(Go: >> BACK << -|- >> HOME <<)
SlideShare a Scribd company logo

Cross-domain requests with CORS

Vladimir Dzhuvinov
Vladimir Dzhuvinov

The future of the web is cross-domain, not same origin. Introduction to CORS requests and how they are handled by the browser and the web server.

1 of 18
Download to read offline
Cross-domain requests with CORS Vladimir Dzhuvinov @dzhuvinov
History ● 1989 The web and HTTP get invented ● 1994 Netscape Navigator ● 1995 JavaScript ● 1999 IE 5 brings XMLHttpRequest ● 2000+ The web becomes dynamic :-)
Dynamic web 2.0 vs same origin policy Browser * renders HTML * executes JS HTTP server (the origin) http://alice.org Web Service http://bob.com serves HTML page XHR allowed XHR denied
The future of the web is cross-domain, not same origin
The first approach at solving the cross-domain problem ● JSONp ● Ugly hack ● Relies on dynamic loading of <script> tags from servers that are not on the same domain
What web gurus decided to do ● Create a new standard protocol for cross-domain XHR: – Define origin: RFC 6454 – Define cross-domain requests: W3C Cross-Origin Resource Sharing (CORS) – Extend existing XMLHttpRequest object ● A 9 year effort!
Gurus such as...
The web origin concept Examples of same origin: http://hackafe.org:8080/files/hello-world?q=123 ORIGIN Defined in RFC 6454, published 2011, by Adam Barth / Google Defined by matching: * schema * host * port http://hackafe.org:8080/files/hello-world http://hackafe.org:8080/files/ http://hackafe.org:8080
For CORS to work HTTP servers must opt-in CORS web service http://bob.com Browser * script XHR “Yes, I'm willing to serve CORS requests!”
Simple CORS request ● Methods: – GET – HEAD – POST ● Request headers: – Accept – Accept-Language – Content-Language – Content-Type: ● text/plain ● application/x-www-form-urlencoded ● multipart/form-data
Simple CORS request 1. JS originating from http://alice.org: var client = new XMLHttpRequest() client.open("GET", "http://bob.com/hello") client.onreadystatechange = function() { /* do something */ } client.send() 2. HTTP Request browser → CORS server: GET /hello HTTP/1.1 Host: http://bob.com Origin: http://alice.org 3. HTTP Response CORS server → browser: HTTP/1.1 200 OK Access-Control-Allow-Origin: http://alice.org Content-Type: text/plain Hello world!
Preflight request ● For methods other than GET, HEAD and POST ● For credentials, such as cookies, HTTP basic and tokens ● For request headers such as Content-Type: application/json ● To expose non-simple response headers to the JavaScript, e.g. X-Custom-Header
Preflight request with HTTP OPTIONS 1. HTTP Request browser → CORS server: OPTIONS /hello HTTP/1.1 Host: http://bob.com Origin: http://alice.org Access-Control-Request-Method: PUT Access-Control-Request-Headers: Content-Type, Authorization 2. HTTP Response CORS server → browser: HTTP/1.1 200 OK Access-Control-Allow-Origin: http://alice.org Access-Control-Allow-Methods: GET, POST, PUT, DELETE Access-Control-Allow-Headers: Content-Type, Authorization Access-Control-Expose-Headers: X-Custom-Header Access-Control-Allow-Credentials: true Access-Control-Max-Age: 3600
Handling CORS on the server side Servlets CORS Filter Cross-origin resources Java Web Server Incoming HTTP requests JSP Static files http://software.dzhuvinov.com/cors-filter.html You don't need to code anything, use existing CORS filters or modules
How to detect CORS support in the browser function browserSupportsCors() { if ("withCredentials" in new XMLHttpRequest()) return true; else if (typeof XDomainRequest == "object") return true; else return false; }
CORS support
Share cookies var xhr = new XMLHttpRequest(); var url = 'http://bar.other/resources/credentialed-content/'; xhr.open('GET', url, true); xhr.withCredentials = true; xhr.onreadystatechange = handler; xhr.send();
Thank you! Q + A?

