Cross-origin resource sharing (CORS) is a mechanism to safely bypass the same-origin policy, that is, it allows a web page to access restricted resources from a server on a domain different than the domain that served the web page. A web page may freely embed cross-origin images, stylesheets, scripts, iframes, and videos. Certain "cross-domain" requests, notably

Ajax Ajax may refer to: Greek mythology and tragedy * Ajax the Great, a Greek mythological hero, son of King Telamon and Periboea * Ajax the Lesser, a Greek mythological hero, son of Oileus, the king of Locris * Ajax (play), ''Ajax'' (play), by the an ...

requests, are forbidden by default by the same-origin security policy. CORS defines a way in which a browser and server can interact to determine whether it is safe to allow the cross-origin request. It allows for more freedom and functionality than purely same-origin requests, but is more secure than simply allowing all cross-origin requests. The specification for CORS is included as part of the WHATWG's Fetch Living Standard. This specification describes how CORS is currently implemented in browsers. An earlier specification was published as a

W3C The World Wide Web Consortium (W3C) is the main international standards organization for the World Wide Web. Founded in 1994 by Tim Berners-Lee, the consortium is made up of member organizations that maintain full-time staff working together in ...

Recommendation.

Technical overview

Flowchart_showing_Simple_and_Preflight_XHR

For HTTP requests made from JavaScript that can't be made by using a <form> tag pointing to another domain or containing non-safelisted headers, the specification mandates that browsers "preflight" the request, soliciting supported methods from the server with an HTTP OPTIONS request method, and then, upon "approval" from the server, sending the actual request with the actual HTTP request method. Servers can also notify clients whether "credentials" (including Cookies and HTTP Authentication data) should be sent with requests.

Simple request example

Suppose a user visits http://www.example.com and the page attempts a cross-origin request to fetch data from http://service.example.com. A CORS-compatible browser will attempt to make a cross-origin request to service.example.com as follows. # The browser sends the GET request with an extra Origin

HTTP header HTTP header fields are a list of strings sent and received by both the client program and server on every HTTP request and response. These headers are usually invisible to the end-user and are only processed or logged by the server and client ...

to service.example.com containing the domain that served the parent page:

Origin: http://www.example.com

# The server at service.example.com sends one of these three responses: #* The requested data along with an Access-Control-Allow-Origin (ACAO) header in its response indicating the requests from the origin are allowed. For example in this case it should be:

Access-Control-Allow-Origin: http://www.example.com

#* The requested data along with an Access-Control-Allow-Origin (ACAO) header with a wildcard indicating that the requests from all domains are allowed:

Access-Control-Allow-Origin: *

#* An error page if the server does not allow a cross-origin request A wildcard same-origin policy is appropriate when a page or API response is intended to be accessible to any code on any site. A freely available web font on a public hosting service like

Google Fonts Google Fonts (formerly known as Google Web Fonts) is a computer font and web font service owned by Google. This includes Free-software license, free and open source font families, an interactive web directory for browsing the library, and Applica ...

is an example. The value of "*" is special in that it does not allow requests to supply credentials, meaning that it does not allow HTTP authentication, client-side SSL certificates, or cookies to be sent in the cross-domain request. Note that in the CORS architecture, the Access-Control-Allow-Origin header is being set by the external web service (''service.example.com''), not the original web application server (''www.example.com''). Here, ''service.example.com'' uses CORS to permit the browser to authorize ''www.example.com'' to make requests to ''service.example.com''. If a site specifies the header "Access-Control-Allow-Credentials:true", third-party sites may be able to carry out privileged actions and retrieve sensitive information.

Preflight example

When performing certain types of cross-domain Ajax requests, modern browsers that support CORS will initiate an extra "preflight" request to determine whether they have permission to perform the action. Cross-origin requests are preflighted this way because they may have implications to user data.

OPTIONS /
Host: service.example.com
Origin: http://www.example.com
Access-Control-Request-Method: PUT

If service.example.com is willing to accept the action, it may respond with the following headers:

Access-Control-Allow-Origin: http://www.example.com
Access-Control-Allow-Methods: PUT

The browser will then make the actual request. If service.example.com does not accept cross-site requests from this origin then it will respond with error to the OPTIONS request and the browser will not make the actual request.

