HOME

TheInfoList



Click Here for Items Related To - Cross-Origin Resource Sharing
OR:
Cross-Origin Resource Sharing on:   [Wikipedia]   [Google]   [Amazon]

Cross-origin resource sharing (CORS) is a mechanism that allows restricted
resources Resource refers to all the materials available in our environment which are technologically accessible, economically feasible and culturally sustainable and help us to satisfy our needs and wants. Resources can broadly be classified upon their ...
on a web page to be requested from another
domain Domain may refer to: Mathematics *Domain of a function, the set of input values for which the (total) function is defined ** Domain of definition of a partial function **Natural domain of a partial function **Domain of holomorphy of a function *Do ...
outside the domain from which the first resource was served. A web page may freely embed cross-origin images, stylesheets, scripts,
iframes An HTML element is a type of HTML (HyperText Markup Language) document component, one of several types of HTML nodes (there are also text nodes, comment nodes and others). The first used version of HTML was written by Tim Berners-Lee in 1993 ...
, and videos. Certain "cross-domain" requests, notably
Ajax Ajax may refer to: Greek mythology and tragedy * Ajax the Great, a Greek mythological hero, son of King Telamon and Periboea * Ajax the Lesser, a Greek mythological hero, son of Oileus, the king of Locris * ''Ajax'' (play), by the ancient Gree ...
requests, are forbidden by default by the same-origin security policy. CORS defines a way in which a browser and server can interact to determine whether it is safe to allow the cross-origin request. It allows for more freedom and functionality than purely same-origin requests, but is more secure than simply allowing all cross-origin requests. The specification for CORS is included as part of the
WHATWG The Web Hypertext Application Technology Working Group (WHATWG) is a community of people interested in evolving HTML and related technologies. The WHATWG was founded by individuals from Apple Inc., the Mozilla Foundation and Opera Software, ...
's Fetch Living Standard. This specification describes how CORS is currently implemented in browsers. An earlier specification was published as a W3C Recommendation.


Technical overview

For Ajax and HTTP request methods that can modify data (usually HTTP methods other than GET, or for POST usage with certain
MIME Multipurpose Internet Mail Extensions (MIME) is an Internet standard that extends the format of email messages to support text in character sets other than ASCII, as well as attachments of audio, video, images, and application programs. Messa ...
types), the specification mandates that browsers "preflight" the request, soliciting supported methods from the server with an HTTP OPTIONS request method, and then, upon "approval" from the server, sending the actual request with the actual HTTP request method. Servers can also notify clients whether "credentials" (including Cookies and HTTP Authentication data) should be sent with requests.


Simple example

Suppose a user visits http://www.example.com and the page attempts a cross-origin request to fetch the user's data from http://service.example.com. A CORS-compatible browser will attempt to make a cross-origin request to service.example.com as follows. # The browser sends the GET request with an extra Origin HTTP header to service.example.com containing the domain that served the parent page:
Origin: http://www.example.com
# The server at service.example.com sends one of these three responses: #* The requested data along with an Access-Control-Allow-Origin (ACAO) header in its response indicating the requests from the origin are allowed. For example in this case it should be: 
Access-Control-Allow-Origin: http://www.example.com
#* The requested data along with an Access-Control-Allow-Origin (ACAO) header with a wildcard indicating that the requests from all domains are allowed: 
Access-Control-Allow-Origin: *
#* An error page if the server does not allow a cross-origin request A wildcard same-origin policy is appropriate when a page or API response is considered completely public content and it is intended to be accessible to everyone, including any code on any site. A freely available web font on a public hosting service like
Google Fonts Google Fonts (formerly known as Google Web Fonts) is a computer font and web font service owned by Google. This includes free and open source font families, an interactive web directory for browsing the library, and APIs for using the fonts via ...
is an example. A wildcard same-origin policy is also widely and appropriately used in the
object-capability model The object-capability model is a computer security model. A capability describes a transferable right to perform one (or more) operations on a given object. It can be obtained by the following combination: :* An unforgeable reference (in the sens ...
, where pages have unguessable URLs and are meant to be accessible to anyone who knows the secret. The value of "*" is special in that it does not allow requests to supply credentials, meaning that it does not allow HTTP authentication, client-side SSL certificates, or cookies to be sent in the cross-domain request. Note that in the CORS architecture, the Access-Control-Allow-Origin header is being set by the external web service (''service.example.com''), not the original web application server (''www.example.com''). Here, ''service.example.com'' uses CORS to permit the browser to authorize ''www.example.com'' to make requests to ''service.example.com''. If a site specifies the header "Access-Control-Allow-Credentials:true", third-party sites may be able to carry out privileged actions and retrieve sensitive information. Even if it does not, attackers may be able to bypass any IP-based access controls by proxying through users' browsers.


