Monday, April 27, 2015

Cross Origin Resource Sharing (CORS)

Cross Origin Resource Sharing (CORS) is a W3C standard that allows a server to relax the same-origin policy. Using CORS, a server can explicitly allow some cross-origin requests while rejecting others. CORS is safer and more flexible than earlier techniques such as JSONP.

The general mechanics of CORS are as follows: when JavaScript attempts a cross-origin AJAX call, the browser "asks" the server whether this is allowed by sending headers in the HTTP request (for example, Origin). The server indicates what is allowed by returning HTTP headers in the response (for example, Access-Control-Allow-Origin). This permission check is done for each distinct URL the client invokes, which means different URLs can have different permissions.

In addition to the origin, CORS lets a server indicate which HTTP methods are allowed, which HTTP request headers a client may send, which HTTP response headers a client may read, and whether the browser is allowed to automatically send or receive credentials (cookies or authorization headers). Additional request and response headers indicate which of these features are allowed.

Permission/Feature         Request Header                   Response Header
Origin                     Origin                           Access-Control-Allow-Origin
HTTP Method                Access-Control-Request-Method    Access-Control-Allow-Methods
Request Headers            Access-Control-Request-Headers   Access-Control-Allow-Headers
Response Headers           (none)                           Access-Control-Expose-Headers
Credentials                (none)                           Access-Control-Allow-Credentials
Cache preflight response   (none)                           Access-Control-Max-Age
