Cross-origin resource sharing: Difference between revisions
Factually incorrect, many types of requests can be made without CORS - it's getting a response, sending custom headers or credentials being limited. See the "“Simple” Requests using GET or POST" in the previously referenced source or, for modern browsers' behaviour, "Examples of access control scenarios" in MDN |
Tags: Manual revert Reverted |
||
(27 intermediate revisions by 24 users not shown) | |||
Line 1: | Line 1: | ||
{{Short description|Mechanism to request restricted resources on a web page from another domain}} |
{{Short description|Mechanism to request restricted resources on a web page from another domain}} |
||
{{redirect|CORS}} |
{{redirect-distinguish|CORS|Continuously Operating Reference Station}} |
||
⚫ | |||
⚫ | |||
⚫ | A web page may freely embed cross-origin images, |
||
⚫ | A web page may freely embed cross-origin images, stylesheets, scripts, iframes, and videos. Certain "cross-domain" requests, notably [[Ajax (programming)|Ajax]] requests, are forbidden by default by the same-origin security policy. CORS defines a way in which a browser and server can interact to determine whether it is safe to allow the cross-origin request.<ref name="nczonline1">{{cite web|url=http://www.nczonline.net/blog/2010/05/25/cross-domain-ajax-with-cross-origin-resource-sharing/ |title=Cross-domain Ajax with Cross-Origin Resource Sharing |date=25 May 2010 |publisher=NCZOnline |access-date=2012-07-05}}</ref> It allows for more freedom and functionality than purely same-origin requests, but is more secure than simply allowing all cross-origin requests. |
||
⚫ | The specification for CORS is included as part of the |
||
⚫ | The specification for CORS is included as part of the WHATWG's Fetch Living Standard.<ref>{{cite web|url=https://fetch.spec.whatwg.org/|title=Fetch Living Standard}}</ref> This specification describes how CORS is currently implemented in browsers.<ref>{{cite web|url=https://www.w3.org/2017/08/16-webappsec-minutes.html#item03|title=WebAppSec Working Group Minutes}}</ref> An earlier specification was published as a [[World Wide Web Consortium|W3C]] Recommendation.<ref>{{cite web|url=http://www.w3.org/TR/cors/|title=Cross-Origin Resource Sharing}}</ref> |
||
== Technical overview == |
== Technical overview == |
||
Line 11: | Line 12: | ||
[[File:Flowchart_showing_Simple_and_Preflight_XHR.svg|thumb|upright=1.5|Path of an [[XMLHttpRequest]] (XHR) through CORS.]]For HTTP requests made from JavaScript that can't be made by using a <form> tag pointing to another domain or containing non-safelisted headers, the specification mandates that browsers "preflight" the request, soliciting supported methods from the server with an HTTP OPTIONS request method, and then, upon "approval" from the server, sending the actual request with the actual HTTP request method. Servers can also notify clients whether "credentials" (including Cookies and HTTP Authentication data) should be sent with requests.<ref name="mdncors">{{cite web |title=Cross-Origin Resource Sharing (CORS) - HTTP {{!}} MDN |url=https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS |website=developer.mozilla.org |access-date=7 June 2023 |date=10 May 2023}}</ref> |
[[File:Flowchart_showing_Simple_and_Preflight_XHR.svg|thumb|upright=1.5|Path of an [[XMLHttpRequest]] (XHR) through CORS.]]For HTTP requests made from JavaScript that can't be made by using a <form> tag pointing to another domain or containing non-safelisted headers, the specification mandates that browsers "preflight" the request, soliciting supported methods from the server with an HTTP OPTIONS request method, and then, upon "approval" from the server, sending the actual request with the actual HTTP request method. Servers can also notify clients whether "credentials" (including Cookies and HTTP Authentication data) should be sent with requests.<ref name="mdncors">{{cite web |title=Cross-Origin Resource Sharing (CORS) - HTTP {{!}} MDN |url=https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS |website=developer.mozilla.org |access-date=7 June 2023 |date=10 May 2023}}</ref> |
||
== Simple example == |
== Simple request example == |
||
⚫ | Suppose a user visits <nowiki>http://www.example.com</nowiki> and the page attempts a cross-origin request to fetch data from <nowiki>http://service.example.com</nowiki>. A CORS-compatible browser will attempt to make a cross-origin request to <nowiki>service.example.com</nowiki> as follows. |
||
⚫ | Suppose a user visits <nowiki>http://www.example.com</nowiki> and the page attempts a cross-origin request to fetch |
||
# The browser sends the GET request with an extra <code>Origin</code> [[HTTP header]] to <nowiki>service.example.com</nowiki> containing the domain that served the parent page:<pre><nowiki>Origin: http://www.example.com</nowiki></pre> |
# The browser sends the GET request with an extra <code>Origin</code> [[HTTP header]] to <nowiki>service.example.com</nowiki> containing the domain that served the parent page:<pre><nowiki>Origin: http://www.example.com</nowiki></pre> |
||
Line 19: | Line 19: | ||
#* The requested data along with an <code>Access-Control-Allow-Origin</code> (ACAO) header in its response indicating the requests from the origin are allowed. For example in this case it should be: <pre><nowiki>Access-Control-Allow-Origin: http://www.example.com</nowiki></pre> |
#* The requested data along with an <code>Access-Control-Allow-Origin</code> (ACAO) header in its response indicating the requests from the origin are allowed. For example in this case it should be: <pre><nowiki>Access-Control-Allow-Origin: http://www.example.com</nowiki></pre> |
||
#* The requested data along with an <code>Access-Control-Allow-Origin</code> (ACAO) header with a wildcard indicating that the requests from all domains are allowed: <pre>Access-Control-Allow-Origin: *</pre> |
#* The requested data along with an <code>Access-Control-Allow-Origin</code> (ACAO) header with a wildcard indicating that the requests from all domains are allowed: <pre>Access-Control-Allow-Origin: *</pre> |
||
#* An error page if the server does not allow a cross-origin request |
#* An error page if the server does not allow a cross-origin request<ref>{{Cite web |date=2023-05-10 |title=CORS errors - HTTP {{!}} MDN |url=https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors |access-date=2023-07-04 |website=developer.mozilla.org |language=en-US}}</ref> |
||
A wildcard same-origin policy is appropriate when a page or API response |
A wildcard same-origin policy is appropriate when a page or API response is intended to be accessible to any code on any site. A freely available [[web font]] on a public hosting service like [[Google Fonts]] is an example. |
||
A wildcard same-origin policy is also widely and appropriately used in the [[object-capability model]], where pages have unguessable URLs and are meant to be accessible to anyone who knows the secret. |
A wildcard same-origin policy is also widely and appropriately used in the [[object-capability model]], where pages have unguessable URLs and are meant to be accessible to anyone who knows the secret.{{Original research inline|date=June 2023}} |
||
The value of "*" is special in that it does not allow requests to supply credentials, meaning that it does not allow HTTP authentication, client-side SSL certificates, or cookies to be sent in the cross-domain request.<ref>[https://fetch.spec.whatwg.org/#cors-protocol-and-credentials]. W3.org. Retrieved on 2021-31-07.</ref> |
The value of "*" is special in that it does not allow requests to supply credentials, meaning that it does not allow HTTP authentication, client-side SSL certificates, or cookies to be sent in the cross-domain request.<ref>[https://fetch.spec.whatwg.org/#cors-protocol-and-credentials]. W3.org. Retrieved on 2021-31-07.</ref> |
||
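Review bot: in the two paragraphs after the response list, "A wildcard same-origin policy" names the wrong thing, and the sentence completed in this hunk keeps the phrase. The wildcard is a value of the Access-Control-Allow-Origin header, not a variant of the same-origin policy; suggest "A wildcard Access-Control-Allow-Origin value is appropriate when ...". The unchanged reference on the "*" paragraph also reads "Retrieved on 2021-31-07", which is not a valid date, and credits W3.org for a fetch.spec.whatwg.org URL.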
Line 29: | Line 29: | ||
Note that in the CORS architecture, the Access-Control-Allow-Origin header is being set by the external web service (''service.example.com''), not the original web application server (''www.example.com''). Here, ''service.example.com'' uses CORS to permit the browser to authorize ''www.example.com'' to make requests to ''service.example.com''. |
Note that in the CORS architecture, the Access-Control-Allow-Origin header is being set by the external web service (''service.example.com''), not the original web application server (''www.example.com''). Here, ''service.example.com'' uses CORS to permit the browser to authorize ''www.example.com'' to make requests to ''service.example.com''. |
||
If a site specifies the header "Access-Control-Allow-Credentials:true", third-party sites may be able to carry out privileged actions and retrieve sensitive information |
If a site specifies the header "Access-Control-Allow-Credentials:true", third-party sites may be able to carry out privileged actions and retrieve sensitive information. |
||
== Preflight example == |
== Preflight example == |
||
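Review bot: the Access-Control-Allow-Credentials sentence gains only its full stop here and still carries no citation. Suggest adding a source, writing the header as "Access-Control-Allow-Credentials: true" with a space after the colon, and stating which third-party sites are meant: as worded, the sentence reads as if the header alone opens the service to every site, while the preceding text says "*" does not allow credentials at all.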
Line 74: | Line 74: | ||
CORS is supported by all browsers based on the following layout engines: |
CORS is supported by all browsers based on the following layout engines: |
||
* [[Blink (layout engine)|Blink]]- and [[Chromium (web browser)#Browsers based on Chromium|Chromium]]-based browsers ([[Google Chrome|Chrome]] 28+,<ref name="quirks">{{cite web |title=Blink | date=April 2013 |publisher=QuirksBlog |url=http://www.quirksmode.org/blog/archives/2013/04/blink.html |access-date=4 April 2013}}</ref><ref>{{cite news |title=Google going its own way, forking WebKit rendering engine |publisher=Ars Technica | date=April 2013 |url= https://arstechnica.com/information-technology/2013/04/google-going-its-own-way-forking-webkit-rendering-engine/ |access-date=4 April 2013}}</ref> [[Opera (web browser)|Opera]] 15+,<ref name="quirks"/> [[Amazon Silk]], [[Android (operating system)|Android]]'s 4.4+ WebView and [[Qt (framework)|Qt's]] WebEngine) |
* [[Blink (layout engine)|Blink]]- and [[Chromium (web browser)#Browsers based on Chromium|Chromium]]-based browsers ([[Google Chrome|Chrome]] 28+,<ref name="quirks">{{cite web |title=Blink | date=April 2013 |publisher=QuirksBlog |url=http://www.quirksmode.org/blog/archives/2013/04/blink.html |access-date=4 April 2013}}</ref><ref>{{cite news |title=Google going its own way, forking WebKit rendering engine |publisher=Ars Technica | date=April 2013 |url= https://arstechnica.com/information-technology/2013/04/google-going-its-own-way-forking-webkit-rendering-engine/ |access-date=4 April 2013}}</ref> [[Opera (web browser)|Opera]] 15+,<ref name="quirks"/> [[Amazon Silk]], [[Android (operating system)|Android]]'s 4.4+ WebView and [[Qt (framework)|Qt's]] WebEngine) |
||
* [[Gecko (layout engine)|Gecko]] 1.9.1 (Firefox 3.5,<ref>{{cite web |url=https://developer.mozilla.org/En/HTTP_access_control |title=HTTP access control (CORS) - MDN |publisher=Developer.mozilla.org |access-date=2012-07-05 |archive-url=https://web.archive.org/web/20100527153021/https://developer.mozilla.org/En/HTTP_access_control |archive-date=2010-05-27 |url-status=dead }}</ref> SeaMonkey 2.0<ref name="gecko_vers">{{cite web|url=https://developer.mozilla.org/en/Gecko |title=Gecko - MDN |publisher=Developer.mozilla.org |date=2012-06-08 |access-date=2012-07-05}}</ref>) and above. |
* [[Gecko (layout engine)|Gecko]] 1.9.1 (Firefox 3.5,<ref>{{cite web |url=https://developer.mozilla.org/En/HTTP_access_control |title=HTTP access control (CORS) - MDN |publisher=Developer.mozilla.org |access-date=2012-07-05 |archive-url=https://web.archive.org/web/20100527153021/https://developer.mozilla.org/En/HTTP_access_control |archive-date=2010-05-27 |url-status=dead }}</ref> SeaMonkey 2.0<ref name="gecko_vers">{{cite web |url=https://developer.mozilla.org/en/Gecko |title=Gecko - MDN |publisher=Developer.mozilla.org |date=2012-06-08 |access-date=2012-07-05 |archive-date=2012-08-03 |archive-url=https://web.archive.org/web/20120803092112/https://developer.mozilla.org/en/Gecko |url-status=dead }}</ref>) and above. |
||
* [[Trident (layout engine)|MSHTML/Trident]] 6.0 (Internet Explorer 10) has native support.<ref>{{cite web|author1=Tony Ross |author2=Program Manager |author3=Internet Explorer |url=http://blogs.msdn.com/b/ie/archive/2012/02/09/cors-for-xhr-in-ie10.aspx |title=CORS for XHR in IE10 |publisher=MSDN |date=2012-02-09 |access-date=2012-12-14}}</ref> MSHTML/Trident 4.0 & 5.0 (Internet Explorer 8 & 9) provide partial support via the XDomainRequest object.<ref>{{cite web|url=https://hacks.mozilla.org/2009/07/cross-site-xmlhttprequest-with-cors/ |title=cross-site xmlhttprequest with CORS |publisher=MOZILLA |access-date=2012-09-05}}</ref> |
* [[Trident (layout engine)|MSHTML/Trident]] 6.0 (Internet Explorer 10) has native support.<ref>{{cite web|author1=Tony Ross |author2=Program Manager |author3=Internet Explorer |url=http://blogs.msdn.com/b/ie/archive/2012/02/09/cors-for-xhr-in-ie10.aspx |title=CORS for XHR in IE10 |publisher=MSDN |date=2012-02-09 |access-date=2012-12-14}}</ref> MSHTML/Trident 4.0 & 5.0 (Internet Explorer 8 & 9) provide partial support via the XDomainRequest object.<ref>{{cite web|url=https://hacks.mozilla.org/2009/07/cross-site-xmlhttprequest-with-cors/ |title=cross-site xmlhttprequest with CORS |publisher=MOZILLA |access-date=2012-09-05}}</ref> |
||
* [[Presto (layout engine)|Presto]]-based browsers (Opera) implement CORS as of [[Opera (web browser)|Opera]] 12.00<ref>{{cite web |author=David Honneffer, Documentation Specialist |url=http://www.opera.com/docs/changelogs/unix/1200/ |title=12.00 for UNIX Changelog |publisher=Opera |date=2012-06-14 |access-date=2012-07-05 |archive-url=https://web.archive.org/web/20120618170555/http://www.opera.com/docs/changelogs/unix/1200/ |archive-date=2012-06-18 |url-status=dead }}</ref> and [[Opera Mobile]] 12, but not [[Opera Mini]].<ref>{{cite web|author=David Honneffer, Documentation Specialist |url=http://www.opera.com/docs/specs/presto2.10/#m210-236 |title=Opera Software: Web specifications support in Opera Presto 2.10 |publisher=Opera.com |date=2012-04-23 |access-date=2012-07-05}}</ref> |
* [[Presto (layout engine)|Presto]]-based browsers (Opera) implement CORS as of [[Opera (web browser)|Opera]] 12.00<ref>{{cite web |author=David Honneffer, Documentation Specialist |url=http://www.opera.com/docs/changelogs/unix/1200/ |title=12.00 for UNIX Changelog |publisher=Opera |date=2012-06-14 |access-date=2012-07-05 |archive-url=https://web.archive.org/web/20120618170555/http://www.opera.com/docs/changelogs/unix/1200/ |archive-date=2012-06-18 |url-status=dead }}</ref> and [[Opera Mobile]] 12, but not [[Opera Mini]].<ref>{{cite web|author=David Honneffer, Documentation Specialist |url=http://www.opera.com/docs/specs/presto2.10/#m210-236 |title=Opera Software: Web specifications support in Opera Presto 2.10 |publisher=Opera.com |date=2012-04-23 |access-date=2012-07-05}}</ref> |
||
* [[WebKit]] (Initial revision uncertain, Safari 4 and above,<ref name="mozhacks_cors">{{cite web|author=on July 6, 2009 by Arun Ranganathan |url=https://hacks.mozilla.org/2009/07/cross-site-xmlhttprequest-with-cors/ |title=cross-site xmlhttprequest with CORS ✩ Mozilla Hacks – the Web developer blog |publisher=Hacks.mozilla.org |date=2009-07-06 |access-date=2012-07-05}}</ref> Google Chrome 3 and above, possibly earlier).<ref>{{cite web |url=http://osvdb.org/59940 |archive-url=https://archive.today/20120719142244/http://osvdb.org/59940 |url-status=dead |archive-date=2012-07-19 |title=59940: Apple Safari WebKit Cross-Origin Resource Sharing Bypass |publisher=Osvdb.org |access-date=2012-07-05 }}</ref> |
* [[WebKit]] (Initial revision uncertain, Safari 4 and above,<ref name="mozhacks_cors">{{cite web|author=on July 6, 2009 by Arun Ranganathan |url=https://hacks.mozilla.org/2009/07/cross-site-xmlhttprequest-with-cors/ |title=cross-site xmlhttprequest with CORS ✩ Mozilla Hacks – the Web developer blog |publisher=Hacks.mozilla.org |date=2009-07-06 |access-date=2012-07-05}}</ref> Google Chrome 3 and above, possibly earlier).<ref>{{cite web |url=http://osvdb.org/59940 |archive-url=https://archive.today/20120719142244/http://osvdb.org/59940 |url-status=dead |archive-date=2012-07-19 |title=59940: Apple Safari WebKit Cross-Origin Resource Sharing Bypass |publisher=Osvdb.org |access-date=2012-07-05 }}</ref> |
||
* [[Microsoft Edge]] All versions. |
* [[Microsoft Edge]] All versions.<ref name="edge">{{cite web|title=Microsoft Edge deverloper's guide|date=21 December 2023 |url=https://docs.microsoft.com/en-us/microsoft-edge/dev-guide/performance/xmlhttprequest/}}</ref> |
||
==History== |
==History== |
||
Cross-origin support was originally proposed by Matt Oshry, Brad Porter, and Michael Bodell of [[Tellme Networks]] in March 2004 for inclusion in [[VoiceXML]] 2.1<ref>{{cite web|url=https://www.w3.org/TR/2004/WD-voicexml21-20040323/#sec-data-security |title=Voice Extensible Markup Language (VoiceXML) 2.1 |publisher=W3.org |date=2004-03-23 |access-date=2012-07-05}}</ref> to allow safe cross-origin data requests by VoiceXML browsers. The mechanism was deemed general in nature and not specific to VoiceXML and was subsequently separated into an implementation NOTE.<ref>{{cite web|url=http://www.w3.org/TR/2005/NOTE-access-control-20050613/ |title=Authorizing Read Access to XML Content Using the <?access-control?> Processing Instruction 1.0 |publisher=W3.org |access-date=2012-07-05}}</ref> The WebApps Working Group of the W3C with participation from the major browser vendors began to formalize the NOTE into a [[W3C Recommendation#Working |
Cross-origin support was originally proposed by Matt Oshry, Brad Porter, and Michael Bodell of [[Tellme Networks]] in March 2004 for inclusion in [[VoiceXML]] 2.1<ref>{{cite web|url=https://www.w3.org/TR/2004/WD-voicexml21-20040323/#sec-data-security |title=Voice Extensible Markup Language (VoiceXML) 2.1 |publisher=W3.org |date=2004-03-23 |access-date=2012-07-05}}</ref> to allow safe cross-origin data requests by VoiceXML browsers. The mechanism was deemed general in nature and not specific to VoiceXML and was subsequently separated into an implementation NOTE.<ref>{{cite web|url=http://www.w3.org/TR/2005/NOTE-access-control-20050613/ |title=Authorizing Read Access to XML Content Using the <?access-control?> Processing Instruction 1.0 |publisher=W3.org |access-date=2012-07-05}}</ref> The WebApps Working Group of the W3C with participation from the major browser vendors began to formalize the NOTE into a [[W3C Recommendation#Working draft (WD)|W3C Working Draft]] on track toward formal [[W3C Recommendation#W3C recommendation (REC)|W3C Recommendation]] status. |
||
In May 2006 the first W3C Working Draft was submitted.<ref>{{cite web|title=Authorizing Read Access to XML Content Using the <?access-control?> Processing Instruction 1.0 W3C - Working Draft 17 May 2006|url=http://www.w3.org/TR/2006/WD-access-control-20060517/|publisher=W3.org|access-date=17 August 2015}}</ref> In March 2009 the draft was renamed to "Cross-Origin Resource Sharing"<ref>{{cite web|title=Cross-Origin Resource Sharing - W3C Working Draft 17 March 2009|url=http://www.w3.org/TR/2009/WD-cors-20090317/|publisher=W3.org|access-date=17 August 2015}}</ref> and in January 2014 it was accepted as a W3C Recommendation.<ref>{{cite web|title=Cross-Origin Resource Sharing - W3C Recommendation 16 January 2014|url=http://www.w3.org/TR/2014/REC-cors-20140116/|publisher=W3.org|access-date=17 August 2015}}</ref> |
In May 2006 the first W3C Working Draft was submitted.<ref>{{cite web|title=Authorizing Read Access to XML Content Using the <?access-control?> Processing Instruction 1.0 W3C - Working Draft 17 May 2006|url=http://www.w3.org/TR/2006/WD-access-control-20060517/|publisher=W3.org|access-date=17 August 2015}}</ref> In March 2009 the draft was renamed to "Cross-Origin Resource Sharing"<ref>{{cite web|title=Cross-Origin Resource Sharing - W3C Working Draft 17 March 2009|url=http://www.w3.org/TR/2009/WD-cors-20090317/|publisher=W3.org|access-date=17 August 2015}}</ref> and in January 2014 it was accepted as a W3C Recommendation.<ref>{{cite web|title=Cross-Origin Resource Sharing - W3C Recommendation 16 January 2014|url=http://www.w3.org/TR/2014/REC-cors-20140116/|publisher=W3.org|access-date=17 August 2015}}</ref> |
||
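Review bot: the reference added on the Microsoft Edge bullet is titled "Microsoft Edge deverloper's guide"; "deverloper's" looks like a typo for "developer's". The same cite has a date and URL but no publisher or access-date, unlike the other references in this list.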
Line 97: | Line 97: | ||
* [[Content Security Policy]] |
* [[Content Security Policy]] |
||
* [[Cross-document messaging]] |
* [[Cross-document messaging]] |
||
* [[Cross site leaks]] |
|||
==References== |
==References== |
||
Line 106: | Line 107: | ||
* [https://enable-cors.org/server.html Detailed how-to information for enabling CORS support in various (web) servers] |
* [https://enable-cors.org/server.html Detailed how-to information for enabling CORS support in various (web) servers] |
||
* [http://www.html5rocks.com/en/tutorials/cors/ ''HTML5 Rocks'' explains how CORS works in detail] |
* [http://www.html5rocks.com/en/tutorials/cors/ ''HTML5 Rocks'' explains how CORS works in detail] |
||
* [https://w3c.github.io/webappsec-cors-for-developers/ W3C ''CORS for Developers'' guide] |
|||
* [http://webkit-cors-vulnerability.trentalancia.com How to disable CORS on WebKit-based browsers for maximum security and privacy] |
|||
* [https://helpertools.app/web-security/view/cors-scanner Online CORS misconfiguration scanner] {{Webarchive|url=https://web.archive.org/web/20200810161738/https://helpertools.app/web-security/view/cors-scanner |date=2020-08-10 }} |
* [https://helpertools.app/web-security/view/cors-scanner Online CORS misconfiguration scanner] {{Webarchive|url=https://web.archive.org/web/20200810161738/https://helpertools.app/web-security/view/cors-scanner |date=2020-08-10 }} |
||
Revision as of 02:54, 25 August 2024
Cross-origin resource sharing (CORS) is a mechanism that allows a web page to access restricted resources from a server on a domain different than the domain that served the web page.
A web page may freely embed cross-origin images, stylesheets, scripts, iframes, and videos. Certain "cross-domain" requests, notably Ajax requests, are forbidden by default by the same-origin security policy. CORS defines a way in which a browser and server can interact to determine whether it is safe to allow the cross-origin request.[1] It allows for more freedom and functionality than purely same-origin requests, but is more secure than simply allowing all cross-origin requests.
The specification for CORS is included as part of the WHATWG's Fetch Living Standard.[2] This specification describes how CORS is currently implemented in browsers.[3] An earlier specification was published as a W3C Recommendation.[4]
Technical overview
For HTTP requests made from JavaScript that could not be made with a <form> tag pointing to another domain, or that contain non-safelisted headers, the specification mandates that browsers "preflight" the request: the browser first solicits the supported methods from the server with an HTTP OPTIONS request and then, upon "approval" from the server, sends the actual request with the actual HTTP request method. Servers can also notify clients whether "credentials" (including cookies and HTTP authentication data) should be sent with requests.[5]
Simple request example
Suppose a user visits http://www.example.com and the page attempts a cross-origin request to fetch data from http://service.example.com. A CORS-compatible browser will attempt to make a cross-origin request to service.example.com as follows.
- The browser sends the GET request with an extra Origin HTTP header to service.example.com containing the domain that served the parent page:
    Origin: http://www.example.com
- The server at service.example.com sends one of these three responses:
  - The requested data along with an Access-Control-Allow-Origin (ACAO) header in its response indicating the requests from the origin are allowed. For example in this case it should be:
      Access-Control-Allow-Origin: http://www.example.com
  - The requested data along with an Access-Control-Allow-Origin (ACAO) header with a wildcard indicating that the requests from all domains are allowed:
      Access-Control-Allow-Origin: *
  - An error page if the server does not allow a cross-origin request[6]
A wildcard same-origin policy is appropriate when a page or API response is intended to be accessible to any code on any site. A freely available web font on a public hosting service like Google Fonts is an example.
A wildcard same-origin policy is also widely and appropriately used in the object-capability model, where pages have unguessable URLs and are meant to be accessible to anyone who knows the secret.[original research?]
The value of "*" is special in that it does not allow requests to supply credentials, meaning that it does not allow HTTP authentication, client-side SSL certificates, or cookies to be sent in the cross-domain request.[7]
Note that in the CORS architecture, the Access-Control-Allow-Origin header is being set by the external web service (service.example.com), not the original web application server (www.example.com). Here, service.example.com uses CORS to permit the browser to authorize www.example.com to make requests to service.example.com.
If a site specifies the header "Access-Control-Allow-Credentials:true", third-party sites may be able to carry out privileged actions and retrieve sensitive information.
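The rules above for the three server responses, the "*" value and Access-Control-Allow-Credentials can be traced with a small model of the check a browser applies to a response. This is an added example, not code from the article or from any browser; the function name, the case list and the host other.example.test are constructed for illustration.

```javascript
// Added example: a reduced model of the browser's CORS check (Fetch Standard).
// credentialsMode "include" means cookies / HTTP authentication are sent.
function corsCheck(requestOrigin, credentialsMode, responseHeaders) {
  const h = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    h[name.toLowerCase()] = String(value).trim(); // header names are case-insensitive
  }
  const acao = h["access-control-allow-origin"];
  const withCredentials = credentialsMode === "include";

  if (acao === undefined) {
    return { readable: false, reason: "no Access-Control-Allow-Origin header" };
  }
  if (acao === "*") {
    return withCredentials
      ? { readable: false, reason: "wildcard is not honoured for credentialed requests" }
      : { readable: true, reason: "wildcard, request carried no credentials" };
  }
  // Exact string comparison with the serialized origin: no prefix, suffix or list matching.
  if (acao !== requestOrigin) {
    return { readable: false, reason: "header names a different origin" };
  }
  if (!withCredentials) {
    return { readable: true, reason: "origin matches" };
  }
  return h["access-control-allow-credentials"] === "true"
    ? { readable: true, reason: "origin matches and credentials are allowed" }
    : { readable: false, reason: "credentials sent but not allowed" };
}

// Constructed responses from service.example.com to a page served by www.example.com.
const PAGE_ORIGIN = "http://www.example.com";
const CASES = [
  { label: "origin echoed", mode: "omit",
    headers: { "Access-Control-Allow-Origin": PAGE_ORIGIN } },
  { label: "wildcard", mode: "omit",
    headers: { "Access-Control-Allow-Origin": "*" } },
  { label: "error page, no CORS headers", mode: "omit", headers: {} },
  { label: "wildcard with cookies", mode: "include",
    headers: { "Access-Control-Allow-Origin": "*",
               "Access-Control-Allow-Credentials": "true" } },
  { label: "origin echoed, credentials allowed", mode: "include",
    headers: { "Access-Control-Allow-Origin": PAGE_ORIGIN,
               "Access-Control-Allow-Credentials": "true" } },
  { label: "origin echoed, credentials not allowed", mode: "include",
    headers: { "Access-Control-Allow-Origin": PAGE_ORIGIN } },
  { label: "look-alike origin", mode: "omit",
    headers: { "Access-Control-Allow-Origin": "http://www.example.com.other.example.test" } },
];

function evaluateCases() {
  return CASES.map((c) => ({ label: c.label, ...corsCheck(PAGE_ORIGIN, c.mode, c.headers) }));
}

for (const r of evaluateCases()) {
  console.log(`${r.readable ? "readable" : "blocked "}  ${r.label}: ${r.reason}`);
}
```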
Preflight example
When performing certain types of cross-domain Ajax requests, modern browsers that support CORS will initiate an extra "preflight" request to determine whether they have permission to perform the action. Cross-origin requests are preflighted this way because they may have implications for user data.
    OPTIONS /
    Host: service.example.com
    Origin: http://www.example.com
    Access-Control-Request-Method: PUT
If service.example.com is willing to accept the action, it may respond with the following headers:
    Access-Control-Allow-Origin: http://www.example.com
    Access-Control-Allow-Methods: PUT
The browser will then make the actual request. If service.example.com does not accept cross-site requests from this origin, it will respond with an error to the OPTIONS request and the browser will not make the actual request.
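The server side of this exchange can be written as a single decision function that answers both the preflight and the actual request from an explicit allowlist. This is an added example, not code from the article or from any server product; the POLICY object, the function names, the 403/204 status choices and the host other.example.test are assumptions made for the sketch.

```javascript
// Added example: CORS decision logic for service.example.com (constructed policy).
const POLICY = {
  allowedOrigins: new Set(["http://www.example.com"]), // exact origins, no wildcard
  allowedMethods: ["GET", "PUT"],
  allowedHeaders: ["content-type"],                     // compared case-insensitively
  allowCredentials: false,
  maxAgeSeconds: 600,
};

function lowerCaseKeys(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;
  return out;
}

// Returns the status and CORS response headers for one request.
function corsDecision(policy, method, requestHeaders) {
  const h = lowerCaseKeys(requestHeaders);
  const origin = h["origin"];
  // Vary: Origin keeps a shared cache from replaying one origin's grant to another.
  const refused = { status: 403, headers: { "Vary": "Origin" } };

  if (origin === undefined) return { status: 200, headers: { "Vary": "Origin" } }; // not a CORS request
  if (!policy.allowedOrigins.has(origin)) return refused; // error response, no ACAO header

  const headers = { "Vary": "Origin", "Access-Control-Allow-Origin": origin };
  if (policy.allowCredentials) headers["Access-Control-Allow-Credentials"] = "true";

  const wantedMethod = h["access-control-request-method"];
  const isPreflight = method === "OPTIONS" && wantedMethod !== undefined;
  if (!isPreflight) return { status: 200, headers };

  // Preflight: approve only methods and headers the policy lists.
  if (!policy.allowedMethods.includes(wantedMethod)) return refused;
  const wantedHeaders = (h["access-control-request-headers"] || "")
    .split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
  if (!wantedHeaders.every((name) => policy.allowedHeaders.includes(name))) return refused;

  headers["Access-Control-Allow-Methods"] = wantedMethod;
  if (wantedHeaders.length > 0) headers["Access-Control-Allow-Headers"] = wantedHeaders.join(", ");
  headers["Access-Control-Max-Age"] = String(policy.maxAgeSeconds);
  return { status: 204, headers };
}

// The preflight shown above, followed by two constructed requests that are refused.
function demo() {
  return {
    approved: corsDecision(POLICY, "OPTIONS", {
      Host: "service.example.com",
      Origin: "http://www.example.com",
      "Access-Control-Request-Method": "PUT",
    }),
    otherOrigin: corsDecision(POLICY, "OPTIONS", {
      Host: "service.example.com",
      Origin: "http://other.example.test",
      "Access-Control-Request-Method": "PUT",
    }),
    unlistedMethod: corsDecision(POLICY, "OPTIONS", {
      Host: "service.example.com",
      Origin: "http://www.example.com",
      "Access-Control-Request-Method": "DELETE",
    }),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```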
Headers
The HTTP headers that relate to CORS are:
Request headers
- Origin
- Access-Control-Request-Method
- Access-Control-Request-Headers
Response headers
- Access-Control-Allow-Origin
- Access-Control-Allow-Credentials
- Access-Control-Expose-Headers
- Access-Control-Max-Age
- Access-Control-Allow-Methods
- Access-Control-Allow-Headers
Browser support
CORS is supported by all browsers based on the following layout engines:
- Blink- and Chromium-based browsers (Chrome 28+,[8][9] Opera 15+,[8] Amazon Silk, Android's 4.4+ WebView and Qt's WebEngine)
- Gecko 1.9.1 (Firefox 3.5,[10] SeaMonkey 2.0[11]) and above.
- MSHTML/Trident 6.0 (Internet Explorer 10) has native support.[12] MSHTML/Trident 4.0 & 5.0 (Internet Explorer 8 & 9) provide partial support via the XDomainRequest object.[13]
- Presto-based browsers (Opera) implement CORS as of Opera 12.00[14] and Opera Mobile 12, but not Opera Mini.[15]
- WebKit (Initial revision uncertain, Safari 4 and above,[16] Google Chrome 3 and above, possibly earlier).[17]
- Microsoft Edge All versions.[18]
History
Cross-origin support was originally proposed by Matt Oshry, Brad Porter, and Michael Bodell of Tellme Networks in March 2004 for inclusion in VoiceXML 2.1[19] to allow safe cross-origin data requests by VoiceXML browsers. The mechanism was deemed general in nature and not specific to VoiceXML and was subsequently separated into an implementation NOTE.[20] The WebApps Working Group of the W3C with participation from the major browser vendors began to formalize the NOTE into a W3C Working Draft on track toward formal W3C Recommendation status.
In May 2006 the first W3C Working Draft was submitted.[21] In March 2009 the draft was renamed to "Cross-Origin Resource Sharing"[22] and in January 2014 it was accepted as a W3C Recommendation.[23]
CORS vs JSONP
CORS can be used as a modern alternative to the JSONP pattern. The benefits of CORS are:
- While JSONP supports only the GET request method, CORS also supports other types of HTTP requests.
- CORS enables a web programmer to use regular XMLHttpRequest, which supports better error handling than JSONP.
- While JSONP can cause cross-site scripting (XSS) issues when the external site is compromised, CORS allows websites to manually parse responses to increase security.[1]
The main advantage of JSONP was its ability to work on legacy browsers which predate CORS support (Opera Mini and Internet Explorer 9 and earlier). CORS is now supported by most modern web browsers.[24]
See also
References
- ^ a b "Cross-domain Ajax with Cross-Origin Resource Sharing". NCZOnline. 25 May 2010. Retrieved 2012-07-05.
- ^ "Fetch Living Standard".
- ^ "WebAppSec Working Group Minutes".
- ^ "Cross-Origin Resource Sharing".
- ^ "Cross-Origin Resource Sharing (CORS) - HTTP | MDN". developer.mozilla.org. 10 May 2023. Retrieved 7 June 2023.
- ^ "CORS errors - HTTP | MDN". developer.mozilla.org. 2023-05-10. Retrieved 2023-07-04.
- ^ [1]. W3.org. Retrieved on 2021-31-07.
- ^ a b "Blink". QuirksBlog. April 2013. Retrieved 4 April 2013.
- ^ "Google going its own way, forking WebKit rendering engine". Ars Technica. April 2013. Retrieved 4 April 2013.
- ^ "HTTP access control (CORS) - MDN". Developer.mozilla.org. Archived from the original on 2010-05-27. Retrieved 2012-07-05.
- ^ "Gecko - MDN". Developer.mozilla.org. 2012-06-08. Archived from the original on 2012-08-03. Retrieved 2012-07-05.
- ^ Tony Ross; Program Manager; Internet Explorer (2012-02-09). "CORS for XHR in IE10". MSDN. Retrieved 2012-12-14.
- ^ "cross-site xmlhttprequest with CORS". MOZILLA. Retrieved 2012-09-05.
- ^ David Honneffer, Documentation Specialist (2012-06-14). "12.00 for UNIX Changelog". Opera. Archived from the original on 2012-06-18. Retrieved 2012-07-05.
- ^ David Honneffer, Documentation Specialist (2012-04-23). "Opera Software: Web specifications support in Opera Presto 2.10". Opera.com. Retrieved 2012-07-05.
- ^ on July 6, 2009 by Arun Ranganathan (2009-07-06). "cross-site xmlhttprequest with CORS ✩ Mozilla Hacks – the Web developer blog". Hacks.mozilla.org. Retrieved 2012-07-05.
- ^ "59940: Apple Safari WebKit Cross-Origin Resource Sharing Bypass". Osvdb.org. Archived from the original on 2012-07-19. Retrieved 2012-07-05.
- ^ "Microsoft Edge developer's guide". 21 December 2023.
- ^ "Voice Extensible Markup Language (VoiceXML) 2.1". W3.org. 2004-03-23. Retrieved 2012-07-05.
- ^ "Authorizing Read Access to XML Content Using the <?access-control?> Processing Instruction 1.0". W3.org. Retrieved 2012-07-05.
- ^ "Authorizing Read Access to XML Content Using the <?access-control?> Processing Instruction 1.0 W3C - Working Draft 17 May 2006". W3.org. Retrieved 17 August 2015.
- ^ "Cross-Origin Resource Sharing - W3C Working Draft 17 March 2009". W3.org. Retrieved 17 August 2015.
- ^ "Cross-Origin Resource Sharing - W3C Recommendation 16 January 2014". W3.org. Retrieved 17 August 2015.
- ^ "When can I use... Cross Origin Resource Sharing". caniuse.com. Retrieved 2012-07-12.
External links
- Fetch Living Standard (the current specification for CORS)
- Setting CORS on Apache with correct response headers allowing everything through[permanent dead link]
- Detailed how-to information for enabling CORS support in various (web) servers
- HTML5 Rocks explains how CORS works in detail
- Online CORS misconfiguration scanner Archived 2020-08-10 at the Wayback Machine