- Cross Origin Resource Sharing.
CORS is an established system for restricting access to web-based resources (such as web services) that reside on a different domain.
CORS provides a mechanism for the web browser to determine from the server whether or not it should be allowed to make the request.
For example, if a web page were loaded from www.cryer.co.uk and made an AJAX call to a web service on http://enjoyed.today, then because these are two different domains the AJAX call would negotiate use of the web service using CORS.
For CORS to work, both the browser and the web server need to support it; most do, as CORS has been around for a while. In essence (and this is not intended as a comprehensive description of how CORS works):
- The browser sends a "pre-flight request" to the server. This is to ask if the request is permitted from the originating domain and to determine what methods are supported.
- The server responds indicating if the request is allowed from that domain, or an error page if the server does not allow the cross-origin request.
- Assuming the server response permits the request, the browser sends the request and the server responds to the request.
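The three steps above, seen from the server side, as an added example that is not part of the original page: a hypothetical `corsDecision` helper for the service on enjoyed.today, assuming it trusts only pages loaded from http://www.cryer.co.uk. The allow-lists, the 204/403 status codes and the 600-second cache lifetime are assumptions chosen for illustration.

```javascript
// Assumed policy for illustration: the service on enjoyed.today trusts one origin.
const ALLOWED_ORIGINS = new Set(["http://www.cryer.co.uk"]);
const ALLOWED_METHODS = ["GET", "POST"];
const ALLOWED_HEADERS = ["content-type"];

// Hypothetical helper. `req` is { method, headers } with lower-case header
// names (as Node's http module provides). Returns the status and response
// headers the server should use for the CORS part of the exchange.
function corsDecision(req) {
  const origin = req.headers["origin"];
  // No Origin header: not a cross-origin browser request, nothing to add.
  if (origin === undefined) return { kind: "not-cors", status: null, headers: {} };

  // Vary: Origin keeps shared caches from serving one origin's answer to another.
  const headers = { "Vary": "Origin" };
  const requestedMethod = req.headers["access-control-request-method"];
  const isPreflight = req.method === "OPTIONS" && requestedMethod !== undefined;

  // Exact match against the allow-list; never a prefix or substring test.
  if (!ALLOWED_ORIGINS.has(origin)) {
    return { kind: "denied", status: isPreflight ? 403 : null, headers };
  }

  if (isPreflight) {
    const requestedHeaders = (req.headers["access-control-request-headers"] || "")
      .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
    const ok = ALLOWED_METHODS.includes(requestedMethod) &&
      requestedHeaders.every((h) => ALLOWED_HEADERS.includes(h));
    if (!ok) return { kind: "denied", status: 403, headers };
    headers["Access-Control-Allow-Origin"] = origin;
    headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
    headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS.join(", ");
    headers["Access-Control-Max-Age"] = "600";
    return { kind: "preflight-ok", status: 204, headers };
  }

  // Actual request: the browser releases the response to the page only if
  // this header names the page's origin.
  headers["Access-Control-Allow-Origin"] = origin;
  return { kind: "actual-ok", status: null, headers };
}

// Constructed sample preflight, as a browser would send before a JSON POST.
const samplePreflight = { method: "OPTIONS", headers: {
  "origin": "http://www.cryer.co.uk",
  "access-control-request-method": "POST",
  "access-control-request-headers": "Content-Type" } };
console.log(corsDecision(samplePreflight));
```

A `null` status means the CORS layer leaves the status to the application; for a denied origin the response simply carries no `Access-Control-Allow-Origin` header, so the browser withholds it from the calling page.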
For more information see:
- http://everything.explained.at/Cross-origin_resource_sharing/ - CORS explained.
- http://www.w3.org/TR/access-control/ - W3C Cross-Origin Resource Sharing recommendation.