Understanding CORS

by

  1. First of all, the cross domain check is performed by the browser, not the server. When the JavaScript makes an XmlHttpRequest to a server other than its origin, if the browser supports CORS it will initialize a CORS process. Or else, the request will result in an error (unless user has deliberately reduced browser security)

  2. When the server encounters Origin HTTP header, server will decide if it is in the list of allowed domains. If it is not in the list, the request will fail (i.e. server will send an error response).

For number 3 and 4, I think you should ask separate questions. Otherwise this question will become too broad. And I think it will quickly get close if you do not remove it.

For an explanation of CORS, please see this answer from programmers: https://softwareengineering.stackexchange.com/a/253043/139479

NOTE: CORS is more of a convention. It does not guarantee security. You can write a malicious browser that disregards the same domain policy. And it will execute JavaScript fetched from any site. You can also create HTTP headers with arbitrary Origin headers, and get information from any third party server that implements CORS. CORS only works if you trust your browser.

More Related Contents:

  1. Can a single Web Domain have multiple passwords? [closed]
  2. Maximum length of HTTP GET request
  3. REST API error return good practices [closed]
  4. Understanding REST: Verbs, error codes, and authentication
  5. Timezone lookup from latitude longitude [closed]
  6. JSON character encoding – is UTF-8 well-supported by browsers or should I use numeric escape sequences?
  7. Secure Web Services: REST over HTTPS vs SOAP + WS-Security. Which is better? [closed]
  8. How to obtain longitude and latitude for a street address programmatically (and legally)
  9. Why would one use REST instead of SOAP based services? [closed]
  10. How can I verify a Google authentication API access token?
  11. CORS cookie credentials from mobile WebView loaded locally with file://
  12. Spring, Jackson and Customization (e.g. CustomDeserializer)
  13. What are REST API error handling best practices? [closed]
  14. What is a web service endpoint?
  15. Load data from Webservice (asmx) to jqgrid. Please help me
  16. Can a WSDL indicate the SOAP version (1.1 or 1.2) of the web service?
  17. Rest vs. Soap. Has REST a better performance?
  18. Why do we need RESTful Web Services?
  19. Log4Net “Could not find schema information” messages
  20. REST web service WSDL? [duplicate]
  21. CXF web service client: “Cannot create a secure XMLInputFactory”
  22. Calling REST web services from a classic asp page
  23. encoding of query string parameters in IE10
  24. Failed to add a service. Service metadata may not be accessible. Make sure your service is running and exposing metadata.`
  25. Generate WSDL for existing SOAP Service using captured traffic
  26. Adding Custom Http Headers to Web Service Proxy
  27. How can I get a Kerberos ticket with Delphi?
  28. Jersey client exception: A message body writer was not found
  29. How to call a web service from Ant script or from within Jenkins?
  30. What is a “web service” in plain English?

Leave a Comment