
Cross-Origin Resource Sharing (CORS) configuration

Cross-Origin Resource Sharing (CORS) is handled using Access-Control-Allow-Origin and related headers. Access-Control-Allow-Origin defines the non-same origins that are allowed to make requests to pages on your domain (i.e., via XMLHttpRequest or fetch()).

Problem

By default, the same-origin policy blocks cross-origin HTTP requests initiated by scripts. There are several use cases that require cross-origin script access; for example, Content Delivery Networks (CDNs) that provide hosting for JavaScript/CSS libraries and public API endpoints. However, cross-origin access presents a major security risk and must be carefully controlled.

Solution

Use Access-Control-Allow-Origin to define the non-same origins that are allowed to make requests to pages on your domain.

If present, Access-Control-Allow-Origin should specify the minimum possible number of origins and resources for your site to function. For example, if your server provides both a website and an API intended for remote XMLHttpRequest access, only the API resources should return the Access-Control-Allow-Origin header.

Failure to set Access-Control-Allow-Origin appropriately will allow unauthorized origins to read the contents of any page on your site. This can be especially dangerous if those sites are able to send credentials, potentially exposing your site to CSRF attacks.

If credentialed access is required from specific origins, ensure Access-Control-Allow-Origin is set only to those origins, rather than reflecting the Origin header. If public non-credentialed access is required, set Access-Control-Allow-Origin to * and omit the Access-Control-Allow-Credentials header. Otherwise, omit both headers.

Examples

Allow any site to read the contents of a JavaScript library:

```http
Access-Control-Allow-Origin: *
```

Note: This setting is required for Subresource Integrity to work.

Allow https://random-dashboard.example.org to read the returned results of an API:

```http
Access-Control-Allow-Origin: https://random-dashboard.example.org
```
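The following is an added example, not MDN's own code, that turns the rules in the Solution section and the two header examples above into a server-side decision: a per-resource policy that emits a wildcard for public resources, an exact-allowlist match (plus Access-Control-Allow-Credentials) for credentialed resources, and no CORS headers at all for the rest of the site. The paths, the CORS_POLICY table and the corsHeaders function are hypothetical; the dashboard origin is the one from the example above. The Vary: Origin header is an addition beyond the page's text, so a shared cache does not hand one origin's response to another.

```javascript
// Added example (not MDN's code). Assumes a Node-style handler that receives
// request headers as a plain object with lower-case keys.

// Constructed sample policy: which origins may read which resources, and
// whether the resource needs credentials (cookies, HTTP auth) to be sent.
const CORS_POLICY = {
  // Public library/API path: any origin may read it, never with credentials.
  "/api/public/": { origins: "*", credentials: false },
  // Credentialed API path: exact allowlist of origins, credentials allowed.
  "/api/account/": {
    origins: new Set(["https://random-dashboard.example.org"]),
    credentials: true,
  },
  // Everything else (the website's own pages) gets no CORS headers.
};

// Find the policy whose path prefix matches, or null for non-CORS resources.
function policyFor(path) {
  for (const prefix of Object.keys(CORS_POLICY)) {
    if (path.startsWith(prefix)) return CORS_POLICY[prefix];
  }
  return null;
}

// Return the CORS response headers to add for this request (possibly none).
function corsHeaders(path, requestHeaders) {
  const headers = {};
  const policy = policyFor(path);
  const origin = requestHeaders["origin"];
  // No Origin header means a same-origin or non-browser request; no policy
  // means the resource is not meant for cross-origin reads. Emit nothing.
  if (!policy || !origin) return headers;

  if (policy.origins === "*") {
    // Public, non-credentialed: wildcard and no Allow-Credentials header.
    headers["Access-Control-Allow-Origin"] = "*";
    return headers;
  }

  // Credentialed: only an origin on the exact allowlist is echoed back.
  // An origin that is not listed gets no header at all, so the browser
  // blocks the read; the request's Origin value is never reflected blindly.
  if (policy.origins.has(origin)) {
    headers["Access-Control-Allow-Origin"] = origin;
    headers["Vary"] = "Origin"; // keep caches from mixing per-origin responses
    if (policy.credentials) {
      headers["Access-Control-Allow-Credentials"] = "true";
    }
  }
  return headers;
}

// The anti-pattern the page warns against, kept for contrast: reflecting
// whatever Origin the request carries while also allowing credentials.
function reflectingCorsHeaders(requestHeaders) {
  const origin = requestHeaders["origin"];
  if (!origin) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Stand-alone demonstration on constructed requests.
console.log(corsHeaders("/api/public/lib.js", { origin: "https://any.example" }));
console.log(corsHeaders("/api/account/me", { origin: "https://random-dashboard.example.org" }));
console.log(corsHeaders("/api/account/me", { origin: "https://other.example" }));
console.log(corsHeaders("/index.html", { origin: "https://random-dashboard.example.org" }));
```

The contrast function shows why the page says not to reflect the Origin header: with reflectingCorsHeaders, any origin receives both an exact Access-Control-Allow-Origin match and Access-Control-Allow-Credentials: true, which is precisely the credentialed cross-origin read the Solution section says to restrict to named origins.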

This page was last modified on by MDN contributors.