CORS: Difference between revisions
From Rice Wiki
Revision as of 18:28, 3 March 2024
Sources
Same-origin policy
Before talking about CORS, we must first understand a security mechanism called the same-origin policy. This policy restricts how a document or script loaded by one origin can interact with a resource from another origin.
Two URLs have the same origin if they have the same protocol, port, and host.
This isolates potentially malicious documents. Consider an attacker's website with a script that requests resources from our server. Because that site does not share our origin, the same-origin policy prevents its script from accessing our website's resources.
Implementation
The same-origin policy is implemented in the browser. It is built into the fetch API: when a script issues a request, the browser attaches an Origin header that carries the origin of the page making the request.
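The definition above (same protocol, host, and port) has one edge case worth seeing in code: a URL written with the scheme's default port (https://example.com:443) has the same origin as one written without it. The following is an added example, not code from Rice Wiki; it implements the same-origin comparison explicitly and shows what value the browser serialises into the Origin header. The function names and the sample URLs are constructed for illustration.

```javascript
// Added example (not from the original wiki page).
// Same-origin check following the definition on the page: two URLs share an
// origin when scheme, host and port all match.

// Default ports per scheme, used when a URL omits its port.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// URL.port is "" when the URL uses the scheme's default port, so
// "https://example.com" and "https://example.com:443" both map to "443" here.
function effectivePort(url) {
  return url.port !== "" ? url.port : (DEFAULT_PORTS[url.protocol] ?? "");
}

// Returns true when both URLs have the same scheme, host and effective port.
// Path, query string and fragment play no part in the comparison.
function sameOrigin(a, b) {
  const ua = new URL(a);
  const ub = new URL(b);
  return (
    ua.protocol === ub.protocol &&
    ua.hostname.toLowerCase() === ub.hostname.toLowerCase() &&
    effectivePort(ua) === effectivePort(ub)
  );
}

// The Origin header the browser attaches is the serialised origin of the page
// making the request: scheme://host[:port], with default ports omitted and
// without path, query or fragment. URL.origin performs that serialisation.
function originHeaderValue(pageUrl) {
  return new URL(pageUrl).origin;
}

// Decides whether a request from a page at `pageUrl` to `requestUrl` is
// cross-origin, i.e. subject to the same-origin policy.
function isCrossOrigin(pageUrl, requestUrl) {
  return !sameOrigin(pageUrl, requestUrl);
}

// Constructed sample: a page on our site requesting from several targets.
const PAGE = "https://app.example.com/dashboard?tab=1#top";
const TARGETS = [
  "https://app.example.com:443/api/data",   // same origin (default port spelled out)
  "http://app.example.com/api/data",        // different scheme
  "https://api.example.com/api/data",       // different host
  "https://app.example.com:8443/api/data",  // different port
];

for (const target of TARGETS) {
  console.log(
    `${target} -> ${isCrossOrigin(PAGE, target) ? "cross-origin" : "same-origin"}`
  );
}
console.log(`Origin header sent by ${PAGE}: ${originHeaderValue(PAGE)}`);

module.exports = { sameOrigin, originHeaderValue, isCrossOrigin, effectivePort };
```

Run it with Node.js (the URL class is built in). Only the first target is same-origin; the other three differ in exactly one of scheme, host or port, which is why a different subdomain or a non-default port counts as a different origin even though the site is "ours".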
What is CORS
Cross-Origin Resource Sharing (CORS) allows server