0 Shares 4280 Views

A technical introduction to CORS (Cross-Origin Resource Sharing)

Nowadays, malicious hackers attempt to violate the elements of privacy and accessibility, which are the integrity of information security, by taking advantage of security vulnerabilities in web-based systems.

However, there is a method for those who want to share resources between different origins, and it’s called CORS (Cross-Origin Resource Sharing)

What is CORS (Cross-Origin Resource Sharing)?

CORS is a mechanism that allows resources sharing between the origin, the provider, and requester servers. This determines the access permissions of the client origin by the source provider. As a result, the specified access permissions information is also sent to the browser.

These resources are shared with HTTP Request, HTTP Response, and HTTP methods on a different inbound web browser.

Normally, according to SOP, resources cannot be exchanged between websites with different origins. This is where CORS makes our work easier.

Now in order to understand CORS, I will first explain the concept of ‘the Same Origin Policy (SOP)’.

1) Same-Origin Policy

For the sake of web security, browsers generally do not allow resources sharing between different origins.

The SOP, which is developed to ensure web security, is a set of rules that allow data exchange of the content of the web page in the origins of the same domain.

If the user of a website wants to access the content of the other website, they must be in the same origin.

What are the requirements for being on the same origin?

In order to be in the same origin; the domain, the protocol type, and port number should be checked as indicated in the table below.

If the port number, protocol type, and domain are the same, these resources are of the same origin.

Domain :

www.medianova.com

Protocol number :

HTTP or HTTPS

Port number:

80/443

The 4 properties given in the table below show that the sources are in a different origin.

Different Domain Origin

www.deneme.com

www.medianova.com

Different Subdomain Origin

www.medianova.com

www.abc.medianova.com

Different Port

www.medianova.com:80

www.medianova.com:443

Different Protocol

https://medianova.com

https://medianova.com

2) What is the purpose of SOP?

It provides access to resources that are only in the same origin in the browser, eliminating the permission of the attacker to access critical information, such as HTTP session data.

3) CORS (Cross-Origin Resource Sharing)

CORS, the Originals Resource Sharing, allows HTTP requests for sharing resources (Cookie, DOM, Storage, -and Javascript Namespace) that have two different domain addresses on browsers. This is the standard developed by W3C, which makes operations quick and easy.

CORS chooses whether or not origin requests are made.

There are two different request types. These are:

a) Simple Request

The simple request is the request type that contains Content Type information in response to requesting the use of GET, POST, HEAD methods in client CORS request.

Thanks to the response sent from the server, the allowed origin information is kept in the ında Access Control Allow Origin Control header.

b) Preflight Request

In this type of request, the client makes a preliminary request using methods such as GET, POST, HEAD, and OPTIONS.

4) HTTP Methods

  • POST
  • GET
  • HEAD

CORS is supported by almost all browsers.

While SOP does not allow two different origin resources to be protected from security vulnerabilities, CORS helps us as an option in this case.

5) Features of CORS

CORS protects users’ session data according to SOP.

CORS is more free and functional than SOP.

CORS is not a safety feature compared to SOP.

CORS is a method that allows HTTP requests while SOP is sharing resources between different websites, but prevents HTTP response information from reading.

As a result, we agree that SOP rules are more stringent than CORS!

6) How CORS Works:
CORS how it works

  • Suppose that you need the trial.js file in the abc.com domain at xyz.com domain.
  • Let’s assume that the user has made an HTTP request to the xyz.com domain using the GET method.
  • xyz.com sends the HTTP response to the client.
  • When the browser receives the response, it requests the trial.js file in the abc.com domain.
  • abc.com sends the trial.js file to the client. Specifies the access permission for originals in the Access-Control-Allow-Origin field in the HTTP Response Header.

Two different responses can be returned in Access Control Allow Origin. These are :

a)If it is “*” in Access-Control-Allow-Origin:

Permits all originals.

b) If it is “xyz.com” Access-Control-Allow-Origin:

Allows only ’xyz.com’ origin.

7) HTTP Header

The HTTP Header is grouped by its contents.

We can list the HTTP header information associated with CORS as follows.

4.1) Request Header

It is the header containing the request information made by the client with the HTTP protocol on the browsers.

  • Origin: Holds the URL address information that the client requests for CORS.

     Origin: https://www.medianova.com

  • Access-Control Request Method: Saves the information if the GET, POST, HEAD, OPTIONS methods are used or not.

Access-Control Request Method: GET

  • Access Control Request Headers: Keeps the custom header information of the client. In this way, the server requests preflight requests for which HTTP headers to use.

4.2) Response Header

The header that contains the HTTP response information that the client receives from the server on the browser.

  • Access Control Allow Origin
  • Access Control Allow Credentials
  • Access Control Expose Headers
  • Access Control Max Age
  • Access Control Allow Method

8) Which Browsers support CORS?

Bellow, you can find the list of browsers and versions are supported by CORS.

cross-origin resource sharing

To get more technical support, make sure to get in touch with our team through support@medianova.com or call our support team on +90 212 275 5456 for more information about our services.

Free trial CDN

You may be interested

The Ultimate CDN (Content Delivery Network) Guide
CDN
3871 views
CDN
3871 views

The Ultimate CDN (Content Delivery Network) Guide

Nadia Benslimane - August 3, 2020

The Ultimate CDN Guide- Everything About Content Delivery Network You probably know what CDN (Content Delivery Network) stands for. You may also be aware of its full definition,…

The Essential CDN Glossary
CDN
8933 views
CDN
8933 views

The Essential CDN Glossary

Nadia Benslimane - November 21, 2019

Why Have We Decided To Create a CDN Glossary? Whether you are new to the world of CDN, or have been involved in it for years, there…

How CDN Providers are Meeting Surging OTT Demand in 2021
Uncategorized
70 views
Uncategorized
70 views

How CDN Providers are Meeting Surging OTT Demand in 2021

Tushar Sonal - May 10, 2021

The OTT, or Over-the-Top video content is a trend that’s been growing phenomenally over the last few years.  According to a study by the Allied Market Research,…

The State of Software-Defined Storage In 2021
Technology
188 views
Technology
188 views

The State of Software-Defined Storage In 2021

Tushar Sonal - April 22, 2021

Today, companies of all sizes are looking to invest in setting up state of art data architecture, to manage the end to end enterprise data workflow -…

Why Having a Great Place To Work Is Important In The Digital Era
HR
170 views
HR
170 views

Why Having a Great Place To Work Is Important In The Digital Era

Tushar Sonal - April 19, 2021

Having a Great Place To Work In The Digital Era The Covid19 pandemic has turned businesses all over the world upside down. The normal business environment, and…

Most from this category