
CORS

Update: December 2022

Description

CORS stands for Cross-Origin Resource Sharing. CORS can be described as a mechanism allowing applications to load resources from a third party with an external domain. For example, it allows a client application hosted on a server with the domain example.com to load resources from, and interact with, another application running under the domain ABC.com. A set of headers defines from which origins the browser is allowed to load resources for a given domain.

Why?

CORS introduces itself as a more flexible alternative to the Same-Origin Policy, which was too restrictive for modern web applications. A few years ago, it was not possible for web applications to make cross-domain requests and thus to load resources from a third party. Web applications were restricted to loading resources from services running under the same domain, port and protocol. Nowadays, the complexity of web applications makes cross-origin resource sharing inevitable, since most web application features rely on the integration of third-party components or external APIs.

Headers

The CORS mechanism is associated with a set of headers that the browser uses to determine which domains can legitimately access the cross-domain resources.

An example is the best way to illustrate the role played by each header.

A server can allow every origin domain to access its resources. However, an analogy would be to give your home key to everyone. Most of the time, only a few services from trusted domains are granted access to resources on a third-party server.
