Web Security Web Security

Cross-Origin Resource Sharing (CORS)

Learning Paths:
Check out a free preview of the full Web Security course:
The "Cross-Origin Resource Sharing (CORS)" Lesson is part of the full, Web Security course featured in this preview video. Here's what you'd learn in this lesson:

Mike reviews Cross-Origin Resource Sharing, which allows servers a mechanism for restricting resources requested from another site hosted outside the domain from which the first resource was served.

Get Unlimited Access Now

Transcript from the "Cross-Origin Resource Sharing (CORS)" Lesson

>> Mike North: So that's a second best practice. A third best practice is to set your CORS headers properly. So CORS stands for cross-origin resource sharing, and this is what basically permits browsers to allow you to send a request from one domain to another, from one origin to another. It involves, often times, what is called an options preflight request.

[00:00:27] So think of it as, if you're a web browser, if you're a modern browser, you basically send a low overhead small request to the server saying I am planning on asking you for data in a moment. I'm planning on passing these headers along when I ask you for data and I'm going to use this http verb post.

[00:00:48] So that's this first section of headers here. And that request it has no body. It's just headers. It's like a head request. When that response comes back, basically, the server would say, yes, I see you're coming from the following origin, foo.example. And I allow not only the post request you're thinking about making but the following other types of requests.

[00:01:14] It absolutely fine to send me the authorization and the content type headers that you mentioned before. And, by the way, you don't have to ask me again for a while. Is that an hour and seconds? Anyway, you don't have to ask me for a while, for that period of time, however much time that is to.

[00:01:33] You kind of, remember this and follow my instructions for the time being and just go ahead and make your requests. And then finally the browser can say, okay I've verified this. Now I'm gonna actually initiate the main request. All of this happens within the browser's internals. It is not something that your app sees or has control over but if you're making a cross-origin request you may see these options preflight happen.