Site icon Doron Katz

TPM Tech Talk: What is Cross-Origin Resource Sharing (CORS)?

Cross-Origin Resource Sharing (CORS) is a web technology that allows browsers to access resources from different domains in a controlled and secure way. CORS is useful for web applications that need to interact with external services or APIs, such as fetching data, loading fonts, or displaying images. In this article, we will explain how CORS works, what are the benefits and risks of using it, and how to implement it correctly on your web server.

How CORS works

CORS is based on a set of HTTP headers that are exchanged between the browser and the server hosting the cross-origin resource. The browser initiates a CORS request by sending an Origin header that indicates the origin of the web page that is requesting the resource. The server responds with an Access-Control-Allow-Origin header that specifies which origins are allowed to access the resource. If the origin of the web page matches the value of the header, the browser grants access to the resource. Otherwise, the browser blocks the request and throws an error.

There are two types of CORS requests: simple and preflighted. Simple requests are those that use the GET, HEAD, or POST methods, and have no custom headers or content types. Preflighted requests are those that use other methods (such as PUT, DELETE, or PATCH), or have custom headers or content types (such as application/json or text/xml). Preflighted requests require an extra step before the actual request, where the browser sends an OPTIONS request to the server with the Access-Control-Request-Method and Access-Control-Request-Headers headers, asking for permission to perform the actual request. The server responds with the Access-Control-Allow-Methods and Access-Control-Allow-Headers headers, indicating which methods and headers are allowed. If the actual request matches the preflight response, the browser proceeds with the request. Otherwise, the browser aborts the request and throws an error.

Benefits and risks of CORS

CORS is a powerful feature that enables web applications to communicate with external services or APIs, without relying on server-side proxies or JSONP techniques. This can improve the performance, scalability, and security of web applications, as well as provide a better user experience. However, CORS also introduces some potential risks, especially if it is not configured or implemented correctly. Some of the common CORS vulnerabilities are:

How to implement CORS correctly

To implement CORS correctly on your web server, you should follow these best practices:

CORS is a useful and powerful web technology that can enable cross-origin communication between web applications and external services or APIs. However, it also requires careful configuration and implementation to avoid security risks and vulnerabilities. By following the best practices described in this article, you can implement CORS correctly on your web server and enjoy the benefits of CORS without compromising the security of your web application.

Source: Conversation with Bing, 12/30/2023
(1) Cross-Origin Resource Sharing (CORS) – HTTP | MDN. https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS.
(2) Cross-origin resource sharing (CORS) – PortSwigger. https://portswigger.net/web-security/cors.
(3) Cross-origin resource sharing – Wikipedia. https://en.wikipedia.org/wiki/Cross-origin_resource_sharing.
(4) Cross-Origin Resource Sharing – IBM. https://www.ibm.com/docs/en/integration-bus/10.0?topic=overview-cross-origin-resource-sharing.
(5) undefined. https://domain-a.com.
(6) undefined. https://domain-b.com/data.json.

Exit mobile version