Understanding Cross-Origin Resource Sharing (CORS)
This content is an AI-generated summary. If you encounter any misinformation or problematic content, please report it to cyb.hub@proton.me.
Cross-Origin Resource Sharing (CORS) is a security feature implemented by web browsers to allow or restrict web applications from making requests to a domain different from the one that served the web page. It is defined by HTTP headers that specify how resources can be requested from different origins.
Key Points
- CORS enables servers to declare exceptions to the Same-Origin Policy (SOP).
- CORS operates through a set of HTTP headers sent by the server in response to a browser request.
- CORS is crucial for securing web applications and ensuring that resources are accessed only by trusted origins.
Different HTTP Headers Involved in CORS
- Access-Control-Allow-Origin: Specifies which origins are permitted to access the resource.
- Access-Control-Allow-Methods: Specifies the methods allowed when accessing the resource.
- Access-Control-Allow-Headers: Specifies the headers that can be used when making the actual request.
- Access-Control-Max-Age: Indicates how long the results of a preflight request can be cached.
- Access-Control-Allow-Credentials: Indicates whether the response to the request can be exposed when the credentials flag is true.
Common Scenarios
- APIs and Web Services: Ensuring secure data exchange between different domains.
- CDNs: Allowing content delivery networks to serve resources from different origins.
- Web Fonts: Loading fonts from external sources.
- Third-Party Plugins: Integrating plugins from different domains.
- Multi-Domain User Authentication: Managing user authentication across multiple domains.
Two Primary Types of Requests
Simple Requests
A request is considered simple if it uses the GET, HEAD, or POST method, and a POST request's Content-Type header is one of:
- application/x-www-form-urlencoded
- multipart/form-data
- text/plain
Preflight Requests
These are CORS requests that the browser "preflights" with an OPTIONS request before sending the actual request, to ensure that the server is willing to accept the request based on its CORS policy.
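The simple-versus-preflight distinction above, and the preflight exchange itself, as an added worked example in JavaScript (this is illustrative code written for this page, not from MDN or any library). It classifies a request the way a browser does (method plus the CORS-safelisted headers and the three simple Content-Type values), then builds the server's OPTIONS response from a constructed policy; the allowlisted origin `https://app.example.com`, the method and header lists, and the 403 status for a rejected preflight are assumptions chosen for the example.

```javascript
// Added example: classify a cross-origin request as "simple" or preflight-requiring,
// and produce the server side of the OPTIONS preflight exchange.
// The policy values below are constructed for illustration.

const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);
// Request headers a browser may send without a preflight (simplified to the
// four commonly listed CORS-safelisted request headers).
const SAFELISTED_HEADERS = new Set([
  "accept", "accept-language", "content-language", "content-type",
]);

// Returns true when the browser would send the request directly (no OPTIONS first).
function isSimpleRequest(method, headers) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return false;
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lower)) return false; // custom header forces a preflight
    if (lower === "content-type") {
      // Drop parameters such as "; charset=utf-8" before comparing the media type.
      const mediaType = value.split(";")[0].trim().toLowerCase();
      if (!SIMPLE_CONTENT_TYPES.has(mediaType)) return false; // e.g. application/json
    }
  }
  return true;
}

// Constructed server policy: exact origins, permitted methods and headers, cache lifetime.
const POLICY = {
  allowedOrigins: new Set(["https://app.example.com"]),
  allowedMethods: ["GET", "POST", "PUT"],
  allowedHeaders: ["content-type", "authorization"],
  maxAgeSeconds: 600,
};

// Server handling of a preflight. Inputs are the Origin, Access-Control-Request-Method
// and Access-Control-Request-Headers values the browser sends on the OPTIONS request.
// Returns the status and CORS headers; an untrusted origin or disallowed method/header
// gets no CORS headers at all, so the browser blocks the actual request.
function preflightResponse(origin, requestMethod, requestHeaders, policy = POLICY) {
  const reject = { status: 403, headers: {} };
  if (!policy.allowedOrigins.has(origin)) return reject;
  if (!policy.allowedMethods.includes(requestMethod.toUpperCase())) return reject;
  const requested = requestHeaders
    ? requestHeaders.split(",").map((h) => h.trim().toLowerCase()).filter(Boolean)
    : [];
  if (!requested.every((h) => policy.allowedHeaders.includes(h))) return reject;
  return {
    status: 204,
    headers: {
      "Access-Control-Allow-Origin": origin,
      "Access-Control-Allow-Methods": policy.allowedMethods.join(", "),
      "Access-Control-Allow-Headers": policy.allowedHeaders.join(", "),
      "Access-Control-Max-Age": String(policy.maxAgeSeconds),
      // The response depends on Origin, so shared caches must key on it.
      "Vary": "Origin",
    },
  };
}

// Usage: a JSON POST is not simple, so the browser preflights it first.
isSimpleRequest("POST", { "Content-Type": "application/json" }); // false
preflightResponse("https://app.example.com", "POST", "content-type").status; // 204
```

Because Access-Control-Max-Age lets the browser cache the preflight result, a policy change does not reach clients until that cache expires, which is why the example keeps the value short.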
Common Misconfigurations
- Null Origin Misconfiguration: When a server accepts requests from the "null" origin.
- Bad Regex in Origin Checking: For example, if domains starting with example.com are allowed, an attacker could use example.com.attacker123.com.
- Trusting Arbitrary Supplied Origin: Accepting any origin without proper validation.
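The three misconfigurations listed above, each shown as a small origin check beside the exact-match allowlist check that avoids all of them, as an added example in JavaScript (illustrative code written for this page, not from the original summary or any framework). The trusted origins `https://example.com` and `https://app.example.com` are constructed; the test origins reuse the "null" and example.com.attacker123.com values already named on the page.

```javascript
// Added example: weak origin checks versus an exact-match allowlist.
// Trusted origins are constructed for illustration.
const TRUSTED_ORIGINS = new Set(["https://example.com", "https://app.example.com"]);

// Mistake: trusting the arbitrary supplied Origin by reflecting it back unchanged.
function reflectAnyOrigin(origin) {
  return origin; // every origin, trusted or not, ends up in Access-Control-Allow-Origin
}

// Mistake: a regex with no end anchor, so anything that *starts with* the trusted
// host matches, including https://example.com.attacker123.com.
function looseRegexCheck(origin) {
  return /^https:\/\/example\.com/.test(origin) ? origin : null;
}

// Mistake: accepting the literal "null" origin (sent e.g. by sandboxed iframes),
// which any page can obtain.
function acceptsNullOrigin(origin) {
  return origin === "null" || TRUSTED_ORIGINS.has(origin) ? origin : null;
}

// Hardened check: parse the Origin, normalise it to scheme://host[:port], and
// require an exact match against the allowlist. "null" and unparsable values fail.
function allowedOrigin(origin) {
  if (typeof origin !== "string" || origin === "null") return null;
  let parsed;
  try {
    parsed = new URL(origin);
  } catch {
    return null; // not a valid origin at all
  }
  const normalised = parsed.origin; // drops default ports, paths, userinfo
  return TRUSTED_ORIGINS.has(normalised) ? normalised : null;
}

// Response headers for a credentialed CORS response. Returns an empty object for an
// untrusted origin, so no Access-Control-Allow-Origin header is emitted at all.
function corsHeaders(origin) {
  const allowed = allowedOrigin(origin);
  if (!allowed) return {};
  return {
    "Access-Control-Allow-Origin": allowed,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin", // per-origin responses must not be shared by caches
  };
}

// Usage: the loose regex accepts the look-alike domain, the allowlist does not.
looseRegexCheck("https://example.com.attacker123.com"); // reflected
allowedOrigin("https://example.com.attacker123.com"); // null
```

Note that when Access-Control-Allow-Credentials is true the browser refuses a wildcard Access-Control-Allow-Origin, which is what tempts servers into reflecting the supplied origin; an explicit allowlist is the correct way to satisfy that rule.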
Learn More
For more detailed information on CORS and its implementation, refer to the MDN Web Docs on CORS.