Cross-origin resource sharing

from Wikipedia, the free encyclopedia

Cross-Origin Resource Sharing (CORS) is a mechanism that enables web browsers or other web clients to make cross-origin requests. Access of this kind is normally prohibited by the same-origin policy (SOP). CORS is a compromise that allows greater flexibility on the Internet while keeping security as high as possible.

Functionality

The restrictions imposed by the SOP can be lifted for certain clients by the server that receives the request.

For a request from a script on a website, e.g. http://foo.example, to a server in a different domain, e.g. http://bar.example, to succeed, the referenced server must allow the access through the appropriate HTTP header in its response. If bar.example sends the Access-Control-Allow-Origin header listed below, it allows foo.example to access the resources stored on bar.example. A cross-origin request can then be carried out successfully. Access to other servers still fails because of the SOP.

HTTP header set by the server bar.example (example):

Access-Control-Allow-Origin: http://foo.example

Additional Access-Control-* headers can further restrict the access behavior and thus increase security, protecting the server from unauthorized requests.

CORS resource that can only be reached via the HTTP GET method:

Access-Control-Allow-Methods: GET
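
The header exchange described in this section, as an added example that is not part of the original article: bar.example answers with the two headers shown above only for an exactly matching origin, and a simplified model of the browser's check decides whether the calling script may read the response. The function names, the Vary header, the 405 status and the two extra origins are assumptions made for the illustration.

```javascript
// Added example with constructed values; not code from the original article.
const ALLOWED_ORIGINS = new Set(["http://foo.example"]); // exact origins only
const ALLOWED_METHODS = ["GET"];

// Server side (bar.example): build status and CORS headers for one request.
function respond(method, requestOrigin) {
  const headers = { Vary: "Origin" }; // the response depends on the Origin header
  // Exact match against the allowlist. A prefix or substring test would
  // also accept look-alike origins such as http://foo.example.other.test.
  if (typeof requestOrigin === "string" && ALLOWED_ORIGINS.has(requestOrigin)) {
    headers["Access-Control-Allow-Origin"] = requestOrigin;
    headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
  }
  // Enforce the method on the server too; CORS headers only instruct the browser.
  const status = ALLOWED_METHODS.includes(method) ? 200 : 405;
  return { status, headers };
}

// Browser side (simplified model): may a script on pageOrigin read the response?
function browserAllowsRead(pageOrigin, targetOrigin, response) {
  if (pageOrigin === targetOrigin) return true; // same origin, SOP satisfied
  const allowed = response.headers["Access-Control-Allow-Origin"];
  return allowed === "*" || allowed === pageOrigin;
}

// Constructed requests: the permitted site, a look-alike, and an unrelated site.
function demo() {
  const target = "http://bar.example";
  const pages = [
    "http://foo.example",
    "http://foo.example.other.test",
    "http://baz.example",
  ];
  return pages.map((origin) =>
    browserAllowsRead(origin, target, respond("GET", origin)));
}

console.log(demo());
```

Only the first constructed page origin is allowed to read the response; the other two receive no Access-Control-Allow-Origin header and remain blocked by the SOP.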

Browser support

CORS is supported by the following rendering engines:

CORS vs. JSONP

CORS can be used as an alternative to JSONP. While JSONP only supports GET requests, CORS also supports other HTTP request methods. With CORS, web developers can use normal XMLHttpRequests or the JavaScript Fetch API, which offer better error handling than JSONP. On the other hand, JSONP is also supported by browsers that do not have CORS support.