Preflight example

When performing certain types of cross-domain Ajax requests, modern browsers that support CORS will initiate an extra "preflight" request to determine whether they have permission to perform the action. Cross-origin requests are preflighted this way because they may have implications to user data. 
OPTIONS /
Host: service.example.com
Origin: http://www.example.com
Access-Control-Request-Method: PUT
If service.example.com is willing to accept the action, it may respond with the following headers: 
Access-Control-Allow-Origin: http://www.example.com
Access-Control-Allow-Methods: PUT
The browser will then make the actual request. If service.example.com does not accept cross-site requests from this origin then it will respond with error to the OPTIONS request and the browser will not make the actual request.


Headers

The HTTP headers that relate to CORS are:


Request headers

*Origin *Access-Control-Request-Method *Access-Control-Request-Headers


Response headers

*Access-Control-Allow-Origin *Access-Control-Allow-Credentials *Access-Control-Expose-Headers *Access-Control-Max-Age *Access-Control-Allow-Methods *Access-Control-Allow-Headers


Browser support

CORS is supported by all browsers based on the following layout engines: * Blink- and
Chromium Chromium is a chemical element with the symbol Cr and atomic number 24. It is the first element in group 6. It is a steely-grey, lustrous, hard, and brittle transition metal. Chromium metal is valued for its high corrosion resistance and h ...
-based browsers (
Chrome Chrome may refer to: Materials * Chrome plating, a process of surfacing with chromium * Chrome alum, a chemical used in mordanting and photographic film Computing * Google Chrome, a web browser developed by Google ** ChromeOS, a Google Chrome- ...
28+,
Opera Opera is a form of theatre in which music is a fundamental component and dramatic roles are taken by singers. Such a "work" (the literal translation of the Italian word "opera") is typically a collaboration between a composer and a libre ...
15+, Amazon Silk,
Android Android may refer to: Science and technology * Android (robot), a humanoid robot or synthetic organism designed to imitate a human * Android (operating system), Google's mobile operating system ** Bugdroid, a Google mascot sometimes referred to ...
's 4.4+ WebView and Qt's WebEngine) *
Gecko Geckos are small, mostly carnivorous lizards that have a wide distribution, found on every continent except Antarctica. Belonging to the infraorder Gekkota, geckos are found in warm climates throughout the world. They range from . Geckos ar ...
1.9.1 (Firefox 3.5, SeaMonkey 2.0) and above. * MSHTML/Trident 6.0 (Internet Explorer 10) has native support. MSHTML/Trident 4.0 & 5.0 (Internet Explorer 8 & 9) provide partial support via the XDomainRequest object. *
Presto Presto may refer to: Computing * Presto (browser engine), an engine previously used in the Opera web browser * Presto (operating system), a Linux-based OS by Xandros * Presto (SQL query engine), a distributed query engine * Presto (animation s ...
-based browsers (Opera) implement CORS as of
Opera Opera is a form of theatre in which music is a fundamental component and dramatic roles are taken by singers. Such a "work" (the literal translation of the Italian word "opera") is typically a collaboration between a composer and a libre ...
12.00 and
Opera Mobile Opera Mobile is a mobile web browser for smartphones, tablets and PDAs developed by Opera. History The first devices to run a mobile edition of Opera were the Psion Series 5, Psion Series 5mx, Psion Series 7, and then Psion netBook. They ...
12, but not Opera Mini. *
WebKit WebKit is a browser engine developed by Apple and primarily used in its Safari web browser, as well as on the iOS and iPadOS version of any web browser. WebKit is also used by the BlackBerry Browser, PlayStation consoles beginning from the ...
(Initial revision uncertain, Safari 4 and above, Google Chrome 3 and above, possibly earlier). *
Microsoft Edge Microsoft Edge is a proprietary, cross-platform web browser created by Microsoft. It was first released in 2015 as part of Windows 10 and Xbox One and later ported to other platforms as a fork of Google's Chromium open-source project: Android ...
All versions.


