
Cross-origin resource sharing (CORS) is a web standard that lets a server declare which other origins may read its resources from a browser, relaxing the same-origin policy for those origins only.

Overview

To prevent websites from tampering with one another, web browsers enforce a security measure known as the same-origin policy. An origin is the combination of scheme, host and port. The policy lets a page's JavaScript read resources from its own origin but not responses from other origins. This protects the user from abuse such as a script on one site reading the password field, or an authenticated page, of another.

Where cross-origin access is wanted, CORS lets web developers relax the same-origin policy for chosen origins. CORS adds HTTP headers through which the server tells the browser which cross-origin requests are permitted and which responses a script may read. The split of responsibility matters: the server declares the policy, but it is the browser that allows or denies the script access to the content.

How CORS Works

When a script on one domain requests a resource on another, the browser sends the request straight to the second domain, without going through the first domain's server. The request carries the first domain's origin, and the second domain's server decides from that whether to include CORS headers in its response. Note that the request itself is usually sent and answered either way: what the CORS headers decide is whether the browser lets the script read the response.

Step-by-step, here’s how CORS works:

  1. A script on a page from the first domain requests a resource on another domain. This is usually a fetch() or XMLHttpRequest call, but web fonts, and scripts, images and stylesheets loaded with the crossorigin attribute, also go through CORS.
  2. The user's browser sends the request to the second domain, adding an Origin HTTP header that contains the first domain's origin (scheme, host and port).
  3. The second domain replies with an Access-Control-Allow-Origin HTTP header. It holds a single origin (normally the requesting origin, echoed back after the server has checked it against its allow-list) or the wildcard "*", which lets any origin read the response but cannot be combined with credentials such as cookies.
  4. If the header matches the first domain's origin, the browser passes the response to the script; otherwise the response is discarded.

The Access-Control-Allow-Origin header is set in the second domain's server configuration. If it is missing, is not "*", and does not exactly match the first domain's origin, the browser blocks the script from reading the response and logs a CORS error in the developer console. Because the header names one origin, a server that serves several origins must compare the incoming Origin against its list and send Vary: Origin so that caches do not return one origin's headers to another.
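The exchange described above, as an added example that is not code from the original article: two server-side policies, an insecure one that reflects whatever Origin arrives and a correct one that checks an explicit allow-list, run through a small model of the browser's check. The origins, the policy function names and the allow-list contents are assumptions made for this example.

```javascript
// Added example, not from the original article. Origins and helper names
// are assumptions; header names are the real CORS headers.

const ALLOWED_ORIGINS = new Set([
  "https://www.example.com",
  "https://app.example.com",
]);

// Insecure: reflects any Origin and also allows credentials, so any site a
// logged-in user visits can read this server's authenticated responses.
function reflectingPolicy(req) {
  const origin = req.headers["origin"];
  if (origin === undefined) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Correct: exact string match against the allow-list (scheme, host and port
// all count), plus Vary: Origin so caches do not serve one origin's headers
// to another. Unknown origins get no Access-Control-* headers at all.
function allowListPolicy(req) {
  const origin = req.headers["origin"];
  if (origin === undefined || !ALLOWED_ORIGINS.has(origin)) {
    return { "Vary": "Origin" };
  }
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Model of the browser-side check: the response is handed to the page's
// script only if Access-Control-Allow-Origin equals the requesting origin,
// or is "*" and the request carried no credentials. A credentialed request
// additionally needs Access-Control-Allow-Credentials: true.
function browserExposesResponse(requestOrigin, withCredentials, responseHeaders) {
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  if (acao === undefined) return false;
  if (acao === "*") return !withCredentials;
  if (acao !== requestOrigin) return false;
  if (withCredentials) {
    return responseHeaders["Access-Control-Allow-Credentials"] === "true";
  }
  return true;
}

// One exchange end to end. The request reaches the server and is answered
// in every case; the policy only decides whether the script may read it.
function crossOriginFetch(policy, requestOrigin, withCredentials) {
  const req = { headers: { origin: requestOrigin } };
  const responseHeaders = policy(req);
  return browserExposesResponse(requestOrigin, withCredentials, responseHeaders);
}

// Constructed scenarios, not captured traffic.
const legit = "https://www.example.com";
const attacker = "https://evil.example.net";
console.log(crossOriginFetch(reflectingPolicy, attacker, true)); // true: data leaks
console.log(crossOriginFetch(allowListPolicy, attacker, true));  // false: blocked
console.log(crossOriginFetch(allowListPolicy, legit, true));     // true
```

The reflecting policy is the mistake to look for in a review: it satisfies every developer's test, because every origin works, and it is precisely that property that hands an attacker's page the user's authenticated data. Note also that a port change is a different origin, so the allow-list comparison must be an exact string match rather than a substring or regular-expression test.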

Example of CORS

CORS is an essential feature of online storage services such as Amazon S3. A service provider adds a CORS configuration to its bucket that allows requests from its website's origin. When a user loads the website and its script requests an object, the browser sends the request to S3 with the website's origin in the Origin header; because the bucket's configuration allows that origin, S3 returns the object with a matching Access-Control-Allow-Origin header and the browser delivers the content to the script. A wildcard in the bucket configuration is reasonable for public assets, but a bucket holding per-user data should list only the origins that need it.

More complicated cross-origin requests use preflighting: before sending the real request, the browser sends an OPTIONS request that announces the intended method (Access-Control-Request-Method) and any non-standard headers (Access-Control-Request-Headers). A preflight is required whenever the request is not "simple", that is, when it uses a method other than GET, HEAD or POST, adds headers outside the safelisted set, or sends a Content-Type other than application/x-www-form-urlencoded, multipart/form-data or text/plain. The server answers with Access-Control-Allow-Methods, Access-Control-Allow-Headers and optionally Access-Control-Max-Age, and only if that answer permits the request does the browser send it. Preflighting protects servers from receiving unexpected state-changing cross-origin requests, such as a PUT or DELETE with a JSON body, from pages that were never allowed to make them.
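The preflight rules above, as an added example that is not code from the original article: a classifier that decides whether a given request triggers a preflight, and a server-side handler for the OPTIONS request. The allow-list, the permitted methods and headers, and the function names are assumptions made for this example; the header names are the real CORS headers.

```javascript
// Added example, not from the original article. POLICY contents and
// function names are assumptions for illustration.

const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);
// Subset of the CORS-safelisted request headers that matters for this check.
const SAFELISTED_HEADERS = new Set([
  "accept", "accept-language", "content-language", "content-type",
]);

// Browser side: does this request need an OPTIONS preflight first?
function needsPreflight(method, headers) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lower)) return true;
    if (lower === "content-type") {
      const mime = value.split(";")[0].trim().toLowerCase();
      if (!SIMPLE_CONTENT_TYPES.has(mime)) return true;
    }
  }
  return false;
}

// Server side: what the preflight is checked against (assumed values).
const POLICY = {
  origins: new Set(["https://app.example.com"]),
  methods: new Set(["GET", "POST", "PUT", "DELETE"]),
  headers: new Set(["content-type", "authorization", "x-request-id"]),
  maxAgeSeconds: 600,
};

// Answer an OPTIONS preflight. Returns { status, headers }. A denied
// preflight carries no Access-Control-* headers and a non-2xx status, so
// the browser fails the real request before it is ever sent.
function handlePreflight(req) {
  const origin = req.headers["origin"];
  const method = (req.headers["access-control-request-method"] || "").toUpperCase();
  const requested = (req.headers["access-control-request-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);

  const originOk = POLICY.origins.has(origin);
  const methodOk = POLICY.methods.has(method);
  const headersOk = requested.every((h) => POLICY.headers.has(h));
  if (!originOk || !methodOk || !headersOk) {
    return { status: 403, headers: { "Vary": "Origin" } };
  }
  return {
    status: 204,
    headers: {
      "Access-Control-Allow-Origin": origin,
      "Access-Control-Allow-Methods": [...POLICY.methods].join(", "),
      // Echo only the headers that were asked for and are permitted.
      "Access-Control-Allow-Headers": requested.join(", "),
      "Access-Control-Max-Age": String(POLICY.maxAgeSeconds),
      "Vary": "Origin",
    },
  };
}

// Constructed preflight for a JSON PUT carrying a custom header.
const preflight = {
  method: "OPTIONS",
  headers: {
    "origin": "https://app.example.com",
    "access-control-request-method": "PUT",
    "access-control-request-headers": "content-type, x-request-id",
  },
};
console.log(needsPreflight("PUT", { "Content-Type": "application/json" })); // true
console.log(handlePreflight(preflight).status); // 204
```

Two points worth noticing: a POST with Content-Type: application/json is not a simple request and will be preflighted, while the same POST as a form is not, which is why form-encoded endpoints need CSRF protection regardless of CORS; and the handler denies on any unknown header rather than silently dropping it, so an extra request header cannot be smuggled past the policy.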

Conclusion

Attackers are always looking for ways to undermine the security of the web. Cross-site scripting (XSS) remains one of the most common ways to sidestep the same-origin policy, since injected script runs with the victim page's own origin; Symantec's figures from 2007 attributed roughly 84% of the security vulnerabilities it had documented to XSS. CORS, used properly, lets web services interconnect with other web services without exposing their users to attack. The qualification matters: an Access-Control-Allow-Origin that reflects any requesting origin together with Access-Control-Allow-Credentials: true gives an attacker's page read access to authenticated responses, so allow-lists should be explicit and wildcards reserved for public data.
