Definition

Cross-origin resource sharing (CORS) is a standard for accessing web resources on different domains. CORS allows web scripts to interact more openly with content outside of the original domain, leading to better integration between web services.

Graphic for CROS by MaxCDN.

Overview

To prevent websites from tampering with each other, web browsers implement a security measure known as the same-origin policy. The same-origin policy lets resources (such as JavaScript) interact with resources from the same domain, but not with resources from a different domain. This provides security for the user by preventing abuse, such as running a script that reads the password field on a secure website.

In cases where cross-domain scripting is desired, CORS allows web developers to work around the same-origin policy. CORS adds HTTP headers which instruct web browsers on how to use and manage cross-domain content. The browser then allows or denies access to the content based on its security configuration.

How CORS Works

When a browser executes a script that references a resource on another domain, it requests the content directly from the second domain. The second domain determines whether or not to serve the content by validating the first domain, which is included as part of the request. The second domain then returns either the content or an error message back to the browser, bypassing the first domain entirely.

Step-by-step, here’s how CORS works:

  1. A user opens a resource on a webpage which references another domain. This is usually a JavaScript file, but can include fonts and CSS resources.
  2. The user’s browser creates a connection to the second domain, adding an “Origin” HTTP header to the request which contains the first domain.
  3. The second domain replies with an “Access-Control-Allow-Origin” HTTP header which lists the domains allowed to make CORS requests. A wildcard (“*”) allows all domains to make requests.
  4. If the first domain is allowed to make the request, the second domain responds with the requested content.

The Access-Control-Allow-Origin header is defined in the second domain’s server configuration. If the header doesn’t contain wildcards and the first domain isn’t explicitly included, the browser displays an error message.

Example of CORS

CORS is an essential feature of online storage services such as Amazon S3. Service providers configure S3 to allow CORS requests from their website’s domain. When a user accesses the website and runs the script, their browser makes a request to S3. Since S3 is configured to allow the domain, the request is completed and the content is delivered to the browser.

More complicated cross-domain requests use “preflighting” to validate a request before the request is actually performed. Preflighted requests include custom HTTP headers which help the server determine whether or not a request is valid. Preflighted requests help service providers better protect sensitive information from users who might abuse CORS requests.

Benefits of CORS

CORS makes it easier for service providers to distribute content to users while adding interoperability to online services.

  • Users and enterprises experience greater interoperability between services, allowing otherwise independent web services to cooperate and share resources.
  • Enterprises experience easier and more efficient resource management, distributing web content across services in different domains.

Conclusion

Hackers are always looking for ways to undermine the security of the web. As of 2007, cross-site scripting, one of the most popular ways of bypassing the same origin policy, accounted for 84% of all security vulnerabilities documented by Symantec. CORS gives service providers the freedom to interconnect web services without making their users vulnerable to attack.

CORS makes it easy for web services to quickly and easily integrate without exposing their users.