This week I studied about CORS.
CORS (Cross-Origin Resource Sharing) is a concept that allows resources in one origin to access resources in another origin. Literally, it is the sharing of cross-origin resources. If you're requesting a resource from another origin, it is called a cross-origin request.
CORS and SOP are both origin-related concept. So we need to know what Oirigin is.
The source is defined in three ways: URL scheme(protocol), host(domain), and port. In other words, to determine which URLs are from the same source, we need to check if the protocol, domain, and port of the URLs are all the same.
- http://example.com/hello and http://example.com/bye are different URLs, but they all have the same protocol, domain, and port, so they are of the same origin.
- http://example.com and https://example.com point to the same resource, but they are not the same origin because the protocols are different.
- http://example.com and http://example.com:80 look like different sources, but in the former case, the default port of http 80 is omitted, so they can be said to be the same source.
SOP (Same-Origin Policy) prevents other-origin attacks by preventing read access to resources queried from other origins. However, it accepts several tags, such as {img} for images from other sourcces and {link} for external addresses. There is no exact implementation specification of the same-origin policy, but modern browsers follow certain rules.
The SOP allowed very limited fetching of other-origin resources. And as SPA and media-focused websites become more and more popular, the rules around them continued to grow. Therefore, CORS has emerged to increase accessibility to other origin resources.
There are three different origin request policies. They are Simple Request, Preflighted Request and Credential Request.
-Only GET, HEAD, POST requests are allowed
If the server does not respond to this header, or if the header value is for a domain that does not match the origin of the request, the browser blocks the response. Also, if the requested origin is included in the server's access-control-allow-origin.
Preflights send HTTP requests ahead of time with the OPTIONS method to ensure that the actual request is safe to send. This means sending it ahead of time because requests from other origins may affect user data.
Request headers contain the following values:
Response headers contain the follwing values:
Preflight request sends your address https://www.api.com?q=test with OPTIONS. It also sends origin, access-control-request-method, and access-control-rquest-headers.
Access-control-allow-origin, Access-control-allow-method, Access-control-allow-headers, and Access-control-max-age are received as normal responses.
We can make a real request and get a normal response thanks to Preflight that normal requests and resopnses are possible.
Credentialed Requests are requested with credentials such as cookes, authentication headers, and TLS client certificates. By default, CORS policy disallows including credentials in other origin requests. Requests can be made if the request has a flag that includes authentication or if access-control-allow-credentials is set to true.
Requests containing user identification information are handled more strictly. The client must set the cerdential option separately when sending a request. In the case of the fetch API, there are three options as follows.
In the end, the red error message that plauged web developers was actually an error that occrued when resources from other sources were blocked according to the browser's SOP policy, and CORS was the solution to obtain resrouces from other sources. In summary, CORS allows resources from other origins even if the SOP policy is violated.