@wichopy
Last active July 23, 2018 03:24
CORS requests

resource: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#The_HTTP_request_headers

  • A web application makes a CORS request when it requests a resource whose origin (protocol, domain, port) differs from its own origin.
  • CORS exists for security reasons: browsers restrict cross-origin HTTP requests initiated from within scripts.
  • It is an HTTP header mechanism that lets servers describe the set of origins that are permitted to read their responses from a web browser.
  • For HTTP requests that can cause side-effects on the server's data, the browser must first "preflight" the request (an HTTP OPTIONS request); once the server approves it, the browser sends the actual request.
  • Allowed methods (a "simple" request, no preflight needed):
    • GET
    • HEAD
    • POST
  • Allowed request headers (the CORS-safelisted headers; anything else triggers a preflight):
    • Accept
    • Accept-Language
    • Content-Language
    • Content-Type
      • application/x-www-form-urlencoded
      • multipart/form-data
      • text/plain
    • Last-Event-ID
    • DPR
    • Save-Data
    • Viewport-Width
    • Width

If the server allows cross-origin requests, it returns the Access-Control-Allow-Origin header in its response. To allow requests from a single origin only, it names that origin: Access-Control-Allow-Origin: http://foo.example

Preflighted requests: a request is preflighted if it uses one of the methods PUT, DELETE, CONNECT, OPTIONS, TRACE or PATCH, or if it includes any header that isn't in the allowed request headers list above.

The preflight response lists the origins, methods and headers the server is willing to accept in a CORS request.

Access-Control-Max-Age tells the browser how long it may cache that preflight response; until it expires, the browser can send the actual requests without preflighting again.

Preflight requests do not allow redirects. A spec change permits them, but browsers still need to implement it.

As a workaround, if you need a redirect, don't send requests that will trigger a preflight; keep the request simple.

If your request carries authorization, it is impossible to work around the preflight, and you will need full control of your server config to allow the request so that a redirect can occur.

Authorization

When a credentialed request is sent, the Access-Control-Allow-Origin header must name an explicit origin; it can't be the '*' wildcard.

Origin is a URI indicating the server from which the request originated. It includes only the server name, not a path.
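The server side of the rules above (allowlisted origins, a preflight answer listing methods and headers, Access-Control-Max-Age, and credentials only with an explicit origin), as an added example that is not part of the gist or MDN. The allowlist, the header and method lists, and the request shape (`{ method, headers }` with lowercase header names, as Node's http module provides) are constructed assumptions.

```javascript
// Added example: a minimal CORS policy function a server calls for each request.
// It checks Origin against an allowlist (never echoing arbitrary origins), answers
// preflights with the methods/headers it accepts, sets Access-Control-Max-Age so
// the browser can cache the preflight, and allows credentials only for an
// explicit, non-wildcard origin.
const ALLOWED_ORIGINS = new Set(["https://app.example", "https://admin.example"]); // constructed
const ALLOWED_METHODS = ["GET", "POST", "PUT", "DELETE"];                         // assumed policy
const ALLOWED_HEADERS = ["Content-Type", "Authorization", "X-Requested-With"];    // assumed policy
const MAX_AGE_SECONDS = 600;

// Returns { status, headers } describing the CORS part of the response, or null
// when the request carries no Origin header (same-origin or non-browser client).
function corsPolicy(req) {
  const origin = req.headers["origin"];
  if (origin === undefined) return null;
  if (!ALLOWED_ORIGINS.has(origin)) {
    // Unknown origin: reply without Access-Control-Allow-Origin so the browser
    // withholds the response from the page. Never fall back to "*" here.
    return { status: 403, headers: {} };
  }
  const headers = {
    "Access-Control-Allow-Origin": origin,          // explicit origin, never "*"
    "Access-Control-Allow-Credentials": "true",     // only valid with an explicit origin
    "Vary": "Origin",                               // shared caches must key on Origin
  };
  const isPreflight = req.method === "OPTIONS" &&
    req.headers["access-control-request-method"] !== undefined;
  if (!isPreflight) return { status: 200, headers }; // simple or already-preflighted request

  // Preflight: the browser tells us the method and non-safelisted headers it wants to use.
  const wantedMethod = req.headers["access-control-request-method"].toUpperCase();
  const wantedHeaders = (req.headers["access-control-request-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  const allowedLower = ALLOWED_HEADERS.map((h) => h.toLowerCase());
  if (!ALLOWED_METHODS.includes(wantedMethod) ||
      !wantedHeaders.every((h) => allowedLower.includes(h))) {
    return { status: 403, headers: {} };            // browser will fail the actual request
  }
  headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
  headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS.join(", ");
  headers["Access-Control-Max-Age"] = String(MAX_AGE_SECONDS); // browser may cache this answer
  return { status: 204, headers };
}
```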

https://stackoverflow.com/questions/15381105/cors-what-is-the-motivation-behind-introducing-preflight-requests

Preflight requests are not about security as such; they benefit servers developed without an awareness of CORS:

  1. Old servers assume they will never receive certain requests (e.g. a cross-origin DELETE request); the preflight provides an extra sanity check between client and server.

The web is changing into a cross-origin world. Before, all servers could assume the same-origin policy; the preflight reduces the CSRF surface area for them.

It does not provide full CSRF protection, because a simple POST, which does not trigger a preflight, could still be accepted by the server.