More Related Content

What's hot

SOAP-based Web Services
SOAP-based Web ServicesSOAP-based Web Services
SOAP-based Web Services
Katrien Verbert
 
Asynchronous JavaScript & XML (AJAX)
Asynchronous JavaScript & XML (AJAX)Asynchronous JavaScript & XML (AJAX)
Asynchronous JavaScript & XML (AJAX)
Adnan Sohail
 
Introduction to the Web API
Introduction to the Web APIIntroduction to the Web API
Introduction to the Web API
Brad Genereaux
 
JSON: The Basics
JSON: The BasicsJSON: The Basics
JSON: The Basics
Jeff Fox
 
Offzone | Another waf bypass
Offzone | Another waf bypassOffzone | Another waf bypass
Offzone | Another waf bypass
Дмитрий Бумов
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versions
neexemil
 
JavaScript guide 2020 Learn JavaScript
JavaScript guide 2020 Learn JavaScriptJavaScript guide 2020 Learn JavaScript
JavaScript guide 2020 Learn JavaScript
Laurence Svekis ✔
 
Ajax Presentation
Ajax PresentationAjax Presentation
Ajax Presentation
alaa.moustafa
 
ES2015 / ES6: Basics of modern Javascript
ES2015 / ES6: Basics of modern JavascriptES2015 / ES6: Basics of modern Javascript
ES2015 / ES6: Basics of modern Javascript
Wojciech Dzikowski
 
Workshop 4: NodeJS. Express Framework & MongoDB.
Workshop 4: NodeJS. Express Framework & MongoDB.Workshop 4: NodeJS. Express Framework & MongoDB.
Workshop 4: NodeJS. Express Framework & MongoDB.
Visual Engineering
 
REST API and CRUD
REST API and CRUDREST API and CRUD
REST API and CRUD
Prem Sanil
 
Basics of JavaScript
Basics of JavaScriptBasics of JavaScript
Basics of JavaScript
Bala Narayanan
 
Web api
Web apiWeb api
Web api
Sudhakar Sharma
 
Sessions and cookies
Sessions and cookiesSessions and cookies
Sessions and cookies
www.netgains.org
 
Presentation1.pptx
Presentation1.pptxPresentation1.pptx
Presentation1.pptx
PradeepDyavannanavar
 
Pentest Application With GraphQL | Null Bangalore Meetup
Pentest Application With GraphQL | Null Bangalore Meetup Pentest Application With GraphQL | Null Bangalore Meetup
Pentest Application With GraphQL | Null Bangalore Meetup
Divyanshu
 
jQuery for beginners
jQuery for beginnersjQuery for beginners
jQuery for beginners
Arulmurugan Rajaraman
 
Http request smuggling
Http request smugglingHttp request smuggling
Http request smuggling
n|u - The Open Security Community
 
JavaScript Tutorial
JavaScript TutorialJavaScript Tutorial
JavaScript Tutorial
Bui Kiet
 
Understanding REST APIs in 5 Simple Steps
Understanding REST APIs in 5 Simple StepsUnderstanding REST APIs in 5 Simple Steps
Understanding REST APIs in 5 Simple Steps
Tessa Mero
 

What's hot (20)

SOAP-based Web Services
SOAP-based Web ServicesSOAP-based Web Services
SOAP-based Web Services
 
Asynchronous JavaScript & XML (AJAX)
Asynchronous JavaScript & XML (AJAX)Asynchronous JavaScript & XML (AJAX)
Asynchronous JavaScript & XML (AJAX)
 
Introduction to the Web API
Introduction to the Web APIIntroduction to the Web API
Introduction to the Web API
 
JSON: The Basics
JSON: The BasicsJSON: The Basics
JSON: The Basics
 
Offzone | Another waf bypass
Offzone | Another waf bypassOffzone | Another waf bypass
Offzone | Another waf bypass
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versions
 
JavaScript guide 2020 Learn JavaScript
JavaScript guide 2020 Learn JavaScriptJavaScript guide 2020 Learn JavaScript
JavaScript guide 2020 Learn JavaScript
 
