
CORS

What is it

Stands for Cross Origin Resource Sharing

Restricts how a document or script loaded from one origin can interact with a resource from another origin

  • Isolates malicious documents, reducing attack vectors

By default, CORS is not enabled, and this prevents every other origin from loading the document or script

  • CORS lifts the restriction
    • Hence, CORS should be enabled for the localhost when in local development

What is it not

CORS doesn't work on server requests

Server environments do NOT enforce CORS, so server-side code can bypass CORS restrictions.

curl can easily spoof CORS by declaring any origin URL in the Origin header:

curl -H "Origin: https://example.com" www.yourweb.com

CORS is NOT a valid mechanism for protecting against server-to-server requests

Origin

Origin is defined by the scheme (protocol), hostname (domain), and port of the URL used to access it.

All three need to be identical for two URLs to be considered the same origin

  • also referenced as the scheme/host/port tuple

# same origin
http://example.com/app1/index.html
http://example.com/app2/index.html
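The tuple comparison above, as an added example that is not part of the original notes: it extracts the scheme, hostname and port from each URL with the standard WHATWG URL class (available in browsers and Node.js) and compares the three components. The default-port table is an assumption added here so that an explicit `:80` on an http URL still compares equal to the same URL without a port, which is how browsers treat it.

```javascript
// Added example (not from the original notes): compare two URLs by their
// scheme/host/port tuple, the definition of "origin" used by the same-origin
// policy and CORS.

// Default ports per scheme (assumption added for this example), so that
// "http://example.com" and "http://example.com:80" compare as the same origin.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Returns the { scheme, host, port } tuple of a URL. The URL class lowercases
// the hostname and drops a default port, so we fill the port back in.
function originTuple(urlString) {
  const u = new URL(urlString);
  const port = u.port !== "" ? u.port : (DEFAULT_PORTS[u.protocol] ?? "");
  return { scheme: u.protocol.replace(/:$/, ""), host: u.hostname, port };
}

// Two URLs share an origin only when all three components match; path,
// query and fragment play no part in the comparison.
function isSameOrigin(a, b) {
  const ta = originTuple(a);
  const tb = originTuple(b);
  return ta.scheme === tb.scheme && ta.host === tb.host && ta.port === tb.port;
}

// Walk through the cases that matter: same origin, then one component
// differing at a time. Constructed sample URLs.
const cases = [
  ["http://example.com/app1/index.html", "http://example.com/app2/index.html"], // same
  ["http://example.com/", "https://example.com/"],      // scheme differs
  ["http://example.com/", "http://www.example.com/"],   // host differs
  ["http://example.com/", "http://example.com:8080/"],  // port differs
  ["http://example.com/", "http://example.com:80/"],    // explicit default port
];
for (const [a, b] of cases) {
  console.log(isSameOrigin(a, b) ? "same origin     " : "different origin", a, b);
}
```

Only the first and last pairs print as the same origin; the path differences in the first pair are irrelevant, while a change in any one of scheme, host or port in the middle three makes them different origins.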

Access-Control-Allow-Origin

Access-Control-Allow-Origin header determines whether or not the resource can be accessed by content operating within the current origin.

* wildcard

* (any site) wildcard should only be allowed for public APIs.

Private APIs should never use *, and should instead have a specific domain or domains set.

The wildcard only works for requests made without credentials (for example, with the crossorigin attribute set to anonymous); it prevents sending credentials such as cookies with the request, and browsers reject a * origin that is combined with Access-Control-Allow-Credentials: true
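One way to apply the public-versus-private rule above when building a response, as an added example that is not the author's code: a private API answers only origins on an explicit allowlist and echoes the matching origin back, a public API may use the * wildcard, and the wildcard is refused whenever credentials are requested, since the browser would discard such a response anyway. The allowlist entries, the option names and the `corsHeadersFor` function are assumptions made for this example.

```javascript
// Added example (not from the original notes): choose the
// Access-Control-Allow-Origin header for a response. Pure function so it can
// be dropped into any Node.js request handler.

// Constructed sample allowlist for a private API. Entries are full origins
// (scheme://host[:port]); a bare hostname would never match a real Origin
// header.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "http://localhost:3000", // local front-end during development
]);

// Returns the CORS headers to attach to the response, or null when the
// request origin is not allowed. In the null case the handler should send no
// Access-Control-Allow-Origin header at all, and the browser blocks the read.
function corsHeadersFor(requestOrigin, { allowCredentials = false, publicApi = false } = {}) {
  if (publicApi) {
    if (allowCredentials) {
      // "*" together with Allow-Credentials: true is rejected by browsers,
      // so fail loudly instead of shipping a header set that silently breaks.
      throw new Error("wildcard origin cannot be combined with credentials");
    }
    return { "Access-Control-Allow-Origin": "*" };
  }

  // Private API: require an exact match against the allowlist. Requests
  // without an Origin header (same-origin, or non-browser clients) get
  // nothing, which is harmless for them and never widens access.
  if (typeof requestOrigin !== "string" || !ALLOWED_ORIGINS.has(requestOrigin)) {
    return null;
  }

  const headers = {
    "Access-Control-Allow-Origin": requestOrigin,
    // The response now differs per origin, so shared caches must key on it.
    "Vary": "Origin",
  };
  if (allowCredentials) {
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers;
}

// Demonstration with constructed request origins.
for (const origin of ["https://app.example.com", "https://attacker.example.net", undefined]) {
  console.log(String(origin), "->", corsHeadersFor(origin, { allowCredentials: true }));
}
console.log("public ->", corsHeadersFor("https://anything.example.org", { publicApi: true }));
```

Echoing the request origin only after an exact allowlist match is the important part: reflecting whatever Origin arrives would turn the private API back into a wildcard, with credentials allowed on top.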

© VincentVanKoh