CORS: Difference between revisions
Revision as of 06:23, 3 March 2024
Sources
Same-origin policy
Before talking about CORS, we must first understand a security mechanism called the same-origin policy. This policy restricts how a document or script loaded by one origin can interact with a resource from another origin.
Two URLs have the same origin if they have the same protocol, port, and host.
This isolates potentially malicious documents. Consider a hacker website with a script that requests resources from our server. Since the hacker website does not share our origin, the same-origin policy blocks its script from accessing our website.
On the browser side, the browser attaches an HTTP header that identifies the request's origin. Enforcing the same-origin policy on the server side takes a series of steps. For more information, see the MDN article (https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy#how_to_block_cross-origin_access) (for my use case, the Express cors module works fine).
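The server-side check described above, written out as an added example that is not from the original page or the Express cors module: the browser's Origin request header is compared against a constructed allowlist (the hypothetical origins below are assumptions), and the weak setting that echoes any origin is shown beside the corrected one.

```javascript
// Added example: deciding the Access-Control-Allow-Origin response header
// from the Origin request header the browser attaches. Allowlist entries and
// origins are constructed for illustration.

// Constructed allowlist: the only origins this server trusts.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// Weak setting: echo whatever Origin the browser sent. Any site that gets a
// user's browser to make the request can then read the response.
function reflectAnyOrigin(originHeader) {
  if (!originHeader) return {};
  return { "Access-Control-Allow-Origin": originHeader, Vary: "Origin" };
}

// Corrected setting: exact match on scheme, host and port (what "same origin"
// means) against the allowlist; unknown origins get no allow header at all.
// Vary: Origin is always set so caches never reuse one origin's answer for another.
function allowlistedOrigin(originHeader) {
  if (!originHeader || !ALLOWED_ORIGINS.has(originHeader)) {
    return { Vary: "Origin" };
  }
  return { "Access-Control-Allow-Origin": originHeader, Vary: "Origin" };
}

// Request handler using the corrected policy. A preflight (OPTIONS) request
// gets an empty 204 carrying the CORS headers; other methods get the resource.
// req/res follow Node's http.IncomingMessage / http.ServerResponse shape.
function handle(req, res) {
  const cors = allowlistedOrigin(req.headers.origin);
  if (req.method === "OPTIONS") {
    res.writeHead(204, { ...cors, "Access-Control-Allow-Methods": "GET" });
    res.end();
    return;
  }
  res.writeHead(200, { ...cors, "Content-Type": "application/json" });
  res.end(JSON.stringify({ ok: true }));
}
```

To serve it, pass the handler to Node's http module: `http.createServer(handle).listen(3000)`.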
What is CORS
Cross-Origin Resource Sharing (CORS) allows server