Ajax Presentation
Ajax PresentationAjax Presentation
Ajax Presentation
 
ES2015 / ES6: Basics of modern Javascript
ES2015 / ES6: Basics of modern JavascriptES2015 / ES6: Basics of modern Javascript
ES2015 / ES6: Basics of modern Javascript
 
Workshop 4: NodeJS. Express Framework & MongoDB.
Workshop 4: NodeJS. Express Framework & MongoDB.Workshop 4: NodeJS. Express Framework & MongoDB.
Workshop 4: NodeJS. Express Framework & MongoDB.
 
REST API and CRUD
REST API and CRUDREST API and CRUD
REST API and CRUD
 
Basics of JavaScript
Basics of JavaScriptBasics of JavaScript
Basics of JavaScript
 
Web api
Web apiWeb api
Web api
 
Sessions and cookies
Sessions and cookiesSessions and cookies
Sessions and cookies
 
Presentation1.pptx
Presentation1.pptxPresentation1.pptx
Presentation1.pptx
 
Pentest Application With GraphQL | Null Bangalore Meetup
Pentest Application With GraphQL | Null Bangalore Meetup Pentest Application With GraphQL | Null Bangalore Meetup
Pentest Application With GraphQL | Null Bangalore Meetup
 
jQuery for beginners
jQuery for beginnersjQuery for beginners
jQuery for beginners
 
Http request smuggling
Http request smugglingHttp request smuggling
Http request smuggling
 
JavaScript Tutorial
JavaScript TutorialJavaScript Tutorial
JavaScript Tutorial
 
Understanding REST APIs in 5 Simple Steps
Understanding REST APIs in 5 Simple StepsUnderstanding REST APIs in 5 Simple Steps
Understanding REST APIs in 5 Simple Steps
 

Similar to Cross-domain requests with CORS

Design Web Service API by HungerStation
Design Web Service API by HungerStationDesign Web Service API by HungerStation
Design Web Service API by HungerStation
ArabNet ME
 
Using Communication and Messaging API in the HTML5 World
Using Communication and Messaging API in the HTML5 WorldUsing Communication and Messaging API in the HTML5 World
Using Communication and Messaging API in the HTML5 World
Gil Fink
 
Class 1 - World Wide Web Introduction
Class 1 - World Wide Web IntroductionClass 1 - World Wide Web Introduction
Class 1 - World Wide Web Introduction
Ahmed Swilam
 
Extensible web #html5j
Extensible web #html5jExtensible web #html5j
Extensible web #html5j
Jxck Jxck
 
2014 database - course 1 - www introduction
2014 database - course 1 - www introduction2014 database - course 1 - www introduction
2014 database - course 1 - www introduction
Hung-yu Lin
 
5-WebServers.ppt
5-WebServers.ppt5-WebServers.ppt
5-WebServers.ppt
webhostingguy
 
Type URL, Enter, and Then …
Type URL, Enter, and Then …Type URL, Enter, and Then …
Type URL, Enter, and Then …
Jinglun Li
 
JavaScript Service Worker Design Patterns for Better User Experience
JavaScript Service Worker Design Patterns for Better User ExperienceJavaScript Service Worker Design Patterns for Better User Experience
JavaScript Service Worker Design Patterns for Better User Experience
reeder29
 
Phone Home: A client-side error collection system
Phone Home: A client-side error collection systemPhone Home: A client-side error collection system
Phone Home: A client-side error collection system
Chris Birchall
 
5-WebServers.ppt
5-WebServers.ppt5-WebServers.ppt
5-WebServers.ppt
webhostingguy
 
Javascript cross domain communication
Javascript cross domain communicationJavascript cross domain communication
Javascript cross domain communication
ChenKuo Chen
 
Under the Covers with the Web
Under the Covers with the WebUnder the Covers with the Web
Under the Covers with the Web
Trevor Lohrbeer
 
