VIDEOS 1 TO 50
Michael Neale - CORS: Cross-domain requests with JavaScript
Published: 2013/11/20
Channel: webdirections
Cross origin resource sharing ASP NET Web API
Published: 2016/09/22
Channel: kudvenkat
CORS
Published: 2015/11/14
Channel: Adam Zerner
HTML5 Security Part 3/3 - CORS
Published: 2015/05/14
Channel: AppCheck NG
Cross Site HTTP Requests
Published: 2014/07/23
Channel: life michael
Cross-origin resource sharing
Published: 2014/07/30
Channel: Audiopedia
CSRF Introduction and what is the Same-Origin Policy? - web 0x04
Published: 2016/09/23
Channel: LiveOverflow
Exploiting Insecure Cross Origin Resource Sharing ( CORS ) | api.artsy.net
Published: 2017/07/08
Channel: Muhammad Khizer Javed
CORS - Cross Origin Resource Sharing in SAP NetWeaver Cloud
Published: 2013/02/11
Channel: Chris Paine
Access-Control-Allow-Origin error resolution
Published: 2017/01/10
Channel: hemant govekar
How to Solve Javascript Cross Domain
Published: 2016/12/08
Channel: LearnEDU
CORS access control allow origin [SOLVED]
Published: 2017/06/24
Channel: Code Bandit
Gergely Revay - Security Implications of Cross-Origin Resource Sharing
Published: 2014/07/02
Channel: OWASP
23 Cross Origin Resource Sharing (CORS) Why do we need it and how do we do it
Published: 2017/03/31
Channel: Noths Tech
2 minute solution for local Cross Origin Requests problem
Published: 2014/08/12
Channel: Gaur Associates
CORS headers for AWS API Gateway
Published: 2016/05/16
Channel: Čedomir Đošić
Hacks XMLHttpRequest over CORS - Allow-Control-Allow-Origin: *
Published: 2015/12/22
Channel: MoreMeng
How To: Solve a Cross-Origin Resource Sharing Issue with Apigee
Published: 2012/09/05
Channel: apigee
CORS | Laravel + Angular 2 / Vue.js 2
Published: 2017/01/16
Channel: Academind
Working with the Fetch API
Published: 2017/04/26
Channel: Google Chrome Developers
CORS-SpringBoot-Angular
Published: 2017/06/06
Channel: Hitesh Bargujar
OCI Tech Lunch: Cross-Origin Resource Sharing (CORS)
Published: 2017/02/24
Channel: OCI
Spring Boot CORS Cross domain requests with jQuery JavaScript
Published: 2017/08/30
Channel: BASE Logic
14 Curso de Angular 2: Aplicación Full-Stack.- Cross-origin resource sharing (CORS)
Published: 2016/12/13
Channel: Código Fuente
Cross-origin resource sharing (CORS) com PHP e HTML
Published: 2016/10/29
Channel: Carlos Moraes
CORS Laravel + Angular 2 Vue js 2
Published: 2017/04/03
Channel: TuteMaster
ASP.NET Web API and Cross-Origin Resource Sharing (CORS) Support - EPC Group
Published: 2013/03/26
Channel: EPC Group.net
ASP NET Core - Web API - Enabling and Configuring CORS = Cross Origin Resource Sharing
Published: 2017/05/08
Channel: Michal Ziobro
Developer Ep. 4: CORS with Amazon S3 Bucket
Published: 2015/05/07
Channel: What I Learned Today – Atomic Jolt
cors -toss the feathers
Published: 2007/06/08
Channel: esbind
Calling ASP NET Web API service in a cross domain using jQuery ajax
Published: 2016/09/22
Channel: kudvenkat
James Kettle - Exploiting CORS Misconfigurations for Bitcoins and Bounties - AppSecUSA 2016
Published: 2016/11/13
Channel: OWASP
How To Make Cross Domain Request In jQuery
Published: 2014/05/23
Channel: Network Group
Solving "Access-Control-Allow-Origin" in localhost NodeJS + Express
Published: 2015/08/04
Channel: Clint Gh
How to enable CORS on Apache Tomcat?
Published: 2017/01/30
Channel: Tech Nep
Making sense of CORS using web.py
Published: 2015/10/16
Channel: Next Day Video
CORS - Compartilhando Recursos
Published: 2017/04/13
Channel: O programador
295P XSS CORS
Published: 2016/04/12
Channel: Marc Goodman
How To Use Cross-Origin Resource Sharing with AT&T API Platform
Published: 2015/05/04
Channel: AT&T Developer Program
119.Enabling Cross Origin Requests for a RESTful Web Service_PART1
Published: 2017/09/23
Channel: KK JavaTutorials
BSides Columbus03 Cross Origin Resource Sharing Kung fu Aditya Balapure
Published: 2017/01/16
Channel: Adrian Crenshaw
Entenda sobre CORS - Cross Origin Resource Sharing
Published: 2017/08/05
Channel: DevPleno
How to enable CORS in Laravel 5
Published: 2017/04/20
Channel: CSoft Labs
Rails API: Setting up Cors - [003]
Published: 2017/02/02
Channel: Codemy School
Cross-origin resource sharing Top # 7 Facts
Published: 2015/10/29
Channel: Ganesha Jignesh
No Access-Control-Allow-Origin - CORS header Access-Control-Allow-Origin missing
Published: 2017/06/12
Channel: Angularjs Examples
How to enable CORS in Azure CDN
Published: 2017/02/22
Channel: Venkataratnam Rayavarapu
CORS Cross Domain Origin Sharing on Atlassian Subdoamin
Published: 2017/09/30
Channel: SQLi Basic
IBM Streams V4.1 REST API support for Cross-Origin Resource Sharing (CORS)
Published: 2015/12/15
Channel: IBM Analytics
(Eps 18) Spring OAuth - Enable CORS
Published: 2015/12/07
Channel: ArtiVisi Intermedia

WIKIPEDIA ARTICLE

From Wikipedia, the free encyclopedia

Cross-origin resource sharing (CORS) is a mechanism that allows restricted resources (e.g. fonts) on a web page to be requested from another domain outside the domain from which the first resource was served.[1] A web page may freely embed cross-origin images, stylesheets, scripts, iframes, and videos.[2] Certain "cross-domain" requests, notably Ajax requests, are forbidden by default by the same-origin security policy.

CORS defines a way in which a browser and server can interact to determine whether or not it is safe to allow the cross-origin request.[3] It allows for more freedom and functionality than purely same-origin requests, but is more secure than simply allowing all cross-origin requests. The specification for CORS was originally published as a W3C Recommendation[4] but that document is obsolete.[5] The current actively-maintained specification that defines CORS is the Fetch Living Standard.[6]

How CORS works

The CORS standard describes new HTTP headers which provide browsers and servers a way to request remote URLs only when they have permission. Although some validation and authorization can be performed by the server, it is generally the browser's responsibility to support these headers and honor the restrictions they impose.

For Ajax and HTTP request methods that can modify data (usually HTTP methods other than GET, or for POST usage with certain MIME types), the specification mandates that browsers "preflight" the request, soliciting supported methods from the server with an HTTP OPTIONS request method, and then, upon "approval" from the server, sending the actual request with the actual HTTP request method. Servers can also notify clients whether "credentials" (including Cookies and HTTP Authentication data) should be sent with requests.[7]

[Figure: flowchart showing simple and preflight XHR]

Simple example

This is generally not appropriate when using the same-origin security policy. When a CORS-compatible browser attempts to make a cross-origin request:

  1. The browser sends the OPTIONS request with an Origin HTTP header. The value of this header is the domain that served the parent page. When a page from http://www.example.com attempts to access a user's data in service.example.com, the following request header would be sent to service.example.com:
    Origin: http://www.example.com
    
  2. The server at service.example.com may respond with:
    • An Access-Control-Allow-Origin (ACAO) header in its response indicating which origin sites are allowed. For example:
      Access-Control-Allow-Origin: http://www.example.com
      
    • An error page if the server does not allow the cross-origin request
    • An Access-Control-Allow-Origin (ACAO) header with a wildcard that allows all domains:
      Access-Control-Allow-Origin: *
      

A wildcard Access-Control-Allow-Origin policy is appropriate when a page or API response is considered completely public content and is intended to be accessible to everyone, including any code on any site, for example a freely available web font on a public hosting service like Google Fonts.

A wildcard Access-Control-Allow-Origin policy is also widely and appropriately used in the object-capability model, where pages have unguessable URLs and are meant to be accessible to anyone who knows the secret.

The value "*" is special in that it does not allow requests to supply credentials, meaning HTTP authentication or client-side SSL certificates, nor does it allow cookies to be sent.[8]

Note that in the CORS architecture, the ACAO header is being set by the external web service (service.example.com), not the original web application server (www.example.com). CORS allows the external web service to authorise the web application to use its services and does not control external services accessed by the web application. For the latter, Content Security Policy should be used (connect-src directive)...

Preflight example

When performing certain types of cross-domain Ajax requests, modern browsers that support CORS will insert an extra "preflight" request to determine whether they have permission to perform the action.

OPTIONS /
Host: service.example.com
Origin: http://www.example.com

If service.example.com is willing to accept the action, it may respond with the following headers:

Access-Control-Allow-Origin: http://www.example.com
Access-Control-Allow-Methods: PUT, DELETE
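
The exchanges in the simple and preflight examples above, seen from the server side, as an added example that is not part of the original article: a decision function for service.example.com that matches the Origin header against an exact allowlist, reserves the wildcard for public content without credentials, and answers preflights. The names corsDecision, ALLOWED_ORIGINS and PUBLIC_PATHS, the sample font path and the 600-second max age are assumptions.

```javascript
// Assumed policy for service.example.com (all names and values are illustrative).
const ALLOWED_ORIGINS = new Set(['http://www.example.com']);
const ALLOWED_METHODS = ['PUT', 'DELETE'];
const ALLOWED_HEADERS = ['content-type'];
const PUBLIC_PATHS = new Set(['/fonts/open.woff2']); // constructed: fully public content

// req = { method, path, headers } with lower-cased header names.
// Returns the CORS response headers and whether the request was a preflight.
function corsDecision(req) {
  const origin = req.headers['origin'];
  const out = { preflight: false, allowed: false, headers: {} };
  if (origin === undefined) return out; // no Origin header: CORS does not apply

  if (PUBLIC_PATHS.has(req.path)) {
    // Wildcard only for public content, and never with Allow-Credentials.
    out.allowed = true;
    out.headers['Access-Control-Allow-Origin'] = '*';
    return out;
  }

  // The answer depends on Origin, so shared caches must key on it.
  out.headers['Vary'] = 'Origin';
  // Exact string match: no prefix, suffix or regex tests on the origin.
  if (!ALLOWED_ORIGINS.has(origin)) return out; // no ACAO: the browser blocks the read

  out.allowed = true;
  out.headers['Access-Control-Allow-Origin'] = origin;
  out.headers['Access-Control-Allow-Credentials'] = 'true';

  const wantMethod = req.headers['access-control-request-method'];
  if (req.method === 'OPTIONS' && wantMethod !== undefined) {
    out.preflight = true;
    const wantHeaders = (req.headers['access-control-request-headers'] || '')
      .split(',').map(h => h.trim().toLowerCase()).filter(Boolean);
    const ok = ALLOWED_METHODS.includes(wantMethod) &&
      wantHeaders.every(h => ALLOWED_HEADERS.includes(h));
    if (!ok) {
      // Refuse the preflight: strip every Access-Control-* header again.
      out.allowed = false;
      out.headers = { Vary: 'Origin' };
      return out;
    }
    out.headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
    out.headers['Access-Control-Allow-Headers'] = ALLOWED_HEADERS.join(', ');
    out.headers['Access-Control-Max-Age'] = '600';
  }
  return out;
}
```

An origin such as http://www.example.com.other.test fails the exact match and receives no Access-Control-Allow-Origin header, which is the case a substring or prefix comparison would get wrong.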

Headers

The HTTP headers that relate to CORS are:

Request headers

  • Origin
  • Access-Control-Request-Method
  • Access-Control-Request-Headers

Response headers

  • Access-Control-Allow-Origin
  • Access-Control-Allow-Credentials
  • Access-Control-Expose-Headers
  • Access-Control-Max-Age
  • Access-Control-Allow-Methods
  • Access-Control-Allow-Headers

Browser support

CORS is supported by all browsers based on the following layout engines:


The following browsers are also noteworthy in their lack of CORS support:

  • Camino does not implement CORS in the 2.0.x release series because these versions are based on Gecko 1.9.0.[19]
  • As of version 0.10.2, Arora exposes WebKit's CORS-related APIs, but attempted cross-origin requests will fail.[20]

History

Cross-origin support was originally proposed by Matt Oshry, Brad Porter, and Michael Bodell of Tellme Networks in March 2004 for inclusion in VoiceXML 2.1[21] to allow safe cross-origin data requests by VoiceXML browsers. The mechanism was deemed general in nature and not specific to VoiceXML and was subsequently separated into an implementation NOTE.[22] The WebApps Working Group of the W3C with participation from the major browser vendors began to formalize the NOTE into a W3C Working Draft on track toward formal W3C Recommendation status.

In May 2006 the first W3C Working Draft was submitted.[23] In March 2009 the draft was renamed to "Cross-Origin Resource Sharing"[24] and in January 2014 it was accepted as a W3C Recommendation.[25]

CORS vs JSONP

CORS can be used as a modern alternative to the JSONP pattern. While JSONP supports only the GET request method, CORS also supports other types of HTTP requests. Using CORS enables a web programmer to use regular XMLHttpRequest, which supports better error handling than JSONP. On the other hand, JSONP works on legacy browsers which predate CORS support. CORS is supported by most modern web browsers. Also, while JSONP can cause cross-site scripting (XSS) issues when the external site is compromised, CORS allows websites to manually parse responses to ensure security.[3][26]


References

  1. Arun Ranganathan (2009-07-06). "cross-site xmlhttprequest with CORS". Mozilla Hacks – the Web developer blog. Hacks.mozilla.org. Retrieved 2012-07-05.
  2. "Same-origin policy / Cross-origin network access". MDN.
  3. "Cross-domain Ajax with Cross-Origin Resource Sharing". NCZOnline. Retrieved 2012-07-05.
  4. "Cross-Origin Resource Sharing".
  5. "WebAppSec Working Group Minutes".
  6. "Fetch Living Standard".
  7. "cross-site xmlhttprequest with CORS". Mozilla. Retrieved 2012-09-05.
  8. "Cross-Origin Resource Sharing". W3.org. Retrieved 2014-04-12.
  9. "Blink". QuirksBlog. April 2013. Retrieved 4 April 2013.
  10. "Google going its own way, forking WebKit rendering engine". Ars Technica. April 2013. Retrieved 4 April 2013.
  11. "HTTP access control (CORS) - MDN". Developer.mozilla.org. Retrieved 2012-07-05.
  12. "Gecko - MDN". Developer.mozilla.org. 2012-06-08. Retrieved 2012-07-05.
  13. "What makes Camino Special". Retrieved 2013-02-20.
  14. Tony Ross, Program Manager, Internet Explorer (2012-02-09). "CORS for XHR in IE10". MSDN. Retrieved 2012-12-14.
  15. David Honneffer, Documentation Specialist (2012-06-14). "12.00 for UNIX Changelog". Opera. Retrieved 2012-07-05.
  16. David Honneffer, Documentation Specialist (2012-04-23). "Opera Software: Web specifications support in Opera Presto 2.10". Opera.com. Retrieved 2012-07-05.
  17. "59940: Apple Safari WebKit Cross-Origin Resource Sharing Bypass". Osvdb.org. Retrieved 2012-07-05.
  18. "Microsoft Edge developer's guide".
  19. "HTTP Access Control in Camino • mozillaZine Forums". Forums-test.mozillazine.org. Retrieved 2012-07-05.
  20. "Issue 904 - arora - Arora providing API for CORS (Cross-Origin Resource Sharing) but fails in actual use - Cross Platform WebKit Browser - Google Project Hosting". Code.google.com. 2010-09-04. Retrieved 2012-07-05.
  21. "Voice Extensible Markup Language (VoiceXML) 2.1". W3.org. 2004-03-23. Retrieved 2012-07-05.
  22. "Authorizing Read Access to XML Content Using the <?access-control?> Processing Instruction 1.0". W3.org. Retrieved 2012-07-05.
  23. "Authorizing Read Access to XML Content Using the <?access-control?> Processing Instruction 1.0 W3C - Working Draft 17 May 2006". W3.org. Retrieved 17 August 2015.
  24. "Cross-Origin Resource Sharing - W3C Working Draft 17 March 2009". W3.org. Retrieved 17 August 2015.
  25. "Cross-Origin Resource Sharing - W3C Recommendation 16 January 2014". W3.org. Retrieved 17 August 2015.
  26. "When can I use... Cross Origin Resource Sharing". caniuse.com. Retrieved 2012-07-12.


Wikipedia content is licensed under the GFDL and (CC) license