In other words, CORS allows a web application running on www.site1.com to securely access restricted resources on www.site2.com.
How CORS worksThe CORS standard describes a set of HTTP headers that provide browsers with a way to request different origins only when they have permission to do so. Although the server can perform some validation and authorization, it is the browser’s responsibility to process these CORS headers and to comply with the restrictions that they impose.
For some requests (other than GET and HEAD methods), the browser may request permission from the server by sending a special "preflight" request before sending the actual request. Preflight requests are made by sending an HTTP OPTIONS request with special HTTP headers that contain the origin server address and the actual request method.
The server may send a response and indicate that the origin (https://reqbin.com), request method (POST) and request headers (content-type) are acceptable.
If the server indicates that the request is acceptable, the browser sends the actual request to the server.
And the server response.
Servers may also notify clients whether "credentials" (Cookies and HTTP Authentication data) should be sent with requests.
CORS Request Headers
- Origin: indicates the origin server name (the script was loaded from).
- Access-Control-Request-Method: the actual HTTP request method.
- Access-Control-Request-Headers: the actual HTTP request headers that will be used.
CORS Response Headers
- Access-Control-Allow-Origin: specifies the origin server that can access the resource or "*".
- Access-Control-Allow-Credentials: indicates whether the actual request can be made using credentials.
- Access-Control-Expose-Headers: lists of the headers that browsers are allowed to access.
- Access-Control-Max-Age: specifies for how long the response of a preflight request can be cached (in seconds).
- Access-Control-Allow-Methods: list of allowed methods for accessing the resource.
- Access-Control-Allow-Headers: specifies HTTP headers that can be used for the actual request.
ConclusionCORS protects thin web fabric. You can use the CORS mechanism by adding the necessary Access-Control- * headers to the server response. Using CORS is the decision of the site owners, and it is controlled by the configuration of the webserver and your server code.
CORS is supported by most modern web browsers. As more app code moves to the client, the need for CORS only grows.