0 Shares 2741 Views

A technical introduction to CORS (Cross-Origin Resource Sharing)

Nowadays, malicious hackers attempt to violate the elements of privacy and accessibility, which are the integrity of information security, by taking advantage of security vulnerabilities in web-based systems.

However, there is a method for those who want to share resources between different origins, and it’s called CORS (Cross-Origin Resource Sharing)

What is CORS (Cross-Origin Resource Sharing)?

CORS is a mechanism that allows resources sharing between the origin, the provider, and requester servers. This determines the access permissions of the client origin by the source provider. As a result, the specified access permissions information is also sent to the browser.

These resources are shared with HTTP Request, HTTP Response, and HTTP methods on a different inbound web browser.

Normally, according to SOP, resources cannot be exchanged between websites with different origins. This is where CORS makes our work easier.

Now in order to understand CORS, I will first explain the concept of ‘the Same Origin Policy (SOP)’.

1) Same-Origin Policy

For the sake of web security, browsers generally do not allow resources sharing between different origins.

The SOP, which is developed to ensure web security, is a set of rules that allow data exchange of the content of the web page in the origins of the same domain.

If the user of a website wants to access the content of the other website, they must be in the same origin.

What are the requirements for being on the same origin?

In order to be in the same origin; the domain, the protocol type, and port number should be checked as indicated in the table below.

If the port number, protocol type, and domain are the same, these resources are of the same origin.

Domain :

www.medianova.com

Protocol number :

HTTP or HTTPS

Port number:

80/443

The 4 properties given in the table below show that the sources are in a different origin.

Different Domain Origin

www.deneme.com

www.medianova.com

Different Subdomain Origin

www.medianova.com

www.abc.medianova.com

Different Port

www.medianova.com:80

www.medianova.com:443

Different Protocol

https://medianova.com

https://medianova.com

2) What is the purpose of SOP?

It provides access to resources that are only in the same origin in the browser, eliminating the permission of the attacker to access critical information, such as HTTP session data.

3) CORS (Cross-Origin Resource Sharing)

CORS, the Originals Resource Sharing, allows HTTP requests for sharing resources (Cookie, DOM, Storage, -and Javascript Namespace) that have two different domain addresses on browsers. This is the standard developed by W3C, which makes operations quick and easy.

CORS chooses whether or not origin requests are made.

There are two different request types. These are:

a) Simple Request

The simple request is the request type that contains Content Type information in response to requesting the use of GET, POST, HEAD methods in client CORS request.

Thanks to the response sent from the server, the allowed origin information is kept in the ında Access Control Allow Origin Control header.

b) Preflight Request

In this type of request, the client makes a preliminary request using methods such as GET, POST, HEAD, and OPTIONS.

4) HTTP Methods

  • POST
  • GET
  • HEAD

CORS is supported by almost all browsers.

While SOP does not allow two different origin resources to be protected from security vulnerabilities, CORS helps us as an option in this case.

5) Features of CORS

CORS protects users’ session data according to SOP.

CORS is more free and functional than SOP.

CORS is not a safety feature compared to SOP.

CORS is a method that allows HTTP requests while SOP is sharing resources between different websites, but prevents HTTP response information from reading.

As a result, we agree that SOP rules are more stringent than CORS!

6) How CORS Works:
CORS how it works

  • Suppose that you need the trial.js file in the abc.com domain at xyz.com domain.
  • Let’s assume that the user has made an HTTP request to the xyz.com domain using the GET method.
  • xyz.com sends the HTTP response to the client.
  • When the browser receives the response, it requests the trial.js file in the abc.com domain.
  • abc.com sends the trial.js file to the client. Specifies the access permission for originals in the Access-Control-Allow-Origin field in the HTTP Response Header.

Two different responses can be returned in Access Control Allow Origin. These are :

a)If it is “*” in Access-Control-Allow-Origin:

Permits all originals.

b) If it is “xyz.com” Access-Control-Allow-Origin:

Allows only ’xyz.com’ origin.

7) HTTP Header

The HTTP Header is grouped by its contents.

We can list the HTTP header information associated with CORS as follows.

4.1) Request Header

It is the header containing the request information made by the client with the HTTP protocol on the browsers.

  • Origin: Holds the URL address information that the client requests for CORS.

     Origin: https://www.medianova.com

  • Access-Control Request Method: Saves the information if the GET, POST, HEAD, OPTIONS methods are used or not.

Access-Control Request Method: GET

  • Access Control Request Headers: Keeps the custom header information of the client. In this way, the server requests preflight requests for which HTTP headers to use.

4.2) Response Header

The header that contains the HTTP response information that the client receives from the server on the browser.

  • Access Control Allow Origin
  • Access Control Allow Credentials
  • Access Control Expose Headers
  • Access Control Max Age
  • Access Control Allow Method

8) Which Browsers support CORS?

Bellow, you can find the list of browsers and versions are supported by CORS.

cross-origin resource sharing

To get more technical support, make sure to get in touch with our team through support@medianova.com or call our support team on +90 212 275 5456 for more information about our services.

Free trial CDN

You may be interested

The Ultimate CDN (Content Delivery Network) Guide
CDN
1649 views
CDN
1649 views

The Ultimate CDN (Content Delivery Network) Guide

Nadia Benslimane - August 3, 2020

The Ultimate CDN Guide- Everything About CDN You probably know what CDN (Content Delivery Network) stands for. You may also be aware of its full definition, but…

The Essential CDN Glossary
CDN
7943 views
CDN
7943 views

The Essential CDN Glossary

Nadia Benslimane - November 21, 2019

Why Have We Decided To Create a CDN Glossary? Whether you are new to the world of CDN, or have been involved in it for years, there…

E-commerce API Caching And Mobile Apps (Why You Need API Caching)
CDN
93 views
CDN
93 views

E-commerce API Caching And Mobile Apps (Why You Need API Caching)

Tushar Sonal - September 18, 2020

E-commerce API Caching And Mobile Apps Nowadays, it is typical for e-commerce platforms to use several different APIs to deliver wide-ranging functionality to their visitors. Application Programming…

The Right Way To Build Your Own CDN: Getting Started
CDN
220 views
CDN
220 views

The Right Way To Build Your Own CDN: Getting Started

Tushar Sonal - September 7, 2020

Here Is The Right Way To Build Your Own CDN Today, users expect fast and seamless website experiences. The performance needs to be superb and smooth. Businesses…

Medianova’s new PoP has been activated in Riyadh- Saudi Arabia
CDN
294 views
CDN
294 views

Medianova’s new PoP has been activated in Riyadh- Saudi Arabia

Nadia Benslimane - September 4, 2020

Medianova’s launched a new PoP  Saudi Arabia and Here is What You Need To Know Already present in [cgv countries] countries, Medianova now puts its footprint in…

Most from this category

The Ultimate CDN (Content Delivery Network) Guide
CDN
1649 views
1649 views

The Ultimate CDN (Content Delivery Network) Guide

Nadia Benslimane - August 3, 2020
The Essential CDN Glossary
CDN
7943 views
7943 views

The Essential CDN Glossary

Nadia Benslimane - November 21, 2019
This is WebP and This How To Use It
CDN
1168 views
1168 views

This is WebP and This How To Use It

Tushar Sonal - August 13, 2020