program Manager . Internet Explorer . CORS for XHR in IE10 . MSDN . 2012-02-09 . 2012-12-14.
  13. Web site: cross-site xmlhttprequest with CORS . MOZILLA . 2012-09-05.
  14. Web site: David Honneffer, Documentation Specialist . 12.00 for UNIX Changelog . Opera . 2012-06-14 . 2012-07-05 . https://web.archive.org/web/20120618170555/http://www.opera.com/docs/changelogs/unix/1200/ . 2012-06-18 . dead .
  15. Web site: David Honneffer, Documentation Specialist . Opera Software: Web specifications support in Opera Presto 2.10 . Opera.com . 2012-04-23 . 2012-07-05.
  16. Web site: on July 6, 2009 by Arun Ranganathan . cross-site xmlhttprequest with CORS ✩ Mozilla Hacks – the Web developer blog . Hacks.mozilla.org . 2009-07-06 . 2012-07-05.
  17. Web site: 59940: Apple Safari WebKit Cross-Origin Resource Sharing Bypass . https://archive.today/20120719142244/http://osvdb.org/59940 . dead . 2012-07-19 . Osvdb.org . 2012-07-05 .
  18. Web site: Microsoft Edge deverloper's guide. 21 December 2023 .
  19. Web site: Voice Extensible Markup Language (VoiceXML) 2.1 . W3.org . 2004-03-23 . 2012-07-05.
  20. Web site: Authorizing Read Access to XML Content Using the Processing Instruction 1.0 . W3.org . 2012-07-05.
  21. Web site: Authorizing Read Access to XML Content Using the Processing Instruction 1.0 W3C - Working Draft 17 May 2006. W3.org. 17 August 2015.
  22. Web site: Cross-Origin Resource Sharing - W3C Working Draft 17 March 2009. W3.org. 17 August 2015.
  23. Web site: Cross-Origin Resource Sharing - W3C Recommendation 16 January 2014. W3.org. 17 August 2015.
  24. Web site: When can I use... Cross Origin Resource Sharing . caniuse.com . 2012-07-12.