History

Cross-origin support was originally proposed by Matt Oshry, Brad Porter, and Michael Bodell of Tellme Networks in March 2004 for inclusion in VoiceXML 2.1 to allow safe cross-origin data requests by VoiceXML browsers. The mechanism was deemed general in nature and not specific to VoiceXML and was subsequently separated into an implementation NOTE. The WebApps Working Group of the W3C with participation from the major browser vendors began to formalize the NOTE into a
W3C Working Draft The World Wide Web Consortium (W3C) is the main international standards organization for the World Wide Web. Founded in 1994 and led by Tim Berners-Lee, the consortium is made up of member organizations that maintain full-time staff working to ...
on track toward formal
W3C Recommendation The World Wide Web Consortium (W3C) is the main international standards organization for the World Wide Web. Founded in 1994 and led by Tim Berners-Lee, the consortium is made up of member organizations that maintain full-time staff working ...
status. In May 2006 the first W3C Working Draft was submitted. In March 2009 the draft was renamed to "Cross-Origin Resource Sharing" and in January 2014 it was accepted as a W3C Recommendation.


CORS vs JSONP

CORS can be used as a modern alternative to the JSONP pattern. The benefits of CORS are: * While JSONP supports only the GET request method, CORS also supports other types of HTTP requests. * CORS enables a web programmer to use regular XMLHttpRequest, which supports better error handling than JSONP. * While JSONP can cause cross-site scripting (XSS) issues when the external site is compromised, CORS allows websites to manually parse responses to increase security. The main advantage of JSONP was its ability to work on legacy browsers which predate CORS support ( Opera Mini and
Internet Explorer 9 Internet Explorer 9 or IE9 (officially Windows Internet Explorer 9) is a web browser for Windows. It was released by Microsoft on March 14, 2011, as the ninth version of Internet Explorer and the successor to Internet Explorer 8, and can replace p ...
and earlier). CORS is now supported by most modern web browsers.


See also

*
Content Security Policy Content Security Policy (CSP) is a computer security standard introduced to prevent cross-site scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context. It is a C ...
*
Cross-document messaging Web Messaging or cross-document messaging, is an API introduced in the WHATWG HTML5 draft specification, allowing documents to communicate with one another across different origins, or source domains while rendered in a web browser. Prior to HTML5, ...


References


External links


Fetch Living Standard
(the current specification for CORS)
MDN ''HTTP access control (CORS)'' article

Setting CORS on Apache with correct response headers allowing everything through


* ttp://www.html5rocks.com/en/tutorials/cors/ ''HTML5 Rocks'' explains how CORS works in detail
W3C ''CORS for Developers'' guide

How to disable CORS on WebKit-based browsers for maximum security and privacy

Online CORS misconfiguration scanner
{{Webarchive, url=https://web.archive.org/web/20200810161738/https://helpertools.app/web-security/view/cors-scanner , date=2020-08-10 Ajax (programming) World Wide Web Consortium standards