resource: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#The_HTTP_request_headers
- A web application makes a CORS request when it requests a resource whose origin (domain, protocol, port) differs from its own.
- For security reasons, browsers restrict cross-origin HTTP requests initiated from scripts; CORS is the mechanism that relaxes this restriction in a controlled way.
- CORS is a set of HTTP headers that let a server describe the set of origins permitted to read its responses from a web browser.
- For HTTP requests that can cause side effects on the server's data, the browser must "preflight" the request (HTTP OPTIONS method); after the server approves, the browser sends the actual request.
- Allowed Methods (no preflight needed):
  - GET
  - HEAD
  - POST
- Allowed request headers (no preflight needed):
  - Accept
  - Accept-Language
  - Content-Language
  - Content-Type, only with one of these values:
    - application/x-www-form-urlencoded
    - multipart/form-data
    - text/plain
  - Last-Event-ID
  - DPR
  - Save-Data
  - Viewport-Width
  - Width
If the server allows cross-origin requests, it returns the header:
  Access-Control-Allow-Origin: http://foo.example
If the server allows requests from a single origin only:
  Access-Control-Allow-Origin: http://foo.example
Preflighted requests: any request that uses one of the methods PUT, DELETE, CONNECT, OPTIONS, TRACE or PATCH,
or that includes any header not in the allowed request headers list above.
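The simple-versus-preflighted decision above, written out as a small classifier. This is an added example, not code from the MDN page; it applies exactly the method, header and Content-Type lists from these notes (header names compared case-insensitively), and the sample requests in the comments are constructed.

```javascript
// Added example: decide whether a browser would send a request directly
// ("simple") or send an OPTIONS preflight first, using the lists above.

const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_HEADERS = new Set([
  "accept", "accept-language", "content-language", "content-type",
  "last-event-id", "dpr", "save-data", "viewport-width", "width",
]);
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// method: HTTP method; headers: object of header name -> value.
// Returns { preflight: boolean, reasons: string[] } where reasons lists
// every property of the request that forces a preflight.
function classifyRequest(method, headers = {}) {
  const reasons = [];
  const m = method.toUpperCase();
  if (!SIMPLE_METHODS.has(m)) reasons.push(`method ${m} is not GET/HEAD/POST`);

  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!SIMPLE_HEADERS.has(lower)) {
      // e.g. Authorization or X-Requested-With: not on the safelist
      reasons.push(`header ${name} is not on the safelist`);
      continue;
    }
    if (lower === "content-type") {
      // Only the media type counts; parameters such as charset or boundary
      // do not change the classification.
      const mediaType = String(value).split(";")[0].trim().toLowerCase();
      if (!SIMPLE_CONTENT_TYPES.has(mediaType)) {
        reasons.push(`Content-Type ${mediaType} is not a simple type`);
      }
    }
  }
  return { preflight: reasons.length > 0, reasons };
}

// Constructed sample: a cross-origin POST with text/plain is "simple", so it
// reaches the server with no preflight; the same POST as JSON is preflighted.
const simplePost = classifyRequest("POST", { "Content-Type": "text/plain" });
const jsonPost = classifyRequest("POST", { "Content-Type": "application/json" });
console.log("text/plain POST preflight:", simplePost.preflight);
console.log("JSON POST preflight:", jsonPost.preflight, jsonPost.reasons);
```

Note that the text/plain POST is classified as simple: that is the case the later CSRF remark in these notes is about, since the server sees that request whether or not it understands CORS.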
The preflight response states which Origins, Methods and Headers the server is willing to accept in a CORS request.
Access-Control-Max-Age tells the browser how long it may cache the preflight result, so regular requests are sent without a new preflight until it expires.
Preflight does not allow redirects. There is a spec change for this, but browsers still need to implement it.
As a workaround, if you want to redirect, keep the request simple so that it does not trigger a preflight.
If the request carries authorization, the preflight cannot be avoided, and you need full control of the server config to allow the request so the redirect can occur.
Authorization
When a credentialed request is sent, Access-Control-Allow-Origin must be set to an explicit origin; it cannot be the '*' wildcard.
The Origin header is a URI indicating the server from which the request was initiated; it includes only the server name (scheme, host, port), not a path.
Preflight requests are not about security; they benefit servers developed without an awareness of CORS.
- Old servers assume they will never receive certain requests (e.g. a cross-origin DELETE); the preflight provides an extra sanity check between client and server.
The web is moving to a cross-origin world; previously all servers assumed the same-origin policy. Preflight reduces the CSRF surface area.
It does not provide full CSRF protection, since a simple POST that does not trigger a preflight can still reach the server and be accepted by it.
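A server-side decision function that puts the Authorization section and the CSRF remark above into practice. This is an added example, not code from the MDN page or from any framework: the origin allow-list, the accepted methods and headers, and the 600-second cache lifetime are assumed values. It answers preflights with an explicit origin (never '*', because credentials are allowed), sets Access-Control-Max-Age, and, for the simple-POST gap, refuses to act on cross-origin state-changing requests instead of relying on the preflight to keep them away.

```javascript
// Added example: CORS handling for a server that accepts credentialed
// requests from a fixed set of origins. Framework-free so it can be tested
// as a pure function; a real handler would copy the returned headers onto
// the response and run the application code only when proceed is true.

// Assumed allow-list. The server's own origin is listed too, because
// browsers also send Origin on same-origin POSTs.
const ALLOWED_ORIGINS = new Set([
  "https://api.example", "https://app.example", "https://admin.example",
]);
const ALLOWED_METHODS = ["GET", "POST", "PUT", "DELETE"];
const ALLOWED_HEADERS = ["Content-Type", "Authorization"];
const PREFLIGHT_CACHE_SECONDS = 600; // assumed value for Access-Control-Max-Age
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// method: HTTP method; headers: object with lower-case header names.
// Returns { status, headers, proceed }.
function handleCors(method, headers) {
  const m = method.toUpperCase();
  const origin = headers["origin"];
  const originAllowed = origin !== undefined && ALLOWED_ORIGINS.has(origin);

  // Preflight: an OPTIONS request carrying Access-Control-Request-Method.
  if (m === "OPTIONS" && headers["access-control-request-method"] !== undefined) {
    const wanted = headers["access-control-request-method"].toUpperCase();
    if (!originAllowed || !ALLOWED_METHODS.includes(wanted)) {
      // No CORS headers at all: the browser then refuses to send the actual request.
      return { status: 403, headers: {}, proceed: false };
    }
    return {
      status: 204,
      headers: {
        "Access-Control-Allow-Origin": origin, // explicit origin, never "*" with credentials
        "Access-Control-Allow-Credentials": "true",
        "Access-Control-Allow-Methods": ALLOWED_METHODS.join(", "),
        "Access-Control-Allow-Headers": ALLOWED_HEADERS.join(", "),
        "Access-Control-Max-Age": String(PREFLIGHT_CACHE_SECONDS), // browser may cache this result
        "Vary": "Origin", // the answer depends on Origin; keep shared caches from mixing origins
      },
      proceed: false,
    };
  }

  // No Origin header: same-origin navigation or a non-browser client. CORS
  // says nothing here; a CSRF token in the application layer is still needed.
  if (origin === undefined) {
    return { status: 200, headers: {}, proceed: true };
  }

  if (!originAllowed) {
    // The request arrived regardless of whether the browser classed it as
    // simple. Refusing cross-origin state changes here is what closes the
    // "simple POST" gap; reads may proceed because, without an Allow-Origin
    // header, the browser withholds the response from the calling script.
    if (!SAFE_METHODS.has(m)) return { status: 403, headers: {}, proceed: false };
    return { status: 200, headers: {}, proceed: true };
  }

  // Allowed origin: expose the response, again with the explicit origin.
  return {
    status: 200,
    headers: {
      "Access-Control-Allow-Origin": origin,
      "Access-Control-Allow-Credentials": "true",
      "Vary": "Origin",
    },
    proceed: true,
  };
}

// Constructed sample: a text/plain POST from an origin that is not allowed
// is rejected even though no preflight preceded it.
console.log(handleCors("POST", { origin: "https://evil.example", "content-type": "text/plain" }));
```

The Vary: Origin header matters whenever the Access-Control-Allow-Origin value is chosen per request; without it an intermediate cache could serve one origin's response, with that origin's Allow-Origin header, to a different origin.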