Clever Geek Handbook

Cross-origin resource sharing

Cross-origin resource sharing (CORS; from English, "sharing resources between different origins") is a modern browser technology that allows a web page to access resources from another domain. Until recently, the main way around the limitations that the same-origin policy imposes on cross-site requests was JSONP. JSONP itself has a fatal limitation: it only allows receiving data with the GET method, so sending data with the POST method remains impossible.


The essence of CORS technology

[Figure: flowchart showing a simple and a preflighted XHR request]

The technology itself is quite simple. Suppose pages on three domains, A, B and C, want to load resources from server Z. To make this possible, it is enough for web server Z, which delivers the content, to list the trusted domains A, B, C in the Access-Control-Allow-Origin response header. The same-origin restrictions then no longer apply to pages from those domains when they request Z's resources:

Access-Control-Allow-Origin: A, B, C

After that, pages of servers A, B, C will be able to download content from server Z.

In PHP, this is done by calling the header() function:

  <?php
     header("Access-Control-Allow-Origin: http://example.com");
  ?>

Simplified example

To initiate a cross-origin request, the client browser adds an Origin header to the HTTP request (the origin of the site from which the request is made). For example, the page http://www.a.com/page.html tries to get data from http://www.b.com/cors.txt. If the client browser supports CORS, the request will look like this:

  GET /cors.txt HTTP/1.1
  Host: www.b.com
  Origin: http://www.a.com

If the server www.b.com wants to allow www.a.com to receive the data, its response will contain the line:

  Access-Control-Allow-Origin: http://www.a.com

If the server's response does not contain this line, a browser that supports CORS reports an error instead of delivering the data.

If the server wants to allow access from any domain, it can indicate in the response:

  Access-Control-Allow-Origin: *

If the server wants to allow access to more than one domain, the server response should contain one Access-Control-Allow-Origin line per domain:

  Access-Control-Allow-Origin: http://www.a.com
  Access-Control-Allow-Origin: http://www.b.com
  Access-Control-Allow-Origin: http://www.c.com

In practice, listing several domains separated by spaces [1] is more common:

  Access-Control-Allow-Origin: http://www.a.com http://www.b.com http://www.c.com
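Browsers accept a single origin (or `*`) in Access-Control-Allow-Origin, so a server that trusts several domains normally compares the request's Origin against an exact-match allowlist and echoes the matching value back. The following Python helper is added here and is not part of the article; the `cors_headers` function, the allowlists and the request headers are constructed for the example, and it also covers the preflight and credentials cases.

```python
from typing import Dict

# Constructed allowlists: full origins (scheme + host) and request headers the
# server is willing to accept. Comparison is exact, never by substring or regex,
# so "http://www.a.com.evil.example" does not match "http://www.a.com".
ALLOWED_ORIGINS = frozenset({"http://www.a.com", "http://www.b.com", "http://www.c.com"})
ALLOWED_REQUEST_HEADERS = frozenset({"content-type", "x-requested-with"})


def cors_headers(request_headers: Dict[str, str],
                 allow_credentials: bool = False) -> Dict[str, str]:
    """Return the CORS response headers to add for one request.

    Returns {} when the Origin header is missing, is the literal "null"
    (sent for sandboxed frames and file:// pages, which must not be trusted),
    or is not on the allowlist; the browser then blocks the response.
    """
    origin = request_headers.get("Origin")
    if origin is None or origin == "null" or origin not in ALLOWED_ORIGINS:
        return {}
    headers = {
        # Echo exactly one origin: browsers reject a space-separated list or
        # several Access-Control-Allow-Origin lines.
        "Access-Control-Allow-Origin": origin,
        # The response now depends on Origin, so shared caches must key on it.
        "Vary": "Origin",
    }
    if allow_credentials:
        # Credentials may be combined only with a concrete origin, never with "*".
        headers["Access-Control-Allow-Credentials"] = "true"
    # Preflight: an OPTIONS request carrying Access-Control-Request-Method asks
    # which methods and headers the real request may use.
    if request_headers.get("Access-Control-Request-Method"):
        headers["Access-Control-Allow-Methods"] = "GET, POST"
        requested = request_headers.get("Access-Control-Request-Headers", "")
        # Grant only the requested headers that are on our allowlist, not all of them.
        granted = [h.strip().lower() for h in requested.split(",")
                   if h.strip().lower() in ALLOWED_REQUEST_HEADERS]
        if granted:
            headers["Access-Control-Allow-Headers"] = ", ".join(granted)
    return headers


if __name__ == "__main__":
    # Constructed sample request from the article's scenario: www.a.com -> www.b.com
    print(cors_headers({"Origin": "http://www.a.com"}))
```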

Relationship between CORS and JSONP

CORS can be used as a more modern and reliable alternative to JSONP: it allows all the advantages of XMLHttpRequest to be used and does not carry the script-injection risk that JSONP does. On the other hand, CORS is supported only by modern browsers, whereas JSONP also works in old ones.

Browser Support

  • Gecko 1.9.1 (Firefox 3.5 [2], SeaMonkey 2.0) and later.
  • WebKit (Safari 4 and later [3], Google Chrome 3 and later [4], possibly earlier versions).
  • MSHTML/Trident 6.0 (Internet Explorer 10) has built-in support [5]; MSHTML/Trident 4.0 and 5.0 (Internet Explorer 8 and 9) provide partial support through the XDomainRequest object. According to bug reports [6], Internet Explorer 10 and 11 do not support CORS for internationalized domain names (IDNs) containing non-Latin characters.
  • Presto (Opera): CORS is implemented in Opera 12.00 [7] and Opera Mobile 12, but not in Opera Mini.

Notes

  1. Cross-Origin Resource Sharing
  2. HTTP access control (CORS) - HTTP | MDN
  3. cross-site xmlhttprequest with CORS - Mozilla Hacks, the Web developer blog
  4. http://osvdb.org/59940 (dead link)
  5. Tony Ross (Program Manager, Internet Explorer). CORS for XHR in IE10. MSDN, February 9, 2012.
  6. Edge Browser fails to recognize Access-Control-Allow-Origin if it is an IDN domain - Microsoft Edge Development. developer.microsoft.com. Retrieved September 18, 2016.
  7. Opera: Opera 12.00 for UNIX Changelog

Literature

  • Monsur Hossain. CORS in Action: Creating and consuming cross-origin APIs. Manning Publications, 2014. 240 pp. ISBN 978-1-61729-182-1.
  • Mike Shema. Hacking Web Apps: Detecting and Preventing Web Application Security Problems. Newnes, 2012. pp. 3-6. ISBN 978-1-59749-951-4.


Source - https://ru.wikipedia.org/w/index.php?title=Cross-origin_resource_sharing&oldid=96597677


Clever Geek | 2019