Monday, September 21, 2015

HTTP Cross Origin request and HTTP access control (CORS)

A page loaded from one origin (protocol, host, port) may reference resources on a different origin, such as an image, a CSS stylesheet or a script. This is very common usage.

However, when a script sends a request to a different origin, it exposes a security risk: unlike a plain web link, malicious script code can issue requests to a server without the user's knowledge.

To control cross-origin requests made from script, the browser on the client side enforces HTTP access control (CORS) based on the server's response. The server response includes a header of the form
Access-Control-Allow-Origin: *
which indicates from which origin the response may be read in a cross-site manner. The Access-Control-Allow-Origin header should always cover the request's Origin header so that the requesting page can access the response; it can instead name another domain, or be set to * to allow all domains to access it.

Note that although the server returns the Access-Control-Allow-Origin header to help the client enforce CORS control, it is the browser (not the server) that checks and enforces the restriction. The server always returns the requested resource to the client regardless of the request's origin; the browser merely withholds it from the script when the header does not match.
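As an added illustration (not code from the original post), the following models both halves of that point: a server choosing the Access-Control-Allow-Origin value, and a browser deciding whether to hand the already-received response to the script. The function names, the allowlist and the origins are assumptions made for the example.

```javascript
// Added example: a minimal model of server-side CORS header selection and
// browser-side enforcement. ALLOWED_ORIGINS, corsHeaders, browserExposesResponse
// and demo are names assumed for this illustration, not a real library API.

const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// Server side: decide which Access-Control-Allow-Origin value to send back.
// The wildcard "*" from the post lets any origin read the response; the
// stricter choice echoes the request's Origin only when it is on an explicit
// allowlist, and adds "Vary: Origin" so shared caches keep responses apart.
function corsHeaders(requestOrigin, { wildcard = false } = {}) {
  if (wildcard) {
    return { "Access-Control-Allow-Origin": "*" };
  }
  if (requestOrigin && ALLOWED_ORIGINS.has(requestOrigin)) {
    return { "Access-Control-Allow-Origin": requestOrigin, Vary: "Origin" };
  }
  // Unknown origin: send no CORS header; the browser then blocks the script.
  return {};
}

// Browser side: the server has already sent the full body (the post's point),
// but the browser only exposes it to the calling script if the header matches
// the page's own origin or is the wildcard.
function browserExposesResponse(pageOrigin, responseHeaders) {
  const allow = responseHeaders["Access-Control-Allow-Origin"];
  return allow === "*" || allow === pageOrigin;
}

// Constructed scenario: a script on https://third-party.example requests an
// api.example.com resource, sending "Origin: https://third-party.example".
function demo() {
  const other = "https://third-party.example";
  const wildcardHeaders = corsHeaders(other, { wildcard: true });
  const strictHeaders = corsHeaders(other);
  return {
    withWildcard: browserExposesResponse(other, wildcardHeaders),   // true
    withAllowlist: browserExposesResponse(other, strictHeaders),    // false
    allowedClient: browserExposesResponse(
      "https://app.example.com", corsHeaders("https://app.example.com")), // true
  };
}
```

The server path is identical in all three cases; only the header value, and therefore the browser's decision, differs.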
