Cross-Origin Resource Sharing (CORS) is becoming an important term as more SPAs (Single Page Applications) are built with frameworks such as AngularJS and React. In simple terms, it means that when I make a call from one domain to another domain (not on the same web server), I cannot share the resources of one domain in the other.
“What is CORS?”
“Cross-origin resource sharing is a mechanism that allows restricted resources on a web page to be requested from another domain outside the domain from which the first resource was served. A web page may freely embed cross-origin images, stylesheets, scripts, iframes, and videos.” – Wikipedia
When does this happen?
This generally comes up when making service calls from UI (User Interface) components to backend services; another example is when one domain opens an iFrame modal window to show another domain's information. Wikipedia has good examples and definitions of how domains can be allowed to share resources.
In the above picture, a request is sent from the browser (blue box) to "A-site". "A-site" is a web server which sends back a response consisting of index.html, hoge.css (a style sheet) and hoge.js (a JavaScript file).
Now, from the new page, the browser's second step is to send a request to "B-site" via an AJAX call. However, the B-site server will not respond, as the A-site server is not in its whitelist of servers from which to accept requests.
The only way the B-site server will give a response to the AJAX call is if it is configured for CORS (Cross-Origin Resource Sharing) with "A-site".
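The decision B-site makes above, as an added example that is not part of the original post: a minimal server-side CORS check that answers only the origins on its allow-list (the "A-site" origin name, the function names and the allowed method list are assumptions).

```javascript
// Added example (not from the original post): B-site's CORS decision.
// B-site only attaches CORS headers when the request's Origin header is on
// its allow-list; otherwise the browser blocks the page from reading the reply.
const ALLOWED_ORIGINS = new Set([
  "https://a-site.example", // constructed: the origin of the "A-site" SPA
]);

// Headers B-site adds to a normal (GET/POST) response for a given Origin.
// Returns null when no CORS headers should be sent.
function corsHeadersFor(origin, allowed = ALLOWED_ORIGINS) {
  if (!origin) return null; // same-origin or non-browser client: nothing to add
  // Exact match against the allow-list: do not reflect arbitrary origins,
  // and never answer "*" when cookies (credentials) are involved.
  if (!allowed.has(origin)) return null;
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    // Caches must key on Origin so one origin's reply is not served to another.
    "Vary": "Origin",
  };
}

// Preflight (OPTIONS): the browser sends this before a non-simple AJAX call
// (e.g. a JSON POST with cookies) to ask whether the real request may proceed.
function preflightResponse(origin, requestedMethod, allowed = ALLOWED_ORIGINS) {
  const base = corsHeadersFor(origin, allowed);
  if (!base) return { status: 403, headers: {} };
  const allowedMethods = ["GET", "POST", "OPTIONS"]; // assumed API surface
  if (!allowedMethods.includes(String(requestedMethod).toUpperCase())) {
    return { status: 403, headers: {} };
  }
  return {
    status: 204,
    headers: {
      ...base,
      "Access-Control-Allow-Methods": allowedMethods.join(", "),
      "Access-Control-Allow-Headers": "Content-Type",
      "Access-Control-Max-Age": "600", // seconds the browser may cache this answer
    },
  };
}
```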
A more detailed explanation of CORS and a technical example can be found here. Derric Gilling, the author, gives a good example in business terms as follows:
“Let’s say you browse to a malicious website https://evilunicorns.com while logged into https://examplebank.com. Without same-origin policy, that hacker website could make authenticated malicious AJAX calls to https://examplebank.com/api to POST /withdraw even though the hacker website doesn’t have direct access to the bank’s cookies.”
Naturally, this should not happen. This is a security measure already in place between domains and should not be circumvented. Without this security (and only allowing certain servers via CORS), data transfers become insecure and open to hacking, as in the example above.
There are exceptional cases, for instance when both domain servers are behind the firewall and within the same company (organization), where it is advisable. This can arise in the design of an application that uses microservices.
I strongly suggest contacting the network security team and documenting the reasons and the solution before implementing a fix for a CORS issue.
However, some proprietary software frameworks (like Salesforce) do not allow us to share resources.