Cross-origin resource sharing (CORS) is a mechanism that allows restricted resources (e.g. fonts) on a web page to be requested from a domain other than the one from which the first resource was served. Web pages can freely embed cross-origin images, stylesheets, scripts, iframes, and videos. Certain "cross-domain" requests, notably Ajax requests, are forbidden by default by the same-origin security policy.
CORS defines a way in which a browser and a server can interact to determine whether it is safe to allow a cross-origin request. It allows more freedom and functionality than purely same-origin requests, but is more secure than simply allowing all cross-origin requests. The specification for CORS was originally published as a W3C Recommendation, but that document is outdated. The currently maintained active specification that defines CORS is the Fetch Living Standard.
How CORS works
The CORS standard describes new HTTP headers that give browsers and servers a way to request a remote URL only when they have permission. Although some validation and authorization can be performed by the server, it is generally the browser's responsibility to support these headers and to honour the restrictions they impose.
For Ajax and HTTP request methods that can modify data (usually HTTP methods other than GET, or POST used with certain MIME types), the specification requires the browser to "preflight" the request, soliciting the supported methods from the server with an HTTP OPTIONS request, and then, upon "approval" from the server, send the actual request with the actual HTTP request method. The server can also notify the client whether "credentials" (including cookies and HTTP authentication data) should be sent with the request.
Simple example
Such a request would normally be blocked by the same-origin security policy. When a CORS-compatible browser attempts to make the cross-origin request:
- The browser sends an OPTIONS request with the Origin HTTP header. The value of this header is the domain that served the parent page. When a page from http://www.example.com tries to access user data at service.example.com, the following request header is sent to service.example.com:
  Origin: http://www.example.com
- The server at service.example.com can respond with:
  - An Access-Control-Allow-Origin (ACAO) header in its response, indicating which origin sites are allowed. For example:
    Access-Control-Allow-Origin: http://www.example.com
  - An error page, if the server does not allow the cross-origin request.
  - An Access-Control-Allow-Origin (ACAO) header with a wildcard that allows all domains:
    Access-Control-Allow-Origin: *
The wildcard origin policy is appropriate when a page or API response is considered completely public content, intended to be accessible to everyone, including any code on any site. An example is freely available web fonts on public hosting services such as Google Fonts.
The wildcard origin policy is also widely and appropriately used in the object-capability model, where pages have unguessable URLs and are meant to be accessible to anyone who knows the secret.
The value "*" is special in that it does not allow requests to supply credentials, meaning it does not allow HTTP authentication, client-side SSL certificates, or cookies to be sent in the cross-domain request.
Note that in the CORS architecture, the ACAO header is set by the external web service (service.example.com), not by the original web application server (www.example.com). CORS lets an external web service authorize web applications to use its services; it does not control which external services a web application may access. For the latter, Content Security Policy (the connect-src directive) must be used.
Preflight example
When performing certain types of cross-domain Ajax request, modern browsers that support CORS insert an extra "preflight" request to determine whether they have permission to perform the action.
OPTIONS /
Host: service.example.com
Origin: http://www.example.com
If service.example.com is willing to accept the action, it may respond with the following headers:
Access-Control-Allow-Origin: http://www.example.com
Access-Control-Allow-Methods: PUT, DELETE
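The server side of both the simple example and the preflight example above, as an added example that is not code from the article: a decision function for service.example.com that echoes an allowlisted origin, answers preflights with Access-Control-Allow-Methods, returns the "error page" branch as 403, and refuses to combine the "*" wildcard with credentials. The allowlist, the 600-second cache time and the Vary: Origin header (emitted so shared caches do not replay one origin's ACAO value to another) are this example's own assumptions.

```javascript
// Added example, not from the article: CORS response decision for service.example.com.
// Constructed allowlist: the article's parent page plus one more client origin.
const ALLOWED_ORIGINS = new Set([
  "http://www.example.com",
  "https://app.example.org",
]);
const ALLOWED_METHODS = ["GET", "PUT", "DELETE"];
const PREFLIGHT_MAX_AGE = 600; // seconds the browser may cache the preflight answer (assumed)

// req: { method, headers } with lower-case header names, as Node.js delivers them.
// opts.publicResource: content meant for everyone, so the "*" wildcard is acceptable.
// opts.credentials: cookies / HTTP authentication are expected on the request.
// Returns { status, headers }; status 403 models the article's "error page" branch.
function corsDecision(req, opts = {}) {
  const { publicResource = false, credentials = false } = opts;
  const origin = req.headers.origin;
  const headers = {};
  // No Origin header: same-origin page or non-browser client, nothing to decide.
  if (!origin) return { status: 200, headers };

  if (publicResource && !credentials) {
    // "*" is only valid without credentials; a browser rejects a credentialed
    // response that carries the wildcard, so never emit it in that case.
    headers["Access-Control-Allow-Origin"] = "*";
  } else if (ALLOWED_ORIGINS.has(origin)) {
    // Echo the specific allowed origin instead of "*".
    headers["Access-Control-Allow-Origin"] = origin;
    headers["Vary"] = "Origin"; // ACAO now differs per origin; keep caches honest
    if (credentials) headers["Access-Control-Allow-Credentials"] = "true";
  } else {
    return { status: 403, headers }; // cross-origin request refused
  }

  if (req.method === "OPTIONS") {
    // Preflight: only approve a method the service actually allows.
    const wanted = (req.headers["access-control-request-method"] || "").toUpperCase();
    if (!ALLOWED_METHODS.includes(wanted)) return { status: 403, headers: {} };
    headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
    headers["Access-Control-Max-Age"] = String(PREFLIGHT_MAX_AGE);
    return { status: 204, headers }; // preflight answers carry no body
  }
  return { status: 200, headers }; // actual request: attach ACAO and serve it
}
```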
Headers
The HTTP headers that relate to CORS are:
Request headers
- Origin
- Access-Control-Request-Method
- Access-Control-Request-Headers
Response headers
- Access-Control-Allow-Origin
- Access-Control-Allow-Credentials
- Access-Control-Expose-Headers
- Access-Control-Max-Age
- Access-Control-Allow-Methods
- Access-Control-Allow-Headers
Browser support
CORS is supported by all browsers based on the following layout engines:
- Blink- and Chromium-based browsers (Chrome 28, Opera 15, Amazon Silk, Android 4.4 WebView and Qt WebEngine)
- Gecko 1.9.1 (Firefox 3.5, SeaMonkey 2.0) and above.
- MSHTML/Trident 6.0 (Internet Explorer 10) has native support. MSHTML/Trident 4.0 & 5.0 (Internet Explorer 8 & 9) provide partial support through the XDomainRequest object.
- Presto-based browsers (Opera) implement CORS in Opera 12.00 and Opera Mobile 12, but not in Opera Mini.
- WebKit (initial revision uncertain; Safari 4 and above, Google Chrome 3 and above, possibly earlier).
- Microsoft Edge, all versions.
History
Cross-origin support was originally proposed by Matt Oshry, Brad Porter, and Michael Bodell of Tellme Networks in March 2004 for inclusion in VoiceXML 2.1, to allow safe cross-origin data requests by VoiceXML browsers. The mechanism was considered general in nature and not specific to VoiceXML, and was subsequently separated into an implementation NOTE. The WebApps Working Group of the W3C, with participation from the major browser vendors, began formalizing the NOTE into a W3C Working Draft on the path to official W3C Recommendation status.
In May 2006, the first W3C Draft was submitted. In March 2009 the draft was renamed "Cross-Origin Resource Sharing" and in January 2014 was accepted as a W3C Recommendation.
CORS vs JSONP
CORS can be used as a modern alternative to the JSONP pattern. While JSONP supports only the GET request method, CORS also supports other types of HTTP request. Using CORS lets web programmers use the regular XMLHttpRequest, which supports better error handling than JSONP. On the other hand, JSONP works on older browsers that predate CORS support, whereas CORS is supported by most modern web browsers. Additionally, while JSONP can cause cross-site scripting (XSS) issues when the external site is compromised, CORS allows websites to parse responses manually to improve security.
See also
- Content Security Policy
- Cross-document messaging
- JSONP
External links
- Fetch Living Standard (current specification for CORS)
- MDN HTTP access control (CORS) article
- CORS settings in Apache with correct response headers allowing everything through
- Detailed information on how to enable CORS support on various (web) servers
- HTML5 Rocks describes how CORS works in detail
- W3C CORS for Developers guides
- Test your browser for CORS support
- Detailed information on how to handle some common CORS issues, including:
  - How to avoid CORS preflight
  - How to fix the "Access-Control-Allow-Origin header should not be a wildcard" problem
  - How to use a CORS proxy to get around the "No Access-Control-Allow-Origin header is present on the requested resource" problem
  - How to disable CORS in WebKit-based browsers for maximum security and privacy
Source of the article: Wikipedia