0 Shares 4815 Views

A technical introduction to CORS (Cross-Origin Resource Sharing)

Nowadays, malicious hackers attempt to violate the elements of privacy and accessibility, which are the integrity of information security, by taking advantage of security vulnerabilities in web-based systems.

However, there is a method for those who want to share resources between different origins, and it’s called CORS (Cross-Origin Resource Sharing)

What is CORS (Cross-Origin Resource Sharing)?

CORS is a mechanism that allows resources sharing between the origin, the provider, and requester servers. This determines the access permissions of the client origin by the source provider. As a result, the specified access permissions information is also sent to the browser.

These resources are shared with HTTP Request, HTTP Response, and HTTP methods on a different inbound web browser.

Normally, according to SOP, resources cannot be exchanged between websites with different origins. This is where CORS makes our work easier.

Now in order to understand CORS, I will first explain the concept of ‘the Same Origin Policy (SOP)’.

1) Same-Origin Policy

For the sake of web security, browsers generally do not allow resources sharing between different origins.

The SOP, which is developed to ensure web security, is a set of rules that allow data exchange of the content of the web page in the origins of the same domain.

If the user of a website wants to access the content of the other website, they must be in the same origin.

What are the requirements for being on the same origin?

In order to be in the same origin; the domain, the protocol type, and port number should be checked as indicated in the table below.

If the port number, protocol type, and domain are the same, these resources are of the same origin.

Domain :

www.medianova.com

Protocol number :

HTTP or HTTPS

Port number:

80/443

The 4 properties given in the table below show that the sources are in a different origin.

Different Domain Origin

www.deneme.com

www.medianova.com

Different Subdomain Origin

www.medianova.com

www.abc.medianova.com

Different Port

www.medianova.com:80

www.medianova.com:443

Different Protocol

https://medianova.com

https://medianova.com

2) What is the purpose of SOP?

It provides access to resources that are only in the same origin in the browser, eliminating the permission of the attacker to access critical information, such as HTTP session data.

3) CORS (Cross-Origin Resource Sharing)

CORS, the Originals Resource Sharing, allows HTTP requests for sharing resources (Cookie, DOM, Storage, -and Javascript Namespace) that have two different domain addresses on browsers. This is the standard developed by W3C, which makes operations quick and easy.

CORS chooses whether or not origin requests are made.

There are two different request types. These are:

a) Simple Request

The simple request is the request type that contains Content Type information in response to requesting the use of GET, POST, HEAD methods in client CORS request.

Thanks to the response sent from the server, the allowed origin information is kept in the ında Access Control Allow Origin Control header.

b) Preflight Request

In this type of request, the client makes a preliminary request using methods such as GET, POST, HEAD, and OPTIONS.

4) HTTP Methods

  • POST
  • GET
  • HEAD

CORS is supported by almost all browsers.

While SOP does not allow two different origin resources to be protected from security vulnerabilities, CORS helps us as an option in this case.

5) Features of CORS

CORS protects users’ session data according to SOP.

CORS is more free and functional than SOP.

CORS is not a safety feature compared to SOP.

CORS is a method that allows HTTP requests while SOP is sharing resources between different websites, but prevents HTTP response information from reading.

As a result, we agree that SOP rules are more stringent than CORS!

6) How CORS Works:
CORS how it works

  • Suppose that you need the trial.js file in the abc.com domain at xyz.com domain.
  • Let’s assume that the user has made an HTTP request to the xyz.com domain using the GET method.
  • xyz.com sends the HTTP response to the client.
  • When the browser receives the response, it requests the trial.js file in the abc.com domain.
  • abc.com sends the trial.js file to the client. Specifies the access permission for originals in the Access-Control-Allow-Origin field in the HTTP Response Header.

Two different responses can be returned in Access Control Allow Origin. These are :

a)If it is “*” in Access-Control-Allow-Origin:

Permits all originals.

b) If it is “xyz.com” Access-Control-Allow-Origin:

Allows only ’xyz.com’ origin.

7) HTTP Header

The HTTP Header is grouped by its contents.

We can list the HTTP header information associated with CORS as follows.

4.1) Request Header

It is the header containing the request information made by the client with the HTTP protocol on the browsers.

  • Origin: Holds the URL address information that the client requests for CORS.

     Origin: https://www.medianova.com

  • Access-Control Request Method: Saves the information if the GET, POST, HEAD, OPTIONS methods are used or not.

Access-Control Request Method: GET

  • Access Control Request Headers: Keeps the custom header information of the client. In this way, the server requests preflight requests for which HTTP headers to use.

4.2) Response Header

The header that contains the HTTP response information that the client receives from the server on the browser.

  • Access Control Allow Origin
  • Access Control Allow Credentials
  • Access Control Expose Headers
  • Access Control Max Age
  • Access Control Allow Method

8) Which Browsers support CORS?

Bellow, you can find the list of browsers and versions are supported by CORS.

cross-origin resource sharing

To get more technical support, make sure to get in touch with our team through support@medianova.com or call our support team on +90 212 275 5456 for more information about our services.

Free trial CDN

You may be interested

The Ultimate CDN (Content Delivery Network) Guide
CDN
4488 views
CDN
4488 views

The Ultimate CDN (Content Delivery Network) Guide

Nadia Benslimane - August 3, 2020

The Ultimate CDN Guide- Everything About Content Delivery Network You probably know what CDN (Content Delivery Network) stands for. You may also be aware of its full definition,…

The Essential CDN Glossary
CDN
9258 views
CDN
9258 views

The Essential CDN Glossary

Nadia Benslimane - November 21, 2019

Why Have We Decided To Create a CDN Glossary? Whether you are new to the world of CDN, or have been involved in it for years, there…

How CDN supports the Travel and Hospitality Business
CDN
226 views
CDN
226 views

How CDN supports the Travel and Hospitality Business

Tushar Sonal - July 28, 2021

Travel and Hospitality are making big waves, with people thronging to popular tourist spots in droves as the Covid19 recedes. With this shift towards the online sphere,…

A Story About The Battle of Logging
CDN
270 views
CDN
270 views

A Story About The Battle of Logging

Elif Ak - July 12, 2021

Networking and computing systems generate a deluge of logs in seconds. Analyzing these voluminous logs without human interference plays a crucial role in autonomous management. Just as…

AVIF: All You Need To Know About This New Image File Format
New Features
466 views
New Features
466 views

AVIF: All You Need To Know About This New Image File Format

Nilgün Ünsal - June 25, 2021

AVIF: The New Image Format Today, everyone has thousands of pictures on their phones and computers. In e-commerce or fashion sites, this number reaches up to millions.…

Most from this category