Understanding CORS ajax requests

What is CORS?

CORS stands for Cross Origin Resource Sharing.

It is the mechanism browsers use to allow asynchronous requests (XMLHttpRequest, fetch) between different origins. Previously the same-origin policy blocked this outright: a script on one site could not read responses from another site. That restriction exists to stop one site from reading another site's data with the victim's cookies, not, as is often said, to prevent XSS. Unfortunately, some browsers still don't support CORS: IE 8 and below. For support charts, check the caniuse website. Opera Mini doesn't support it either, but no one really uses Opera Mini except on certain Samsung devices.

However, CORS has recently become the accepted way of loading resources from different websites. To opt in, the server must send the correct response headers; the browser adds an Origin header to the request and enforces whatever the server's response allows. The browser sends the request either way; what CORS controls is whether the calling script is allowed to read the response.

Is CORS a potentially dangerous attack vector?

Not in itself, but its configuration is where the risk lies. CORS is a specification created by a group of browser vendors (it now lives in the WHATWG Fetch standard). The server decides which origins may read its responses by setting the Access-Control-Allow-Origin header. That header names exactly one allowed origin, or it uses the wildcard, which allows every origin:

Access-Control-Allow-Origin: *

The wildcard is safe only for genuinely public resources, that is, data any site could already fetch without authentication. Browsers refuse to send credentials (cookies, Authorization headers) to a wildcard response, and reject a wildcard combined with Access-Control-Allow-Credentials: true, so "*" on its own cannot expose a logged-in user's data. The classic misconfiguration is working around that limit by reflecting whatever Origin the request carries while keeping credentials enabled: any site can then read the victim's authenticated responses. Note also that a firewall is no protection here. The request comes from the victim's browser, which is already inside the network, so an internal service that sets a permissive header is readable from any site the victim visits.
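As an added example, not code from the original article, the following Node.js snippet shows the safe pattern: an exact-match allowlist of origins, echoing the one matching origin back (with Vary: Origin for caches), beside the reflect-any-origin anti-pattern described above. The origins in ALLOWED_ORIGINS are assumptions chosen for illustration.

```javascript
// Added example, not code from the original article: a server-side CORS
// origin check in Node.js. The origins in ALLOWED_ORIGINS are assumptions
// chosen for illustration.

// Exact-match allowlist of full origins (scheme + host + port). Never match
// by prefix, suffix or regex on the host: "https://app.example.com.evil.net"
// and "https://evilapp.example.com" must not pass.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// Returns the CORS response headers for a request whose Origin header is
// `origin`, or null when the origin is not allowed. With null, no
// Access-Control-Allow-Origin header is sent at all and the browser refuses
// to hand the response body to the calling script.
function corsHeadersFor(origin, allowlist = ALLOWED_ORIGINS) {
  // "null" is a literal Origin value (sandboxed iframes, file://). It is
  // rejected here like any other unlisted origin; never add it to the list.
  if (typeof origin !== 'string' || !allowlist.has(origin)) return null;
  return {
    // Echo the one matching origin instead of "*": "*" cannot be combined
    // with credentials, and credentialed responses are what need protecting.
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
    'Access-Control-Allow-Headers': 'Content-Type, Authorization',
    // The response now depends on the Origin header; tell caches so a response
    // allowed for one origin is not replayed to another.
    'Vary': 'Origin',
  };
}

// The misconfiguration to avoid: reflecting whatever Origin arrives while
// also allowing credentials. Any site can then read the victim's
// authenticated responses. Shown only for contrast; do not deploy.
function reflectAnyOrigin(origin) {
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Pure request handler: takes the method and Origin header, returns the
// status, headers and body to send. Preflights (OPTIONS) from unlisted
// origins get 403 with no CORS headers. Actual requests are still served
// (CORS does not stop the request from arriving; that is CSRF's territory),
// but without the header the browser blocks the cross-origin read.
function handleRequest(method, origin) {
  const cors = corsHeadersFor(origin);
  const headers = cors ? { ...cors } : {};
  if (method === 'OPTIONS') {
    return { status: cors ? 204 : 403, headers, body: '' };
  }
  headers['Content-Type'] = 'application/json';
  return { status: 200, headers, body: JSON.stringify({ ok: true }) };
}

// Wiring into Node's http module. Not started automatically; call
// startServer(8080) to run it.
function startServer(port) {
  const http = require('http');
  return http.createServer((req, res) => {
    const r = handleRequest(req.method, req.headers.origin);
    res.writeHead(r.status, r.headers);
    res.end(r.body);
  }).listen(port);
}
```

The allowlist compares the whole origin string, so a different scheme (http instead of https) or a lookalike host fails the check. If the header must vary per request, Vary: Origin matters as much as the allowlist: without it a shared cache can serve the response, with one origin's Access-Control-Allow-Origin value, to a request from another origin.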


