Cross-origin resource sharing (CORS) is a mechanism to safely bypass the same-origin policy: it allows a web page to access restricted resources from a server on a domain different from the one that served the web page.
A web page may freely embed cross-origin images, stylesheets, scripts, iframes, and videos. Certain "cross-domain" requests, notably Ajax requests, are forbidden by default by the same-origin security policy. CORS defines a way in which a browser and server can interact to determine whether it is safe to allow the cross-origin request.[1] It allows for more freedom and functionality than purely same-origin requests, but is more secure than simply allowing all cross-origin requests.
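
The server's half of that interaction can be sketched as follows. This is an added example, not code from the specification or any particular server; the header names are those defined by the Fetch standard, while `POLICY`, `corsDecision` and the sample origins are hypothetical names and constructed values.

```javascript
// Added example: per-request CORS decision on the server. Policy values are constructed.
const POLICY = {
  origins: new Set(["https://app.example.com"]), // exact-match allowlist
  methods: ["GET", "POST", "PUT"],
  headers: ["content-type", "authorization"],    // compared in lowercase
  credentials: true,
  maxAge: 600,                                   // seconds a browser may cache the preflight
};

// req = { method, headers } with lowercase header names.
// Returns { status, headers }: status null means "pass on to the real handler".
function corsDecision(req, policy = POLICY) {
  const origin = req.headers["origin"];
  const vary = { Vary: "Origin" };               // response depends on Origin, so caches must key on it
  // No Origin header (not a cross-origin browser request) or an origin outside the
  // allowlist: send no Access-Control-* headers; the browser then keeps the
  // response away from the calling page.
  if (!origin || !policy.origins.has(origin)) return { status: null, headers: vary };

  const grant = { ...vary, "Access-Control-Allow-Origin": origin }; // echo the matched origin only
  if (policy.credentials) grant["Access-Control-Allow-Credentials"] = "true";

  const wantMethod = req.headers["access-control-request-method"];
  if (req.method !== "OPTIONS" || !wantMethod) return { status: null, headers: grant };

  // Preflight: the browser asks before sending the actual request.
  const wantHeaders = (req.headers["access-control-request-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  const ok = policy.methods.includes(wantMethod) &&
    wantHeaders.every((h) => policy.headers.includes(h));
  if (!ok) return { status: 403, headers: vary };

  grant["Access-Control-Allow-Methods"] = policy.methods.join(", ");
  grant["Access-Control-Allow-Headers"] = policy.headers.join(", ");
  grant["Access-Control-Max-Age"] = String(policy.maxAge);
  return { status: 204, headers: grant };
}

// Constructed sample requests.
const SAMPLES = [
  { method: "GET", headers: { origin: "https://app.example.com" } },
  { method: "GET", headers: { origin: "https://app.example.com.lookalike.test" } },
  { method: "OPTIONS", headers: { origin: "https://app.example.com",
      "access-control-request-method": "PUT",
      "access-control-request-headers": "Content-Type, X-Debug" } },
];
for (const r of SAMPLES) console.log(r.method, r.headers.origin, corsDecision(r));
```

For a request that is not preflighted, the server still processes it even when the origin is not on the allowlist; CORS only decides whether the browser exposes the response to the page, so it does not replace authentication or CSRF defences.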
The specification for CORS is included as part of the WHATWG's Fetch Living Standard.[2] This specification describes how CORS is currently implemented in browsers.[3] An earlier specification was published as a W3C Recommendation.[4]