Cross-Origin Resource Sharing (CORS) configuration
Cross-Origin Resource Sharing (CORS) is handled using Access-Control-Allow-Origin
and related headers. Access-Control-Allow-Origin
defines the non-same origins that are allowed to make requests to pages on your domain (i.e., via XMLHttpRequest
or fetch()
).
Problem
By default, same-origin policy blocks cross-origin HTTP requests initiated by scripts. There are several use cases that require cross-origin script access; for example, Content Delivery Networks (CDNs) that provide hosting for JavaScript/CSS libraries and public API endpoints. However, cross-origin access presents a major security risk and must be carefully controlled.
Solution
Use Access-Control-Allow-Origin
to define the non-same origins that are allowed to make requests to pages on your domain.
If present, Access-Control-Allow-Origin
should specify the minimum possible number of origins and resources for your site to function. For example, if your server provides both a website and an API intended for remote XMLHttpRequest
access, only the API resources should return the Access-Control-Allow-Origin
header.
Failure to set Access-Control-Allow-Origin
appropriately will allow unauthorized origins to read the contents of any page on your site. This can be especially dangerous if those sites are able to send credentials, potentially exposing your site to CSRF attacks.
If credentialed access is required from specific origins, ensure Access-Control-Allow-Origin
is set only to those origins, rather than reflecting the Origin
header. If public non-credentialed access is required, set Access-Control-Allow-Origin
to *
and omit the Access-Control-Allow-Credentials
header. Otherwise, omit both headers.
Examples
Allow any site to read the contents of a JavaScript library:
Access-Control-Allow-Origin: *
Note: This setting is required for Subresource integrity to work.
Allow https://random-dashboard.example.org
to read the returned results of an API:
Access-Control-Allow-Origin: https://random-dashboard.example.org
See also
Access-Control-Allow-Origin
Access-Control-Allow-Credentials
Access-Control-Allow-Headers
Access-Control-Allow-Methods
Access-Control-Expose-Headers
Access-Control-Max-Age
Access-Control-Request-Headers
Access-Control-Request-Method
Origin
- Cross-Origin Resource Sharing (CORS)
- CORS for Developers from W3C (2016)