CORS (Cross-Origin Resource Sharing)

Why ?

The policy permits scripts running on pages originating from the same site – a combination of scheme, hostname, and port number – to access each other's DOM with no specific restrictions, but prevents access to DOM on different sites. Same-origin policy also applies to XMLHttpRequest and to robots.txt.

CORS configuration is server-side.

A server using "Access-Control-Allow-Origin: *" allows all domains, it is very bad.

What are the security risks of setting Access-Control-Allow-Origin? :

By responding with Access-Control-Allow-Origin: *, the requested resource allows sharing with every origin. This basically means that any site can send an XHR request to your site and access the server’s response which would not be the case if you hadn’t implemented this CORS response.

So any site can make a request to your site on behalf of their visitors and process its response. If you have something implemented like an authentication or authorization scheme that is based on something that is automatically provided by the browser (cookies, cookie-based sessions, etc.), the requests triggered by the third party sites will use them too.


When accessing a ressource from a website with a different domain/port, recent browsers refuse to interpret response because of CORS mechanism. The server needs to put some headers to allow browsers to interpret responses.

http headers

  • "Access-Control-Allow-Origin: *" allow all domains
  • "Access-Control-Allow-Origin:" specify a defined domain list.
  • NOTE : Domain list is not allow, a single value is allowed. So the server MUST do the check by itself and set it if contained in the list. For example if u have a system to configure the allowed origin list in your backend, when writing headers in the response, u compare the request origin with your configured list, if it is u set the header with the request origin value, if not you set nothing.
  • "Access-Control-Allow-Credentials: true" to also send the cookies

Accessing custom headers in response

Server MUST return Access-Control-Expose-Headers containing the exposed headers. Without that header, the javascript client CANNOT read them.



Play! Impl

Need to add a route for OPTIONS http method and a suited controller. route ex :

OPTIONS       /*path                 controllers.CorsCtrl.checkPreFlight(path)

Angular perform OPTIONS action instead of POST

results for ""

    No results matching ""