Cross Origin Resource Sharing

Overview[1]

Cross Origin Resource Sharing (CORS) is a protocol that enables scripts running on a browser client to interact with resources from a different Web Origin (origin).

Cross Origin Resource Sharing is useful because, under the Same Origin Policy followed by XMLHttpRequest and the Fetch API, JavaScript can only make calls to URLs that live on the same Web Origin as the location where the script is running. For example, if a JavaScript app wishes to make an AJAX call to an API running on a different DNS Domain, the Same Origin Policy blocks it from doing so.

Cross Origin Resource Sharing is a mechanism that uses additional HTTP Header Fields to tell a browser to let a web application running at one Web Origin have permission to access selected resources from a server at a different Web Origin.

If such an API is used on http://example.org resources, a resource on http://hello-world.example can opt in using the mechanism described by the Cross Origin Resource Sharing specification (e.g., specifying Access-Control-Allow-Origin: http://example.org as a response header), which would allow that resource to be fetched cross-origin from http://example.org.

Another example is a React SPA that makes calls to an API backend running on a different DNS Domain. Web fonts also rely on CORS to work.

The Cross Origin Resource Sharing specification from the W3C has been updated by the Fetch API from WHATWG.
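The opt-in described above can be modelled as the decision a browser makes before letting a script read a cross-origin response. This is an added example, not code from this page or from any browser; it follows the CORS check of the Fetch standard, and the function names and the sample URLs and headers are constructed for illustration.

```javascript
// Added example: a model of the browser-side decision, not a browser implementation.

// Serialize a URL to its Web Origin (scheme, host, port), e.g. "http://example.org".
function originOf(url) {
  return new URL(url).origin;
}

// Same Origin Policy test: scheme, host and port must all match.
function isSameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// CORS check: does the response opt in to being shared with the page's origin?
// credentialsMode mirrors fetch()'s "omit" | "same-origin" | "include".
function corsCheck(pageUrl, responseHeaders, credentialsMode = "same-origin") {
  // Header field names are case-insensitive; values are compared byte for byte.
  const headers = new Map(
    Object.entries(responseHeaders).map(([k, v]) => [k.toLowerCase(), v])
  );
  const allowOrigin = headers.get("access-control-allow-origin");
  if (allowOrigin === undefined) return false;            // no opt-in at all
  // The wildcard is honoured only for requests made without credentials.
  if (credentialsMode !== "include" && allowOrigin === "*") return true;
  if (allowOrigin !== originOf(pageUrl)) return false;    // must equal the serialized origin
  if (credentialsMode !== "include") return true;
  // Credentialed requests additionally need an explicit, exact "true".
  return headers.get("access-control-allow-credentials") === "true";
}

// Overall decision for a script on pageUrl reading a response from resourceUrl.
function canReadResponse(pageUrl, resourceUrl, responseHeaders, credentialsMode) {
  if (isSameOrigin(pageUrl, resourceUrl)) return true;
  return corsCheck(pageUrl, responseHeaders, credentialsMode);
}

// Constructed sample input, using the origins from the text above.
const page = "http://example.org/app.html";
const api = "http://hello-world.example/data";
console.log(canReadResponse(page, api, {}));
console.log(canReadResponse(page, api, { "Access-Control-Allow-Origin": "http://example.org" }));
console.log(canReadResponse(page, api, { "Access-Control-Allow-Origin": "*" }, "include"));
```

A server that needs credentialed cross-origin access therefore has to echo one specific allowed origin and send Access-Control-Allow-Credentials: true; the wildcard cannot be combined with credentials.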
