Difference between revisions of "Cross-origin resource sharing"

From Wiki @ Karl Jones dot com
Line 5: Line 5:
 
A web page may freely embed images, stylesheets, scripts, iframes, videos and some plugin content (such as Adobe Flash) from any other domain.  
 
A web page may freely embed images, stylesheets, scripts, iframes, videos and some plugin content (such as Adobe Flash) from any other domain.  
  
However, embedded web fonts and [[AJAX]] requests have traditionally been limited to accessing the same domain as the parent web page (as per the [[same-origin security policy]]).  
+
However, embedded web fonts and [[Ajax (programming)|Ajax] requests have traditionally been limited to accessing the same domain as the parent web page (as per the [[same-origin policy]]).  
  
"Cross-domain" AJAX requests are forbidden by default because of their ability to perform advanced requests (POST, PUT, DELETE and other types of HTTP requests, along with specifying custom HTTP headers) that introduce [[cross-site scripting] security issues.
+
"Cross-domain" Ajax requests are forbidden by default because of their ability to perform advanced requests (POST, PUT, DELETE and other types of HTTP requests, along with specifying custom HTTP headers) that introduce [[cross-site scripting]] security issues.
  
 
CORS defines a way in which a browser and server can interact to safely determine whether or not to allow the cross-origin request.
 
CORS defines a way in which a browser and server can interact to safely determine whether or not to allow the cross-origin request.
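Review bot: The added line that replaces [[AJAX]] closes its piped link with a single bracket, [[Ajax (programming)|Ajax], so the wikitext renders as literal markup instead of a link; it should read [[Ajax (programming)|Ajax]]. The same edit correctly repairs the unclosed [[cross-site scripting] in the next paragraph, which leaves the new Ajax link as the only unbalanced one in this hunk.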
Line 17: Line 17:
 
== See also ==
 
== See also ==
  
 +
* [[Ajax (programming)]]
 +
* [[Cross-site scripting]]
 
* [[JSONP]]
 
* [[JSONP]]
 
* [[Cross-document messaging]]
 
* [[Cross-document messaging]]
 +
* [[Same-origin policy]]
  
 
== External Links ==
 
== External Links ==
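Review bot: The three added See also entries leave the list in no consistent order: [[Cross-document messaging]] still follows [[JSONP]], while the new [[Cross-site scripting]] sits above both. Sorting alphabetically (Ajax (programming), Cross-document messaging, Cross-site scripting, JSONP, Same-origin policy) would make the list easier to scan. The unchanged heading "== External Links ==" is also capitalized differently from "== See also =="; "External links" would match.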

Revision as of 17:30, 24 April 2016

Cross-origin resource sharing (CORS) is a mechanism that allows restricted resources (e.g. fonts, JavaScript, etc.) on a web page to be requested from another domain outside the domain from which the resource originated.

Description

A web page may freely embed images, stylesheets, scripts, iframes, videos and some plugin content (such as Adobe Flash) from any other domain.

However, embedded web fonts and Ajax requests have traditionally been limited to accessing the same domain as the parent web page (as per the same-origin policy).

"Cross-domain" Ajax requests are forbidden by default because of their ability to perform advanced requests (POST, PUT, DELETE and other types of HTTP requests, along with specifying custom HTTP headers) that introduce cross-site scripting security issues.

CORS defines a way in which a browser and server can interact to safely determine whether or not to allow the cross-origin request.

It allows for more freedom and functionality than purely same-origin requests, but is more secure than simply allowing all cross-origin requests.

It is a recommended standard of the W3C.
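
The browser/server interaction described above, seen from the server's side, as an added example that is not part of the original wiki page. The allowlisted origin, methods and header names are constructed values, and `corsDecision` is a hypothetical helper, not an API of any library.

```javascript
// Added example: the server's half of a CORS exchange as a pure function.
// All POLICY values are constructed for illustration.
const POLICY = {
  origins: new Set(["https://app.example.com"]),
  methods: new Set(["GET", "POST", "PUT", "DELETE"]),
  headers: new Set(["content-type", "x-requested-with"]),
  maxAge: 600, // seconds the browser may cache a preflight answer
};

// req is { method, headers } with lower-cased header names.
// Returns { allowed, preflight, headers } for the CORS part of the response.
function corsDecision(req, policy = POLICY) {
  const deny = { allowed: false, preflight: false, headers: { Vary: "Origin" } };
  const origin = req.headers["origin"];
  // No Origin header: not a cross-origin browser request, nothing to add.
  if (!origin) return { allowed: true, preflight: false, headers: {} };
  // Exact-match allowlist. Without an Access-Control-Allow-Origin header the
  // browser withholds the response from the calling script.
  if (!policy.origins.has(origin)) return deny;

  // Echo the single matched origin; Vary keeps caches from mixing origins.
  const headers = { "Access-Control-Allow-Origin": origin, Vary: "Origin" };
  const wantMethod = req.headers["access-control-request-method"];
  const preflight = req.method === "OPTIONS" && wantMethod !== undefined;
  if (!preflight) return { allowed: true, preflight, headers };

  // Preflight: the browser asks first before sending e.g. PUT, DELETE or
  // custom headers, and sends the real request only if the answer permits it.
  const wantHeaders = (req.headers["access-control-request-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  if (!policy.methods.has(wantMethod)) return { ...deny, preflight };
  if (!wantHeaders.every((h) => policy.headers.has(h))) return { ...deny, preflight };

  headers["Access-Control-Allow-Methods"] = [...policy.methods].join(", ");
  headers["Access-Control-Allow-Headers"] = wantHeaders.join(", ");
  headers["Access-Control-Max-Age"] = String(policy.maxAge);
  return { allowed: true, preflight, headers };
}

// Constructed sample: preflight for a cross-origin DELETE with a JSON body.
const samplePreflight = {
  method: "OPTIONS",
  headers: {
    origin: "https://app.example.com",
    "access-control-request-method": "DELETE",
    "access-control-request-headers": "Content-Type",
  },
};
console.log(corsDecision(samplePreflight));
```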

See also

External Links