Headers

The HTTP headers that relate to CORS are:

Request headers

*Origin *Host *Access-Control-Request-Method *Access-Control-Request-Headers

Response headers

*Access-Control-Allow-Origin *Access-Control-Allow-Credentials *Access-Control-Expose-Headers *Access-Control-Max-Age *Access-Control-Allow-Methods *Access-Control-Allow-Headers

Browser support

CORS is supported by all browsers based on the following layout engines: * Blink- and

Chromium Chromium is a chemical element; it has Symbol (chemistry), symbol Cr and atomic number 24. It is the first element in Group 6 element, group 6. It is a steely-grey, Luster (mineralogy), lustrous, hard, and brittle transition metal. Chromium ...

-based browsers ( Chrome 28+,

Opera Opera is a form of History of theatre#European theatre, Western theatre in which music is a fundamental component and dramatic roles are taken by Singing, singers. Such a "work" (the literal translation of the Italian word "opera") is typically ...

15+, Amazon Silk, Android's 4.4+ WebView and Qt's WebEngine) *

Gecko Geckos are small, mostly carnivorous lizards that have a wide distribution, found on every continent except Antarctica. Belonging to the infraorder Gekkota, geckos are found in warm climates. They range from . Geckos are unique among lizards ...

1.9.1 (Firefox 3.5, SeaMonkey 2.0) and above. * MSHTML/Trident 6.0 (Internet Explorer 10) has native support. MSHTML/Trident 4.0 & 5.0 (Internet Explorer 8 & 9) provide partial support via the XDomainRequest object. * Presto-based browsers (Opera) implement CORS as of

12.00 and Opera Mobile 12, but not Opera Mini. *

WebKit WebKit is a browser engine primarily used in Apple's Safari web browser, as well as all web browsers on iOS and iPadOS. WebKit is also used by the PlayStation consoles starting with the PS3, the Tizen mobile operating systems, the Amazon K ...

(Initial revision uncertain, Safari 4 and above, Google Chrome 3 and above, possibly earlier). *

Microsoft Edge Microsoft Edge is a Proprietary Software, proprietary cross-platform software, cross-platform web browser created by Microsoft and based on the Chromium (web browser), Chromium open-source project, superseding Edge Legacy. In Windows 11, Edge ...

All versions.

History

Cross-origin support was originally proposed by Matt Oshry, Brad Porter, and Michael Bodell of

Tellme Networks Tellme Networks, Inc. was an American company founded in 1999 by Mike McCue and Angus Davis, which specialized in telephone-based applications. Its headquarters were in Mountain View, California. Tellme Networks was acquired by Microsoft on Mar ...

in March 2004 for inclusion in

VoiceXML VoiceXML (VXML) is a digital document standard for specifying interactive media and voice dialogs between humans and computers. It is used for developing audio and voice response applications, such as banking systems and automated customer service ...

2.1 to allow safe cross-origin data requests by VoiceXML browsers. The mechanism was deemed general in nature and not specific to VoiceXML and was subsequently separated into an implementation NOTE. The WebApps Working Group of the W3C with participation from the major browser vendors began to formalize the NOTE into a W3C Working Draft on track toward formal

W3C Recommendation The World Wide Web Consortium (W3C) is the main international standards organization for the World Wide Web. Founded in 1994 by Tim Berners-Lee, the consortium is made up of member organizations that maintain full-time staff working together in ...

status. In May 2006 the first W3C Working Draft was submitted. In March 2009 the draft was renamed to "Cross-Origin Resource Sharing" and in January 2014 it was accepted as a W3C Recommendation.

CORS vs JSONP

CORS can be used as a modern alternative to the JSONP pattern. The benefits of CORS are: * While JSONP supports only the GET request method, CORS also supports other types of HTTP requests. * CORS enables a web programmer to use regular XMLHttpRequest, which supports better error handling than JSONP. * While JSONP can cause cross-site scripting (XSS) issues when the external site is compromised, CORS allows websites to manually parse responses to increase security. The main advantage of JSONP was its ability to work on legacy browsers which predate CORS support ( Opera Mini and Internet Explorer 9 and earlier). CORS is now supported by most modern web browsers.

References

External links

Fetch Living Standard
(the current specification for CORS)
Setting CORS on Apache with correct response headers allowing everything through

* ttp://www.html5rocks.com/en/tutorials/cors/ ''HTML5 Rocks'' explains how CORS works in detail
Online CORS misconfiguration scanner
{{Web interfaces Ajax (programming) World Wide Web Consortium standards