CORS – Is it a client-side thing, a server-side thing, or a transport level thing? [duplicate]

by

The server is responsible for reporting the allowed origins. The web browser is responsible for enforcing that requests are only sent from allowed domains.

CORS is applied to requests when an Origin header is included in the request. This includes requests made from JavaScript and POST requests. It’s not applied all resources. The origin is the protocol, host and port that is making the request. Requests made by JavaScript use the origin that loaded the JavaScript, not the origin that it was loaded from.

When CORS is not enabled a browser will rely on the same origin policy. The same origin policy is only applied to scripts. The browser will only allow scripts to be loaded from same origin as the loaded page. The same origin policy is assumed when not origins are explicitly allowed.

An HTTP client other than a browser won’t use either the same origin policy or CORS. Requests made from these other HTTP clients don’t have an origin. Unless the Postman desktop app emulates a browser it will be able to make requests to any URL.

CORS and the same origin policy are needed because a browser does not implicitly trust the websites it visits to make requests to other websites. They don’t protect the origin site, they protect the site receiving the cross origin requests. This is why the allowed origins are up to the targeted server.

Without these policies a simple script that repeatedly loads a website could be distributed by ad networks or script injection and then any browser loading the script would contribute to a denial of service attack on the website. With CORS and the same origin policy a browser will limit the impact of this script.

Another important protection CORS provides is to protect against Cross-site request forgery. It prevents a site from making some types of requests to another site. These requests would be made using any previously created tokens, such as session tokens.

CORS by example:

A web browser loads a page from www.example.com. The page includes a script that makes a request to www.example.org. The origin of the request is www.example.com. The browser either makes the request or sends an OPTIONS request first (the preflight request). When the server at www.example.org receives a request from an origin other than www.example.org it responds with a response header Access-Control-Allow-Origin which tells the browser the origins allowed to make requests. It may also respond with other headers like Access-Control-Allow-Methods and Access-Control-Allow-Headers that can restrict the types of allowed requests. When the browser is told what origins are allowed it will block future requests from disallowed origins.

More Related Contents:

  1. How does Access-Control-Allow-Origin header work?
  2. “Cross origin requests are only supported for HTTP.” error when loading a local file
  3. How to enable CORS in AngularJs
  4. Trying to use fetch and pass in mode: no-cors
  5. Origin null is not allowed by Access-Control-Allow-Origin
  6. Response to preflight request doesn’t pass access control check
  7. CORS Error: “requests are only supported for protocol schemes: http…” etc
  8. Handle response – SyntaxError: Unexpected end of input when using mode: ‘no-cors’
  9. Error when accessing API with fetch while setting mode to ‘no-cors’ [duplicate]
  10. Cross-Origin Read Blocking (CORB)
  11. Why am I seeing an “origin is not allowed by Access-Control-Allow-Origin” error here? [duplicate]
  12. How do CORS and Access-Control-Allow-Headers work?
  13. Catching an Access-Control-Allow-Origin error in JavaScript
  14. Is CORS a secure way to do cross-domain AJAX requests?
  15. fetch() unexpected end of input
  16. ‘Access-Control-Allow-Origin’ issue when API call made from React (Isomorphic app)
  17. Cannot access cssRules from local css file in Chrome 64
  18. Javascript – No ‘Access-Control-Allow-Origin’ header is present on the requested resource
  19. Uncaught (in promise) TypeError: Failed to fetch and Cors error
  20. Cross-origin resource sharing (CORS) concept
  21. CORS cookie credentials from mobile WebView loaded locally with file://
  22. CORS not working on Chrome
  23. Javascript module not working in browser?
  24. CORS: credentials mode is ‘include’
  25. AngularJS CORS Issues
  26. CORS error for application running from file:// scheme
  27. Cannot load Deezer API resources from localhost with the Fetch API
  28. How does the ‘Access-Control-Allow-Origin’ header work?
  29. CSRF protection with CORS Origin header vs. CSRF token
  30. Empty body in fetch POST request

Leave a Comment