CORS

From IndieWeb


CORS is an acronym for "cross-origin resource sharing", a mechanism by which a server tells the browser which other origins may read its responses, so that JavaScript on one site can fetch resources from another domain despite the browser's same-origin policy.

How

The browser adds an Origin header to cross-origin requests, and the server answers with Access-Control-Allow-Origin (plus Access-Control-Allow-Credentials, Access-Control-Allow-Methods and related headers) to say whether that origin may read the response. For requests that are not "simple" (e.g. a PUT, or a custom request header) the browser first sends an OPTIONS preflight and only issues the real request if the preflight answer allows it. See eg. Wikipedia and Mozilla Developer Network for more information.
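As an added worked example (not code from the IndieWeb wiki): a minimal CORS policy for a Node.js HTTP server that checks the Origin header against an allowlist, echoes the exact matching origin rather than "*", sets Vary: Origin, and answers preflight OPTIONS requests. The allowed origins, methods, headers, port and JSON payload are assumptions made for the example.

```javascript
// Added example, not code from the IndieWeb page: a minimal CORS policy for a
// Node.js HTTP server. The origin allowlist, port and payload are assumptions.

// Only these origins may read responses cross-origin. Compare the full origin
// string (scheme + host + port); never use startsWith/endsWith matching.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://reader.example.net",
]);
const ALLOWED_METHODS = ["GET", "POST"];
const ALLOWED_REQUEST_HEADERS = ["content-type"];

// Compute the CORS response headers for one request. Returns {} when the
// request carries no Origin header (same-origin or non-browser client) or the
// origin is not allowed; without these headers the browser refuses to let
// the calling page read the response.
function corsHeaders(reqHeaders, method) {
  const origin = reqHeaders["origin"];
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return {};

  const headers = {
    // Echo the one allowed origin that matched, never "*" ...
    "Access-Control-Allow-Origin": origin,
    // ... and mark the response as varying by Origin so shared caches do not
    // serve one origin's headers to another.
    "Vary": "Origin",
  };

  if (method === "OPTIONS") {
    // Preflight: the browser asks whether the real request's method and
    // headers are acceptable before sending it.
    const wantMethod = reqHeaders["access-control-request-method"];
    if (!wantMethod || !ALLOWED_METHODS.includes(wantMethod.toUpperCase())) return {};
    const wantHeaders = (reqHeaders["access-control-request-headers"] || "")
      .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
    if (!wantHeaders.every((h) => ALLOWED_REQUEST_HEADERS.includes(h))) return {};
    headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
    headers["Access-Control-Allow-Headers"] = ALLOWED_REQUEST_HEADERS.join(", ");
    headers["Access-Control-Max-Age"] = "600"; // seconds the browser may cache this answer
  }
  return headers;
}

// Request handler in Node's (req, res) shape; Node lowercases req.headers keys.
function handle(req, res) {
  const cors = corsHeaders(req.headers, req.method);
  if (req.method === "OPTIONS") {
    // A preflight that yields no CORS headers is refused; the browser then
    // fails the fetch without ever sending the real request.
    res.writeHead(Object.keys(cors).length ? 204 : 403, cors);
    res.end();
    return;
  }
  res.writeHead(200, { "Content-Type": "application/json", ...cors });
  res.end(JSON.stringify({ ok: true }));
}

// Start listening. The dynamic import keeps corsHeaders/handle usable without
// a running server, e.g. under test; call startServer(8080) to serve.
async function startServer(port = 8080) {
  const { createServer } = await import("node:http");
  return createServer(handle).listen(port);
}
```

Test it with `curl -i -H 'Origin: https://app.example.com' http://localhost:8080/` (headers present) and with an origin that is not on the list (no CORS headers, so a browser would block the read). Note that CORS only governs whether a page may read the response; the server still processed the request, so it is not a substitute for authentication or CSRF protection.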

History

Before CORS, people often used JSONP requests to read data from other sites, but that meant loading the data through an HTML script tag and having the server wrap it in a JavaScript callback. JSONP-specific resources had to be created, the strengths of HTTP were hard to use (e.g. proper error handling based on HTTP status codes), and it posed a security risk because JSONP only works by executing JavaScript served by the other site, which was not always trusted. Since CORS allows ordinary HTTP requests instead, it does not suffer from these issues.

Issues

  • Session cookies: If you have a dynamic site where some resources are only available to people with a session cookie, or contain personal information for them on an otherwise public site, then making that resource fetchable by other sites through CORS can let those sites read a logged-in user's data without the user knowing it. The browser attaches the session cookie to a credentialed cross-origin request automatically, so the only thing standing between a malicious page and the response is the server's Access-Control-Allow-Origin and Access-Control-Allow-Credentials headers. Browsers refuse a credentialed read when the allowed origin is "*", so the dangerous configuration is a server that reflects whatever Origin it receives together with Access-Control-Allow-Credentials: true. One should therefore take extra care over which pages one allows to be fetched from other domains when using session cookies, and only ever echo origins from an explicit allowlist. Other authorization mechanisms, like OAuth bearer tokens, where the calling script has to explicitly attach the user's credentials to the request (the browser never adds an Authorization header on its own), are preferable when paired with CORS. SameSite cookie attributes reduce how often the cookie is sent cross-site, but are not a substitute for getting the CORS headers right.
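An added example (not from the IndieWeb wiki) modelling the exchange above: a cookie-protected profile endpoint under three server policies, and the browser's rule for deciding whether a page on another origin may read a credentialed response. The origins, session cookie and profile data are constructed for the example; the browser rule is a simplified form of what the Fetch standard specifies.

```javascript
// Added example, not from the IndieWeb page: shows what a cross-origin page can
// read from a cookie-authenticated endpoint under three CORS policies. The
// origins, session cookie and profile payload are constructed assumptions.

const SESSION_COOKIE = "session=abc123"; // stands in for a real logged-in session
const PROFILE = { name: "Alice", email: "alice@example.com" };
const TRUSTED_ORIGIN = "https://app.example.com";

// Server side: the endpoint returns personal data only when the cookie is
// present, and applies one of three CORS policies to the response headers.
function profileEndpoint(policy, req) {
  const body = req.headers.cookie === SESSION_COOKIE ? PROFILE : { error: "not logged in" };
  const origin = req.headers.origin;
  const headers = {};
  if (origin) {
    if (policy === "reflect") {
      // Vulnerable: any Origin is echoed back together with credentials.
      headers["Access-Control-Allow-Origin"] = origin;
      headers["Access-Control-Allow-Credentials"] = "true";
    } else if (policy === "wildcard") {
      // "*" is harmless for cookie-bound data: browsers refuse credentialed reads of it.
      headers["Access-Control-Allow-Origin"] = "*";
    } else if (policy === "allowlist" && origin === TRUSTED_ORIGIN) {
      // Hardened: only the one trusted origin is echoed, with credentials.
      headers["Access-Control-Allow-Origin"] = origin;
      headers["Access-Control-Allow-Credentials"] = "true";
      headers["Vary"] = "Origin";
    }
  }
  return { headers, body };
}

// Browser side (simplified from the Fetch standard): a credentialed request is
// readable only if Access-Control-Allow-Origin is exactly the requesting origin
// (not "*") and Access-Control-Allow-Credentials is "true". Without credentials,
// "*" or the exact origin suffices.
function browserMayRead(requestOrigin, withCredentials, headers) {
  const acao = headers["Access-Control-Allow-Origin"];
  if (acao === undefined) return false;
  if (!withCredentials) return acao === "*" || acao === requestOrigin;
  return acao === requestOrigin && headers["Access-Control-Allow-Credentials"] === "true";
}

// What a script on pageOrigin receives from fetch(url, { credentials: "include" }).
// The browser attaches the victim's cookie by itself; the script never sees it,
// so the server must decide purely from the Origin header.
function crossOriginFetch(policy, pageOrigin) {
  const req = { headers: { origin: pageOrigin, cookie: SESSION_COOKIE } };
  const { headers, body } = profileEndpoint(policy, req);
  return browserMayRead(pageOrigin, true, headers) ? body : null;
}
```

Under the "reflect" policy, `crossOriginFetch("reflect", "https://evil.example")` returns Alice's profile to a page she merely visited; under "wildcard" and "allowlist" it returns null, while the trusted origin still gets the data under "allowlist". The server handled every one of these requests, so the fix is in what the server allows to be read, not in what it is willing to serve.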

See Also