MSH

What is Cross-Origin Resource Sharing?

Published on
Last updated on

Have you ever encountered mysterious CORS errors while trying to fetch data from another website? You're not alone! Let's break down what CORS is and how it works.

CORS (Cross-Origin Resource Sharing)

CORS is a crucial security feature built into web browsers that controls how web pages can request resources from different domains, protocols, or ports.

For example, imagine your JavaScript code running on https://mohammadshehadeh.com tries to fetch data from https://api.another-service.com. Without proper CORS configuration, this request would be blocked by the browser.

Understanding Origin

An origin consists of three key components:

  • Protocol (e.g., http:// or https://)
  • Domain name (e.g., mohammadshehadeh.com)
  • Port number (e.g., 80 or 443)

Let's look at some practical examples:

Same Origin Examples

These URLs share the same origin:

1https://mohammadshehadeh.com/about 2https://mohammadshehadeh.com/api/cors

Even these are considered same origin (port 80 is implicit for HTTP):

1http://mohammadshehadeh.com 2http://mohammadshehadeh.com:80

Different Origin Examples

These URLs have different origins:

Different protocols:

1https://mohammadshehadeh.com 2http://mohammadshehadeh.com

Different domains:

1https://mohammadshehadeh.com 2https://api.mohammadshehadeh.com

Different ports:

1https://mohammadshehadeh.com 2https://mohammadshehadeh.com:8080

When Does CORS Apply?

CORS comes into play for various types of requests:

  • fetch() API calls
  • XMLHttpRequest requests
  • Web Fonts (using @font-face)
  • WebGL textures (images or pixel data applied to 3D objects to enhance their appearance)
  • Images/video frames drawn to a canvas using drawImage()

Understanding Preflight Requests

Before making certain types of requests, browsers automatically send a "preflight" request using the OPTIONS HTTP method. Think of it as a permission slip that checks if the actual request is allowed.

Key Preflight Headers

Request Headers:

1OPTIONS /api/data HTTP/1.1 2Origin: https://mohammadshehadeh.com/api/cors 3Access-Control-Request-Method: POST 4Access-Control-Request-Headers: Content-Type

Server Response Headers:

1HTTP/1.1 200 OK 2Access-Control-Allow-Origin: https://mohammadshehadeh.com 3Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS 4Access-Control-Allow-Headers: Content-Type, Authorization

Working with Credentials

When you need to include cookies or authentication headers with your requests, you'll need special CORS configuration:

1fetch('https://mohammadshehadeh.com/api/cors', { 2 credentials: 'include', // Includes cookies 3});

Required Server Headers:

1Access-Control-Allow-Origin: https://mohammadshehadeh.com 2Access-Control-Allow-Credentials: true
Watch out

When using credentials, Access-Control-Allow-Origin cannot be set to * and must specify the exact origin.

Best Practices

Only allow trusted websites in your CORS config:

1const allowedSites = ['https://trusted-site.com']; 2if (allowedSites.includes(request.origin)) { 3 // Allow the request 4}

References

GET IN TOUCH

Let's work together

I build exceptional and accessible digital experiences for the web

WRITE AN EMAIL

or reach out directly at hello@mohammadshehadeh.com