Origin

This is a combination of 3 things: scheme, fully qualified hostname and port.

http://example.com and https://example.com are different origins: the schemes differ, and so do the ports they imply (80 for http, 443 for https).
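As an added illustration of the scheme/hostname/port tuple (example code written for these notes, not taken from the linked article), the following Node.js snippet normalises a URL to its origin, including the default ports that make http://example.com:80 and http://example.com the same origin. It assumes the WHATWG URL API, which is available in Node and in browsers:

```javascript
// Added example: derive the origin tuple (scheme, fully qualified hostname, port)
// of a URL and compare two URLs the way a browser's same-origin check does.
// Default ports per scheme; the URL parser reports "" for a default port.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

function originOf(urlString) {
  const u = new URL(urlString); // lowercases scheme and hostname for us
  // URL.port is "" when the port is the scheme's default, so fill it in:
  // http://example.com and http://example.com:80 must compare equal.
  const port = u.port !== "" ? u.port : (DEFAULT_PORTS[u.protocol] ?? "");
  return { scheme: u.protocol.replace(/:$/, ""), host: u.hostname, port };
}

// Path, query and fragment play no part in the comparison.
function sameOrigin(a, b) {
  const oa = originOf(a), ob = originOf(b);
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// Serialised form, as a browser sends it in the Origin request header
// (default port omitted, non-default port kept).
function serializeOrigin(urlString) {
  const o = originOf(urlString);
  const isDefault = DEFAULT_PORTS[o.scheme + ":"] === o.port;
  return isDefault ? `${o.scheme}://${o.host}` : `${o.scheme}://${o.host}:${o.port}`;
}

console.log(sameOrigin("http://example.com", "https://example.com")); // false
console.log(serializeOrigin("https://example.com:443/login"));        // https://example.com
```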

Cross-origin Resource Requests

This means a page on one origin making a request for a resource on another origin, e.g. https://example.com requesting something from https://fonts.google.com.

This could be problematic because a malicious page could probe for information based on whether you have access to, say, a company intranet-only URL, or a script on it could make an API call to your bank using your logged-in session.

Same-origin Policy

Prevents cross-origin attacks by blocking a page from reading responses to requests for resources on another origin. Some HTML tags are still allowed to embed resources from a different origin:

  • Embedding of cross-origin resources through tags such as images and scripts is allowed (the page can display or run them but cannot read their contents)
  • Embedding a cross-origin iframe is allowed depending on the X-Frame-Options header sent by the framed site
  • Cross-origin writes such as form submissions are permitted, since they are common on the web

CORS

The motivation is to allow more flexibility than the restrictions of the same-origin policy give.

CORS controls access to subresources on a webpage: the server hosting a resource states which other origins may read the response to a cross-origin request for it.

TODO: fill this up

https://ieftimov.com/post/deep-dive-cors-history-how-it-works-best-practices/