Why is Access-Control-Expose-Headers needed?

CORS is implemented in such a way that it does not break assumptions made in the pre-CORS, same-origin-only world. In the pre-CORS world, a client could trigger a cross-origin request (for example, via a script tag), but it could not read the response headers. In order to ensure that CORS doesn’t break this assumption, the …

Why are CORS requests failing in Microsoft Edge but working in other browsers?

I’ll include below, verbatim, the answers that Eric Lawrence (creator of Fiddler) kindly provided on the Fiddler forum: One possibility is that your computer is configured with an Intranet zone and that Intranet zone is dependent on a proxy configuration script: http://blogs.msdn.com/b/ieinternals/archive/2012/06/05/the-local-intranet-security-zone.aspx. When Fiddler is running, the proxy settings are pointed at Fiddler itself. …

How to apply CORS preflight cache to an entire domain

Preflight can only be applied to the request, not to the entire domain. I brought the same question up on the mailing list, and there were security concerns. Here’s the entire thread: http://lists.w3.org/Archives/Public/public-webapps/2012AprJun/0228.html There are a few things to consider if you’d like to limit the number of preflight requests. First note that WebKit-based browsers …
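An added example, not part of the original answer, of the two things the answer turns on: which requests trigger a preflight at all, and a model of the browser's preflight cache showing that each entry is keyed on the exact URL (together with the requesting origin and credentials mode), so a cached preflight for one path on a domain does nothing for another path on the same domain. The origins, URLs and preflight response below are constructed.

```javascript
// Added example (not from the original answer): preflight trigger rules and a
// per-URL preflight cache model. Origins, URLs and header values are constructed.

const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFELISTED_REQUEST = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SIMPLE_CONTENT_TYPES = new Set(["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);

// True if the method or headers fall outside the "simple request" rules, so the browser preflights.
function needsPreflight(method, headers = {}) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const n = name.toLowerCase();
    if (!SAFELISTED_REQUEST.has(n)) return true;
    if (n === "content-type" && !SIMPLE_CONTENT_TYPES.has(value.split(";")[0].trim().toLowerCase())) return true;
  }
  return false;
}

const splitList = (v = "") => v.split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);

// Preflight cache keyed on (origin, exact URL, credentials mode). Each entry records the
// allowed methods/headers and an expiry from Access-Control-Max-Age (default 5 s; Chromium
// caps the value at 7200 s and Firefox at 86400 s regardless of what the server sends).
class PreflightCache {
  constructor(now = () => Date.now()) { this.now = now; this.entries = new Map(); }
  key(origin, url, credentials) { return `${origin}|${url}|${credentials}`; }
  store(origin, url, credentials, preflightResponse) {
    const h = Object.fromEntries(Object.entries(preflightResponse).map(([k, v]) => [k.toLowerCase(), v]));
    const maxAge = Number(h["access-control-max-age"] ?? 5);
    this.entries.set(this.key(origin, url, credentials), {
      methods: splitList(h["access-control-allow-methods"]).map((m) => m.toUpperCase()),
      headers: splitList(h["access-control-allow-headers"]),
      expires: this.now() + maxAge * 1000,
    });
  }
  // True if a live entry covers the method and every non-safelisted request header.
  covers(origin, url, credentials, method, headers = {}) {
    const e = this.entries.get(this.key(origin, url, credentials));
    if (!e || e.expires <= this.now()) return false;
    if (!e.methods.includes(method.toUpperCase())) return false;
    return Object.keys(headers).map((k) => k.toLowerCase())
      .filter((k) => !SAFELISTED_REQUEST.has(k))
      .every((k) => e.headers.includes(k));
  }
}

function demo() {
  let clock = 0;                                   // constructed, controllable clock (ms)
  const cache = new PreflightCache(() => clock);
  const origin = "https://app.example.com";
  const users = "https://api.example.com/users";
  const posts = "https://api.example.com/posts";  // same domain, different path
  const authHeaders = { Authorization: "Bearer t0k3n" };
  // Constructed preflight answer for /users with a generous max-age.
  cache.store(origin, users, "include", {
    "Access-Control-Allow-Methods": "GET, DELETE",
    "Access-Control-Allow-Headers": "Authorization",
    "Access-Control-Max-Age": "600",
  });
  const results = {
    sameUrl: cache.covers(origin, users, "include", "DELETE", authHeaders),            // true
    sameDomainOtherPath: cache.covers(origin, posts, "include", "DELETE", authHeaders), // false: preflight again
    otherCredentialsMode: cache.covers(origin, users, "omit", "DELETE", authHeaders),   // false
  };
  clock = 601 * 1000;
  results.afterExpiry = cache.covers(origin, users, "include", "DELETE", authHeaders);   // false
  return results;
}

console.log(demo());
```

The levers the answer alludes to follow directly: keep requests "simple" where the API allows it (for example `text/plain` bodies instead of `application/json`, no custom headers), or route many operations through few URLs, since the cache is per URL; a large Access-Control-Max-Age helps but is capped by the browser.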

same-origin policy and CORS – what’s the point?

The important thing to note here is that if the user is signed in to a site http://example.com/ and the request http://example.com/delete?id=1 deletes a post by the user, then the following code will delete the user’s post: <script src="http://example.com/delete?id=1"></script> This is called a CSRF/XSRF attack (cross-site request forgery). This is why most server-side web …
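The attack the answer describes, as an added example that is not part of the original answer: the `/delete?id=1` endpoint written as a vulnerable handler beside a hardened one, exercised with constructed requests of the kind a Node HTTP server would see. The session store, the user, the CSRF token and the attacker origin are all constructed. Current browsers default cookies to SameSite=Lax, which already withholds the session cookie from a cross-site `<script src>` load, but the server-side checks are what actually closes the hole.

```javascript
// Added example (not from the original answer): vulnerable GET /delete beside a
// hardened POST /delete. Session store, token and requests are constructed.

const SITE_ORIGIN = "http://example.com";

// Constructed session store: session cookie value -> record with a per-session CSRF token.
// A real app generates the token with crypto.randomBytes; it is fixed here to stay offline.
const SESSIONS = new Map([["s3ss10n", { user: "alice", csrfToken: "c5rf-t0k3n-f0r-al1ce" }]]);

function parseCookies(header = "") {
  return Object.fromEntries(header.split(";").map((c) => c.trim().split("=")).filter(([k]) => k));
}

// Compares without short-circuiting on the first differing byte (length is still revealed).
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// VULNERABLE: deletes on GET and trusts the cookie alone. Any page that embeds
// <script src="http://example.com/delete?id=1"> while the victim is logged in deletes post 1.
function deleteVulnerable(req, posts) {
  const session = SESSIONS.get(parseCookies(req.headers.cookie).sid);
  if (!session) return 401;
  const id = new URL(req.url, SITE_ORIGIN).searchParams.get("id");
  return posts.delete(id) ? 200 : 404;
}

// HARDENED: state change only on POST, the request must come from our own origin,
// and it must carry the CSRF token that only same-origin pages can read.
function deleteHardened(req, posts) {
  if (req.method !== "POST") return 405;
  const session = SESSIONS.get(parseCookies(req.headers.cookie).sid);
  if (!session) return 401;
  const origin = req.headers.origin ?? (req.headers.referer && new URL(req.headers.referer).origin);
  if (origin !== SITE_ORIGIN) return 403;                       // cross-site form, fetch or script
  if (!constantTimeEqual(req.body?.csrf ?? "", session.csrfToken)) return 403;
  return posts.delete(req.body.id) ? 200 : 404;
}

function demo() {
  const cookie = "sid=s3ss10n";   // the browser attaches it to every request to example.com
  // 1. The answer's attack: a script tag on evil.example loading /delete?id=1.
  const scriptTag = { method: "GET", url: "/delete?id=1", headers: { cookie, referer: "http://evil.example/" } };
  // 2. The same attack against a POST endpoint: an auto-submitting cross-site form.
  const evilForm = { method: "POST", url: "/delete", headers: { cookie, origin: "http://evil.example" }, body: { id: "1" } };
  // 3. The legitimate request from example.com's own page, token included.
  const legit = { method: "POST", url: "/delete", headers: { cookie, origin: SITE_ORIGIN }, body: { id: "1", csrf: "c5rf-t0k3n-f0r-al1ce" } };
  const fresh = () => new Set(["1", "2"]);   // constructed posts table, fresh per call
  return {
    vulnerableScriptTag: deleteVulnerable(scriptTag, fresh()),  // 200: the post is gone
    hardenedScriptTag: deleteHardened(scriptTag, fresh()),      // 405
    hardenedEvilForm: deleteHardened(evilForm, fresh()),        // 403
    hardenedLegit: deleteHardened(legit, fresh()),              // 200
  };
}

console.log(demo());
```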

Adding Access-Control-Allow-Origin header response in Laravel 5.3 Passport

The simple answer is to set the Access-Control-Allow-Origin header to localhost or *. Here’s how I usually do it: Create a simple middleware called Cors: php artisan make:middleware Cors Add the following code to app/Http/Middleware/Cors.php: public function handle($request, Closure $next) { return $next($request) ->header('Access-Control-Allow-Origin', '*') ->header('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS'); } You can replace …
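An added example, not part of the original answer and not Laravel code: the origin-handling logic such a middleware needs once the API is called with cookies or an Authorization header, written in JavaScript rather than PHP so it runs here and can be ported to the `handle()` method above. `*` is fine for a public, unauthenticated API, but browsers refuse `Access-Control-Allow-Origin: *` together with `Access-Control-Allow-Credentials: true`, and the usual next step, echoing whatever Origin the request carries, lets any site read authenticated responses. The allowlist and origins below are constructed.

```javascript
// Added example (not from the original answer): weak origin reflection beside an
// exact-match allowlist. The allowlist, origins and requests are constructed.

// Constructed allowlist of exact origins (scheme + host + port, no wildcards).
const ALLOWED_ORIGINS = new Set(["https://app.example.com", "http://localhost:3000"]);

// WEAK: reflects any Origin so that credentials can be allowed. attacker.example now
// reads authenticated responses, and the "null" origin (sandboxed iframes, file://) is reflected too.
function corsReflectAny(req) {
  const origin = req.headers.origin;
  if (!origin) return {};
  return { "Access-Control-Allow-Origin": origin, "Access-Control-Allow-Credentials": "true" };
}

// HARDENED: exact-match allowlist, Vary: Origin so a shared cache never serves one origin's
// response to another, and no Access-Control-Allow-Origin at all for everyone else.
function corsAllowlist(req, allowed = ALLOWED_ORIGINS) {
  const headers = { Vary: "Origin" };
  const origin = req.headers.origin;
  if (!origin || !allowed.has(origin)) return headers;   // same-origin request or disallowed origin
  headers["Access-Control-Allow-Origin"] = origin;
  headers["Access-Control-Allow-Credentials"] = "true";  // legal only because the value is not "*"
  if (req.method === "OPTIONS") {                         // preflight: answer from the middleware itself
    headers["Access-Control-Allow-Methods"] = "GET, POST, PUT, DELETE";
    headers["Access-Control-Allow-Headers"] = "Authorization, Content-Type";
    headers["Access-Control-Max-Age"] = "600";
  }
  return headers;
}

function demo() {
  const attacker = { method: "GET", headers: { origin: "https://attacker.example" } };
  const nullOrigin = { method: "GET", headers: { origin: "null" } };
  const lookalike = { method: "GET", headers: { origin: "https://app.example.com.attacker.example" } };
  const app = { method: "OPTIONS", headers: { origin: "https://app.example.com" } };
  return {
    reflectAttacker: corsReflectAny(attacker)["Access-Control-Allow-Origin"],    // "https://attacker.example"
    allowlistAttacker: corsAllowlist(attacker)["Access-Control-Allow-Origin"],   // undefined
    allowlistNull: corsAllowlist(nullOrigin)["Access-Control-Allow-Origin"],     // undefined
    allowlistLookalike: corsAllowlist(lookalike)["Access-Control-Allow-Origin"], // undefined
    allowlistApp: corsAllowlist(app)["Access-Control-Allow-Origin"],             // "https://app.example.com"
    appPreflightMaxAge: corsAllowlist(app)["Access-Control-Max-Age"],            // "600"
  };
}

console.log(demo());
```

The lookalike case is why the match is an exact Set lookup rather than a `startsWith` or a loosely anchored regex: `app.example.com.attacker.example` begins with the allowed origin's host but is attacker-controlled.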