Even though one might not notice it, the web pages you visit make frequent requests to stack resources like pictures, textual styles, and more, from a wide range of spots from the Internet. In the event that these solicitations for resources go unchecked, the security of the browser might be in danger. For instance, your program might be liable to hacking, or your browser may aimlessly download noxious code. Therefore, numerous advanced programs follow security approaches to mitigate such dangers.

What is CORS (Cross-Origin Resource Sharing)? 

Cross-Origin Resource Sharing (CORS) is an instrument that utilizes extra HTTP headers to advise browsers to give a web application running at one end, access to chosen assets from an alternate starting point. A web application executes a cross-starting point HTTP demand when it demands an asset that has alternate inception (space, convention, or port) from its own.

CORS is a security policy that has been declared by W3C on how systems should communicate between different domains. These set of rules allow the client-server communication between the same domains & restricts cross-origin communications to a few techniques.

While working with the REST APIs or web applications, we all might have come across certain errors in browser console namely, “request blocked by CORS policy” or “Access-Control-Allow-Origin”. These are called CORS errors and below is the elaborate explanation regarding the same.

CORS is applied to which requests?

CORS is applied to requests when an Origin header is included in the request. The origin is the protocol, host, and port that is making the request. This includes REST API calls, accessing cross-origin assets (templates, scripts, images, style sheets) via JavaScript. It is not applied to all resources.

What is considered cross-origin?

The Web Browser, Postman, Advanced REST Client are few clients we could be using for development. The Postman & Advanced REST Client won’t raise a CORS error because these have special headers configured to bypass CORS. For our web browser, let’s consider an example to understand better,

If I have opened www.abc.com in my browser, now below domains would be considered as cross-origin for this client,

www.xyz.com (basically any other domain)

abc.com

https://abc.com

http://abc.com

Here, we see that in spite of being on the same domain, some web applications might face CORS errors because the domain is not stabilized to a single base URL. To avoid these errors, all application servers must have domain stabilized with forced redirection using htaccess rules.

How to configure CORS in our applications?

CORS is a policy that protects the application from many security threats like CSRF. It does not protect the origin application but site receiving cross-origin requests. Therefore, it’s up to the server to allow certain origins.

The server could be configured to allow access to specified domains by adding Access-Control-Allow-Origin: * headers to the request. Apart from that, there are some other CORS headers as well which provide further restrictions on request methods, credentials & preflight.

Since the CORS mechanism posts no restrictions from the server end but only passes the headers containing allowed origins to preflight requests, the client is required to take care of blocking these cross-site requests when it detects authorized origin. All trusted browsers have CORS implemented. However, it could be bypassed on the client-side using a proxy or other techniques. Postman & other REST clients use these methods for CORS bypassing. Although it’s not recommended for application security.

Conclusion! 

There are numerous asset sharing answers for all web advancements. By understanding security approaches like CORS, you can see how dangerous conduct — like downloading resources from outside sources — are mitigated.

CORS characterizes browser’s applications and is never a replacement for server-side insurance of sensitive data – an assailant can directly produce a solicitation from any trusted origin. Thus, web servers should keep on applying assurances over such sensitive data, for example, verification and session management, in addition, to appropriately configure CORS.

Learn more about CORS from here