Stands for Cross-Origin Resource Sharing.
The browser's same-origin policy restricts how a document or script loaded from one origin can read a resource from another origin.
By default no CORS headers are sent, so cross-origin reads are blocked: a page on another origin can still issue the request, but the browser does not let its script read the response.
CORS lifts that restriction selectively: the server declares, via response headers, which origins are allowed to read the response.
CORS should be enabled for localhost (for example http://localhost:3000) when in local development, because the dev server is a different origin from the API.
CORS doesn't work on server requests. Only browsers enforce CORS; server environments do NOT, so they can bypass CORS restrictions entirely.
curl can easily spoof CORS by declaring an origin URL. The Origin header is an ordinary request header, and the server has no way to verify who set it:
curl -H "Origin: https://example.com" https://www.yourweb.com/
CORS is NOT a valid mechanism for protecting against server-to-server requests; that is the job of authentication (tokens, API keys, mTLS).
Origin
Origin is defined by the scheme (protocol), hostname (domain), and port of the URL used to access it.
All three need to be identical to be considered the same origin: the scheme/host/port tuple. Path, query and fragment play no part.
# same origin (only the path differs)
http://example.com/app1/index.html
http://example.com/app2/index.html
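The tuple comparison above, as an added worked example (not from the original notes). It uses the WHATWG URL parser that browsers and Node share, normalises default ports, and checks a set of sample URL pairs that are constructed for illustration.

```javascript
// Added example: build the scheme/host/port tuple that the same-origin policy
// compares, and test pairs of URLs against it. Not code from the original notes.

// Ports implied by a scheme when the URL omits one. http://example.com and
// http://example.com:80 are the same origin even though only one writes the port.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

function originTuple(urlString) {
  const u = new URL(urlString); // WHATWG parser: lowercases host, drops default port
  return {
    scheme: u.protocol.slice(0, -1),                 // "http:" -> "http"
    host: u.hostname,
    port: u.port || DEFAULT_PORTS[u.protocol] || '', // '' when the scheme has no default
  };
}

// Same origin only when all three components match; path, query and fragment
// never take part in the comparison.
function isSameOrigin(urlA, urlB) {
  const a = originTuple(urlA);
  const b = originTuple(urlB);
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Constructed sample pairs with the answer the same-origin policy gives.
const SAMPLE_PAIRS = [
  ['http://example.com/app1/index.html', 'http://example.com/app2/index.html', true],  // only the path differs
  ['http://example.com/',                'http://example.com:80/',             true],  // explicit default port
  ['http://example.com/',                'http://EXAMPLE.com/?x=1#top',        true],  // host is case-insensitive
  ['http://example.com/',                'https://example.com/',               false], // scheme differs
  ['http://example.com/',                'http://example.com:8080/',           false], // port differs
  ['http://example.com/',                'http://api.example.com/',            false], // subdomain is another host
];

// Returns the rows whose computed answer disagrees with the expected one
// (an empty array means every pair behaved as the policy says).
function findMismatches(pairs = SAMPLE_PAIRS) {
  return pairs.filter(([a, b, expected]) => isSameOrigin(a, b) !== expected);
}

for (const [a, b] of SAMPLE_PAIRS) {
  console.log(isSameOrigin(a, b) ? 'same     ' : 'different', a, b);
}
```

Run it with `node` to print one line per pair. The explicit-port and upper-case-host rows are the ones people get wrong when they compare origins as raw strings instead of parsing them.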
Access-Control-Allow-Origin
The Access-Control-Allow-Origin response header determines whether or not the resource can be read by content operating within the requesting origin.
* wildcard
The * (any site) wildcard should only be used for public APIs.
Private APIs should never use *, and should instead have a specific domain or domains set. Match the request's Origin header against that allowlist exactly; never echo an arbitrary Origin back, which is equivalent to * but additionally works with credentials.
The wildcard only works for requests made without credentials (for example the crossorigin attribute set to anonymous, or fetch without credentials: 'include'). The browser refuses to expose a response that carried cookies or HTTP auth when Access-Control-Allow-Origin is *, and * cannot be combined with Access-Control-Allow-Credentials: true.
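An added example (not the notes' own code) that turns the rules in this section, and the earlier point that CORS does nothing against curl or server-to-server callers, into a small decision function for a Node HTTP handler. The allowlist entries, port and policy flag are constructed for illustration; the unsafe reflect-anything variant is included only as the contrast to avoid.

```javascript
// Added example, not the notes' own code: decide which CORS headers to send.
// '*' only for a public, credential-free API; an exact allowlist for a private
// API that uses cookies. The origins below are constructed for illustration.

// Allowlist for the private API. Entries are full serialized origins, which is
// exactly what a browser puts in the Origin header (scheme://host[:port], default
// port omitted), so an exact string comparison is the right check. A substring or
// suffix test such as origin.endsWith('example.com') would also admit
// attacker-example.com.
const PRIVATE_ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'http://localhost:3000', // the local-development front end mentioned above
]);

// Headers to add for one request, or null when none should be added.
function corsHeadersFor(originHeader, { isPublic }) {
  if (!originHeader) {
    // No Origin header: not a cross-origin browser request (curl, cron job,
    // another server, same-origin navigation). CORS has nothing to decide, and
    // authentication must protect this request like any other.
    return null;
  }
  if (isPublic) {
    // Wildcard: any site may read the response, but browsers will not attach
    // cookies/HTTP auth to it nor expose a credentialed response, so this is
    // only suitable for data that is public anyway.
    return { 'Access-Control-Allow-Origin': '*' };
  }
  if (!PRIVATE_ALLOWED_ORIGINS.has(originHeader)) {
    return null; // browser blocks the read; the response carries no CORS headers
  }
  return {
    'Access-Control-Allow-Origin': originHeader, // the matched allowlist entry, never '*'
    'Access-Control-Allow-Credentials': 'true',  // cookies allowed; illegal together with '*'
    'Vary': 'Origin',                            // a cache must not replay one origin's answer to another
  };
}

// The common mistake this example exists to contrast with: echoing whatever
// Origin arrived, plus credentials. It behaves like '*' for authenticated
// data, something '*' itself can never do. Do not use.
function reflectAnyOriginUnsafe(originHeader) {
  return {
    'Access-Control-Allow-Origin': originHeader,
    'Access-Control-Allow-Credentials': 'true',
  };
}

const ALLOWED_METHODS = 'GET, POST, PUT, DELETE';
const ALLOWED_HEADERS = 'Content-Type, Authorization';

// Builds {status, headers, body} for a request; reqHeaders uses Node's
// lowercase header names.
function buildResponse(method, reqHeaders, policy) {
  const cors = corsHeadersFor(reqHeaders['origin'], policy);
  const isPreflight = method === 'OPTIONS' && 'access-control-request-method' in reqHeaders;
  if (isPreflight) {
    // Preflight: answer with the allowed methods/headers and no body. Leaving the
    // CORS headers off is enough to make the browser fail the real request.
    const headers = cors
      ? { ...cors,
          'Access-Control-Allow-Methods': ALLOWED_METHODS,
          'Access-Control-Allow-Headers': ALLOWED_HEADERS,
          'Access-Control-Max-Age': '600' }
      : {};
    return { status: 204, headers, body: '' };
  }
  // Actual request. The CORS headers only govern whether page script in a
  // browser may read this body; curl and server-to-server clients receive it
  // either way, which is why CORS is not access control.
  return {
    status: 200,
    headers: { 'Content-Type': 'application/json', ...(cors || {}) },
    body: JSON.stringify({ ok: true }),
  };
}

// Wire the decision into a real server (hypothetical port and policy; not
// started automatically so the functions above can be exercised without a
// listener). Call startServer(8080) to try it with curl and a browser.
function startServer(port = 8080, policy = { isPublic: false }) {
  const http = require('http');
  return http.createServer((req, res) => {
    const r = buildResponse(req.method, req.headers, policy);
    res.writeHead(r.status, r.headers);
    res.end(r.body);
  }).listen(port);
}
```

With the server running, `curl -H "Origin: https://attacker.example" http://localhost:8080/` still returns the JSON body, just without any Access-Control-Allow-Origin header; only a browser would refuse to hand that body to page script. That is the whole reason the authentication check has to sit in front of the handler rather than relying on CORS.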