CORS
Cross-Origin Resource Sharing (CORS) is a browser-enforced mechanism that lets a server relax the same-origin policy so that pages served from other origins can read its responses.
By default, script running in a browser (JavaScript on a web page, for example) can read responses only from its own origin, where an origin is the combination of scheme, host and port. With CORS, the server states which other origins may read its resources, and the browser enforces that statement on the client side.
Here are the CORS response headers a server can return to make that possible.
CORS Header | Purpose
---|---
Access-Control-Allow-Origin | Names the single origin that may read the response, or the wildcard `*` for any origin. The header does not accept a comma-separated list; to trust several origins, the server compares the request's `Origin` header against its allow-list and echoes back only an exact match (adding `Vary: Origin` so caches keep the variants apart).
Access-Control-Max-Age | Specifies how long, in seconds, the browser may cache the result of a preflight request.
Access-Control-Allow-Methods | Returned in the preflight response; contains a comma-separated list of HTTP methods allowed in the actual request.
Access-Control-Allow-Headers | Returned in the preflight response; contains a comma-separated list of request headers allowed in the actual request.
Access-Control-Allow-Credentials | Set to `true` to let the browser send cookies or HTTP authentication with the request and expose the response. It requires a specific origin in `Access-Control-Allow-Origin`; browsers reject `*` for credentialed requests.
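The following is an added example, not code from the original page: a framework-agnostic server-side helper that produces the CORS response headers from the table above for one incoming request, using an explicit origin allow-list. The origins, methods, headers and max-age below are constructed for illustration; the function names are this example's own.

```javascript
// Added example (not from the original page): server-side CORS header
// generation with an explicit origin allow-list. All origins, methods and
// header names below are constructed for illustration.

// Origins the server trusts. An origin is scheme + host + port and is compared
// as an exact string, so "https://app.example.com.evil.net" does not match.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com:8443",
]);
const ALLOWED_METHODS = ["GET", "POST", "PUT", "DELETE"];
const ALLOWED_HEADERS = ["Content-Type", "Authorization"];
const PREFLIGHT_MAX_AGE_SECONDS = 600;

// Case-insensitive header lookup on a plain request-header object.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  const key = Object.keys(headers).find((k) => k.toLowerCase() === wanted);
  return key === undefined ? undefined : headers[key];
}

// Returns { status, headers } for one request. `headers` holds only the CORS
// headers to add; the caller merges them into its normal response.
function corsResponseHeaders(method, requestHeaders) {
  const out = {};
  const origin = getHeader(requestHeaders, "Origin");

  // No Origin header: same-origin page or non-browser client, nothing to add.
  if (origin === undefined) return { status: 200, headers: out };

  // Never reflect an arbitrary Origin. Only an exact allow-list match gets
  // Access-Control-Allow-Origin, and the value is that one origin, never a list.
  // A disallowed origin simply gets no CORS headers; the browser then withholds
  // the response from the page's script.
  if (!ALLOWED_ORIGINS.has(origin)) return { status: 200, headers: out };

  out["Access-Control-Allow-Origin"] = origin;
  // The response now depends on the Origin header, so caches must key on it.
  out["Vary"] = "Origin";
  // Safe only because the origin above is specific; browsers reject "*" here.
  out["Access-Control-Allow-Credentials"] = "true";

  const requestedMethod = getHeader(requestHeaders, "Access-Control-Request-Method");
  const isPreflight = method === "OPTIONS" && requestedMethod !== undefined;
  if (!isPreflight) return { status: 200, headers: out };

  // Preflight: advertise the allowed methods and headers and let the browser
  // cache the answer; refuse outright if the requested method is not allowed.
  if (!ALLOWED_METHODS.includes(requestedMethod.toUpperCase())) {
    return { status: 403, headers: {} };
  }
  out["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
  out["Access-Control-Allow-Headers"] = ALLOWED_HEADERS.join(", ");
  out["Access-Control-Max-Age"] = String(PREFLIGHT_MAX_AGE_SECONDS);
  return { status: 204, headers: out };
}
```

The two design choices worth copying are exact-match origin comparison (a `startsWith` or regex check is how origin-reflection bugs usually enter) and emitting `Access-Control-Allow-Credentials: true` only on the branch where a specific origin has already been selected.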
Example
A client application is served by server A, which is where resource X comes from. The application then makes an HTTP request to get resource Y from server B. For the browser to hand that response to the application, server B must return an Access-Control-Allow-Origin header whose value is the origin of server A (or `*`, if the request carries no credentials). Otherwise the browser discards the response and the script sees a CORS error.
Note that the request itself still reaches server B and is processed there; CORS only governs whether the browser lets the script read the result. It is therefore not a substitute for server-side authentication or CSRF protection on server B.
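The check described in this example, as an added illustration that is not part of the original page: the decision a browser makes on server B's response before exposing it to a script running on server A's origin, following the CORS-check rules of the Fetch standard. The origins and response headers below are constructed for illustration.

```javascript
// Added example (not from the original page): the browser-side CORS check
// applied to a response. Origins and headers are constructed for illustration.

// Decide whether a script running at `requestOrigin` may read a response.
//   requestOrigin   origin of the page making the request (server A)
//   withCredentials true if cookies or HTTP auth were sent (credentials: "include")
//   responseHeaders headers returned by server B, in any casing
// Returns { ok, reason }.
function corsCheck(requestOrigin, withCredentials, responseHeaders) {
  const lower = {};
  for (const [k, v] of Object.entries(responseHeaders)) lower[k.toLowerCase()] = v;
  const allowOrigin = lower["access-control-allow-origin"];

  // No header at all: the response arrived, but the script gets a network error.
  if (allowOrigin === undefined) {
    return { ok: false, reason: "missing Access-Control-Allow-Origin" };
  }
  // The header holds exactly one origin or "*". Anything else, including a
  // comma-separated list, fails the exact comparison.
  if (allowOrigin !== "*" && allowOrigin !== requestOrigin) {
    return { ok: false, reason: `origin ${requestOrigin} does not match ${allowOrigin}` };
  }
  if (withCredentials) {
    // With credentials the wildcard is not accepted...
    if (allowOrigin === "*") {
      return { ok: false, reason: "wildcard origin not allowed with credentials" };
    }
    // ...and Access-Control-Allow-Credentials must be exactly "true".
    if (lower["access-control-allow-credentials"] !== "true") {
      return { ok: false, reason: 'Access-Control-Allow-Credentials is not "true"' };
    }
  }
  return { ok: true, reason: "" };
}

// The scenario from the text: a page served by A asks B for resource Y.
const ORIGIN_A = "https://a.example";

// Server B without CORS configured: B answers, but the browser refuses to
// expose the body to A's script.
const responseWithoutCors = { "Content-Type": "application/json" };

// Server B configured for A.
const responseForA = {
  "Content-Type": "application/json",
  "Access-Control-Allow-Origin": "https://a.example",
  "Vary": "Origin",
};

// Runs the three variants of the example and returns their outcomes.
function runScenario() {
  return {
    unconfigured: corsCheck(ORIGIN_A, false, responseWithoutCors),
    configured: corsCheck(ORIGIN_A, false, responseForA),
    // Sending cookies additionally requires B to opt in with Allow-Credentials.
    configuredWithCookies: corsCheck(ORIGIN_A, true, responseForA),
  };
}
```

Running `runScenario()` shows the three outcomes side by side: the unconfigured server fails, the configured server succeeds for a plain request, and the same configured server still fails once the request carries credentials, because `Access-Control-Allow-Credentials: true` is missing.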