Cross-origin resource sharing

From Wikipedia, the free encyclopedia
Jump to: navigation, search

Cross-origin resource sharing (CORS) is a mechanism that allows many resources (e.g. fonts, JavaScript, etc.) on a web page to be requested from another domain outside the domain the resource originated from.[1] In particular, JavaScript's AJAX calls can use the XMLHttpRequest mechanism. Such "cross-domain" requests would otherwise be forbidden by web browsers, per the same origin security policy. CORS defines a way in which the browser and the server can interact to determine whether or not to allow the cross-origin request.[2] It is more useful than only allowing same-origin requests, but it is more secure than simply allowing all such cross-origin requests.

How CORS works[edit]

The CORS standard works by adding new HTTP headers which allow servers to serve resources to permitted origin domains. Browsers support these headers and respect the restrictions they establish. Additionally, for HTTP request methods that can cause side-effects on user data (in particular, for HTTP methods other than GET, or for POST usage with certain MIME types), the specification mandates that browsers “preflight” the request, soliciting supported methods from the server with an HTTP OPTIONS request header, and then, upon “approval” from the server, sending the actual request with the actual HTTP request method. Servers can also notify clients whether “credentials” (including Cookies and HTTP Authentication data) should be sent with requests.[3]

Simplified example[edit]

To initiate a cross-origin request, a browser sends the request with an Origin HTTP header. The value of this header is the domain that served the page. For example, suppose a page from http://www.example-social-network.com attempts to access a user's data in online-personal-calendar.com. If the user's browser implements CORS, the following request header would be sent to online-personal-calendar.com:

 Origin: http://www.example-social-network.com

If online-personal-calendar.com allows the request, it sends an Access-Control-Allow-Origin (ACAO) header in its response. The value of the header indicates what origin sites are allowed. For example, a response to the previous request could contain the following:

 Access-Control-Allow-Origin: http://www.example-social-network.com

If the server does not allow the cross-origin request, the browser will deliver an error to example-social-network.com page instead of the online-personal-calendar.com response.

To allow access from all domains, a server can send the following response header:

 Access-Control-Allow-Origin: *

This is generally not appropriate. The only case where this is appropriate is when a page or API response is considered completely public content and it is intended to be accessible to everyone, including any code on any site.

The value of "*" is special in that it does not allow requests to supply credentials, meaning HTTP authentication, client-side SSL certificates, nor does it allow cookies to be sent.[4]

Note that in the CORS architecture, the ACAO header is being set by the external web service (online-personal-calendar.com), not the original web application server (example-social-network.com). CORS allows the external web service to authorise the web application to use its services and does not control external services accessed by the web application. For the latter, Content Security Policy should be used (connect-src directive).

Browser support[edit]

CORS is supported by all browsers based on the following layout engines:

  • Gecko 1.9.1 (Firefox 3.5,[5] SeaMonkey 2.0,[6] Camino 2.1 [7]) and above.
  • WebKit (Initial revision uncertain, Safari 4 and above,[1] Google Chrome 3 and above, possibly earlier)[8]
  • MSHTML/Trident 6.0 (Internet Explorer 10) has native support.[9] MSHTML/Trident 4.0 & 5.0 (Internet Explorer 8 & 9) provides partial support via the XDomainRequest object.[1]
  • Presto-based browsers (Opera) implement CORS as of Opera 12.00[10] and Opera Mobile 12, but not Opera Mini.[11]

The following browsers are also noteworthy in their lack of CORS support:

  • Camino does not implement CORS in the 2.0.x release series because these versions are based on Gecko 1.9.0.[12]
  • As of version 0.10.2, Arora exposes WebKit's CORS-related APIs, but attempted cross-origin requests will fail.[13]

History[edit]

Cross-origin support was originally proposed by Matt Oshry, Brad Porter, and Michael Bodell of Tellme Networks in March 2004 for inclusion in VoiceXML 2.1[14] to allow safe cross-origin data requests by VoiceXML browsers. The mechanism was deemed general in nature and not specific to VoiceXML and was subsequently separated into an implementation NOTE.[15] The WebApps Working Group of the W3C with participation from the major browser vendors began to formalize the NOTE into a W3C Working Draft on track toward formal W3C Recommendation status.

CORS relationship to JSONP[edit]

CORS can be used as a modern alternative to the JSONP pattern. While JSONP supports only the GET request method, CORS also supports other types of HTTP requests. Using CORS enables a web programmer to use regular XMLHttpRequest, which supports better error handling than JSONP. On the other hand, JSONP works on legacy browsers which predate CORS support. CORS is supported by most modern web browsers. Also, while JSONP can cause cross-site scripting (XSS) issues where the external site is compromised, CORS allows websites to manually parse responses to ensure security.[2][16]

See also[edit]

References[edit]

  1. ^ a b c on July 6, 2009 by Arun Ranganathan (2009-07-06). "cross-site xmlhttprequest with CORS ✩ Mozilla Hacks – the Web developer blog". Hacks.mozilla.org. Retrieved 2012-07-05. 
  2. ^ a b "Cross-domain Ajax with Cross-Origin Resource Sharing". NCZOnline. Retrieved 2012-07-05. 
  3. ^ "cross-site xmlhttprequest with CORS". MOZILLA. Retrieved 2012-09-05. 
  4. ^ Cross-Origin Resource Sharing. W3.org. Retrieved on 2014-04-12.
  5. ^ "HTTP access control (CORS) - MDN". Developer.mozilla.org. Retrieved 2012-07-05. 
  6. ^ "Gecko - MDN". Developer.mozilla.org. 2012-06-08. Retrieved 2012-07-05. 
  7. ^ "What makes Camino Special". Retrieved 2013-02-20. 
  8. ^ "59940: Apple Safari WebKit Cross-Origin Resource Sharing Bypass". Osvdb.org. Retrieved 2012-07-05. 
  9. ^ Tony Ross, Program Manager, Internet Explorer (2012-02-09). "CORS for XHR in IE10". MSDN. Retrieved 2012-12-14. 
  10. ^ David Honneffer, Documentation Specialist (2012-06-14). "12.00 for UNIX Changelog". Opera. Retrieved 2012-07-05. 
  11. ^ David Honneffer, Documentation Specialist (2012-04-23). "Opera Software: Web specifications support in Opera Presto 2.10". Opera.com. Retrieved 2012-07-05. 
  12. ^ "HTTP Access Control in Camino • mozillaZine Forums". Forums-test.mozillazine.org. Retrieved 2012-07-05. 
  13. ^ "Issue 904 - arora - Arora providing API for CORS (Cross-Origin Resource Sharing) but fails in actual use - Cross Platform WebKit Browser - Google Project Hosting". Code.google.com. 2010-09-04. Retrieved 2012-07-05. 
  14. ^ "Voice Extensible Markup Language (VoiceXML) 2.1". W3.org. 2004-03-23. Retrieved 2012-07-05. 
  15. ^ "Authorizing Read Access to XML Content Using the <?access-control?> Processing Instruction 1.0". W3.org. Retrieved 2012-07-05. 
  16. ^ "When can I use... Cross Origin Resource Sharing". caniuse.com. Retrieved 2012-07-12. 

External links[edit]