Saturday, February 20, 2016

CORS for security

What is it? 

Cross-Origin Resource Sharing (CORS) is a W3C spec that allows resource sharing across domains. Some resources are allowed to come from any domain, but web fonts and AJAX requests are limited to the same domain as the parent web page. This presents a problem if an AJAX request from www.example1.com wants to request a resource from www.example2.com. To fulfill that request, a CORS security header has to be added to the response.

Why? 

All modern browsers implement the same-origin policy as a preventative measure to keep attackers from redirecting users to malicious websites. This is a bit unfortunate for development teams implementing APIs that are used across distributed environments, since it can be perfectly valid for an API to serve AJAX requests from multiple domains. This is why the CORS spec was introduced, and it is necessary for teams whose environments span multiple domains.

How to use it? 

To successfully serve a cross-origin request, the server must specify the Access-Control-Allow-Origin and Access-Control-Allow-Methods headers. The Allow-Origin header specifies the domains allowed to access the resource, and the Allow-Methods header specifies the HTTP methods allowed (GET, PUT, etc.). To allow all origins, the Allow-Origin header can simply be set to '*'.
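As an added example (not code from the original post), here is how a server-side handler can decide which of those headers to put on a response using an explicit origin allow-list instead of '*' or echoing the request's Origin; the origins and methods are constructed for illustration, and request header names are assumed to be lower-cased as Node's http module does.

```javascript
// Added example: compute CORS response headers against an allow-list.
// Hypothetical front-end origin and the methods this API serves cross-origin.
const ALLOWED_ORIGINS = new Set(["https://www.example1.com"]);
const ALLOWED_METHODS = ["GET", "PUT"];

// Takes the request headers (lower-cased names) and returns the headers to
// add to the response, or {} when the request gets no cross-origin grant.
function corsHeaders(req) {
  const origin = req["origin"];
  // No Origin header: same-origin or non-browser client, nothing to add.
  if (!origin) return {};
  // Exact match only. A substring or regex check on "example1.com" would
  // also admit an origin such as https://www.example1.com.evil.example.
  if (!ALLOWED_ORIGINS.has(origin)) return {};

  const h = {
    "Access-Control-Allow-Origin": origin,
    // The response now differs per origin, so caches must key on it;
    // otherwise one origin's grant can be served to another.
    "Vary": "Origin",
  };

  const wanted = req["access-control-request-method"];
  if (wanted !== undefined) {
    // Preflight (OPTIONS): grant only methods we really serve cross-origin.
    if (!ALLOWED_METHODS.includes(wanted)) return {};
    h["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
    h["Access-Control-Max-Age"] = "600"; // let the browser cache the preflight
  }
  return h;
}

// The wildcard from the post is fine for a public, unauthenticated resource.
// Browsers reject "*" combined with Access-Control-Allow-Credentials, so a
// resource that needs cookies must use the allow-list path above instead.
function publicCorsHeaders() {
  return { "Access-Control-Allow-Origin": "*" };
}
```

A real handler would merge the returned object into the response and answer the preflight OPTIONS request with status 204 and no body.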
