Cross-Origin Resource Sharing

Cross-Origin Resource Sharing (CORS) is a mechanism that allows web browsers and other web clients to make cross-origin requests. Requests of this type are normally forbidden by the same-origin policy (SOP). CORS is a compromise in favor of greater flexibility on the Internet that still aims to keep security as high as possible.

Operation

The restrictions imposed by the SOP can be lifted for specific clients by the server to which the request is sent.

For a request from a web page, for example http://foo.example, to a server in a different domain, e.g. http://bar.example, to succeed, the server must permit the access through appropriate HTTP headers in its response. When the server sends the following header, it allows requests from pages of the named server, and a cross-origin request from there succeeds. Requests from other servers fail because of the SOP.

HTTP header of the server (for example):

Other Access-Control-* headers can further restrict access and thereby increase security, protecting the server from unauthorized requests.
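The server-side decision described above, as an added example that is not part of the original article: it computes the response headers http://bar.example would send so that only pages from http://foo.example may read the response. The names `ALLOWED_ORIGINS`, `ALLOWED_METHODS` and `corsHeaders` are hypothetical, and the sample requests are constructed.

```javascript
// Added example: CORS response headers for a server at http://bar.example.
// ALLOWED_ORIGINS, ALLOWED_METHODS and corsHeaders() are hypothetical names.
const ALLOWED_ORIGINS = new Set(["http://foo.example"]);
const ALLOWED_METHODS = ["GET", "POST"];

// Returns the CORS headers for one request, or {} when access is not
// granted (the browser then refuses to expose the response to the page).
// requestHeaders uses lower-case header names.
function corsHeaders(method, requestHeaders) {
  const origin = requestHeaders["origin"];
  // Exact match on scheme + host + port; no prefix, suffix or regex tests.
  if (typeof origin !== "string" || !ALLOWED_ORIGINS.has(origin)) {
    return {};
  }
  const headers = {
    "Access-Control-Allow-Origin": origin,
    // The response differs per Origin, so shared caches must key on it.
    "Vary": "Origin",
  };
  // Preflight: an OPTIONS request announcing the method the page wants to use.
  const wanted = requestHeaders["access-control-request-method"];
  if (method === "OPTIONS" && wanted !== undefined) {
    if (!ALLOWED_METHODS.includes(wanted)) {
      return {};
    }
    headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
  }
  return headers;
}

// Constructed sample requests: one allowed origin, one look-alike origin,
// the opaque "null" origin, and a preflight for a method that is not allowed.
const samples = [
  ["GET", { origin: "http://foo.example" }],
  ["GET", { origin: "http://foo.example.other.example" }],
  ["GET", { origin: "null" }],
  ["OPTIONS", { origin: "http://foo.example",
                "access-control-request-method": "DELETE" }],
];
for (const [method, hdrs] of samples) {
  console.log(method, hdrs.origin, "->",
              JSON.stringify(corsHeaders(method, hdrs)));
}
```

Only the first sample receives `Access-Control-Allow-Origin`; the other three get no CORS headers, so the browser applies the SOP as usual.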

Browser Support

CORS is supported by the following rendering engines:

  • Gecko 1.9.1 (Mozilla Firefox 3.5, SeaMonkey 2.0)
  • WebKit (Safari 4, Google Chrome 3)
  • MSHTML/Trident 4.0 (Internet Explorer 8 provides partial support through the XDomainRequest object; Internet Explorer 10 then supports CORS through XMLHttpRequest)
  • Presto 2.10.232 (Opera 12)

CORS vs. JSONP

CORS can be used as an alternative to JSONP. While JSONP supports only GET requests, CORS also supports other HTTP requests. With CORS, web developers can use normal XMLHttpRequests, which offer better error handling than JSONP. On the other hand, JSONP is also supported by browsers that do not offer CORS support.
