The policy permits scripts running on pages originating from the same site – a combination of scheme, hostname, and port number – to access each other's DOM with no specific restrictions, but prevents access to DOM on different sites. Same-origin policy also applies to
XMLHttpRequest
and torobots.txt
.
CORS configuration is server-side.
A server using "Access-Control-Allow-Origin: *"
allows all domains, it is very bad.
What are the security risks of setting Access-Control-Allow-Origin? : stackoverflow.com
By responding with
Access-Control-Allow-Origin: *
, the requested resource allows sharing with every origin. This basically means that any site can send an XHR request to your site and access the server’s response which would not be the case if you hadn’t implemented this CORS response.So any site can make a request to your site on behalf of their visitors and process its response. If you have something implemented like an authentication or authorization scheme that is based on something that is automatically provided by the browser (cookies, cookie-based sessions, etc.), the requests triggered by the third party sites will use them too.
When accessing a ressource from a website with a different domain/port, recent browsers refuse to interpret response because of CORS mechanism. The server needs to put some headers to allow browsers to interpret responses.
"Access-Control-Allow-Origin: *"
allow all domains"Access-Control-Allow-Origin: http://example.com:8080 http://foo.example.com"
specify a defined domain list."Access-Control-Allow-Credentials: true"
to also send the cookiesServer MUST return Access-Control-Expose-Headers
containing the exposed headers.
Without that header, the javascript client CANNOT read them.
Need to add a route for OPTIONS
http method and a suited controller.
route ex :
OPTIONS /*path controllers.CorsCtrl.checkPreFlight(path)