Cors kung fu
Cors kung fuCors kung fu
Cors kung fu
Aditya Balapure
 
ITB_2023_CommandBox_Multi-Server_-_Brad_Wood.pdf
ITB_2023_CommandBox_Multi-Server_-_Brad_Wood.pdfITB_2023_CommandBox_Multi-Server_-_Brad_Wood.pdf
ITB_2023_CommandBox_Multi-Server_-_Brad_Wood.pdf
Ortus Solutions, Corp
 
Building Lightning Fast Websites (for Twin Cities .NET User Group)
Building Lightning Fast Websites (for Twin Cities .NET User Group)Building Lightning Fast Websites (for Twin Cities .NET User Group)
Building Lightning Fast Websites (for Twin Cities .NET User Group)
strommen
 
Websockets at tossug
Websockets at tossugWebsockets at tossug
Websockets at tossug
clkao
 
Top 10 HTML5 Features for Oracle Cloud Developers
Top 10 HTML5 Features for Oracle Cloud DevelopersTop 10 HTML5 Features for Oracle Cloud Developers
Top 10 HTML5 Features for Oracle Cloud Developers
Brian Huff
 
Software architecture for high traffic website
Software architecture for high traffic websiteSoftware architecture for high traffic website
Software architecture for high traffic website
Tung Nguyen Thanh
 
HTTP / 1, HTTP / 2 and HTTP / 3: Past, present and the future of APIs
HTTP / 1, HTTP / 2 and HTTP / 3: Past, present and the future of APIsHTTP / 1, HTTP / 2 and HTTP / 3: Past, present and the future of APIs
HTTP / 1, HTTP / 2 and HTTP / 3: Past, present and the future of APIs
Roan Brasil Monteiro
 
REST and JAX-RS
REST and JAX-RSREST and JAX-RS
REST and JAX-RS
Guy Nir
 

Similar to Cross-domain requests with CORS (20)

Design Web Service API by HungerStation
Design Web Service API by HungerStationDesign Web Service API by HungerStation
Design Web Service API by HungerStation
 
Using Communication and Messaging API in the HTML5 World
Using Communication and Messaging API in the HTML5 WorldUsing Communication and Messaging API in the HTML5 World
Using Communication and Messaging API in the HTML5 World
 
Class 1 - World Wide Web Introduction
Class 1 - World Wide Web IntroductionClass 1 - World Wide Web Introduction
Class 1 - World Wide Web Introduction
 
Extensible web #html5j
Extensible web #html5jExtensible web #html5j
Extensible web #html5j
 
2014 database - course 1 - www introduction
2014 database - course 1 - www introduction2014 database - course 1 - www introduction
2014 database - course 1 - www introduction
 
5-WebServers.ppt
5-WebServers.ppt5-WebServers.ppt
5-WebServers.ppt
 
Type URL, Enter, and Then …
Type URL, Enter, and Then …Type URL, Enter, and Then …
Type URL, Enter, and Then …
 
JavaScript Service Worker Design Patterns for Better User Experience
JavaScript Service Worker Design Patterns for Better User ExperienceJavaScript Service Worker Design Patterns for Better User Experience
JavaScript Service Worker Design Patterns for Better User Experience
 
Phone Home: A client-side error collection system
Phone Home: A client-side error collection systemPhone Home: A client-side error collection system
Phone Home: A client-side error collection system
 
5-WebServers.ppt
5-WebServers.ppt5-WebServers.ppt
5-WebServers.ppt
 
Javascript cross domain communication
Javascript cross domain communicationJavascript cross domain communication
Javascript cross domain communication
 
Under the Covers with the Web
Under the Covers with the WebUnder the Covers with the Web
Under the Covers with the Web
 
Cors kung fu
Cors kung fuCors kung fu
Cors kung fu
 
ITB_2023_CommandBox_Multi-Server_-_Brad_Wood.pdf
ITB_2023_CommandBox_Multi-Server_-_Brad_Wood.pdfITB_2023_CommandBox_Multi-Server_-_Brad_Wood.pdf
ITB_2023_CommandBox_Multi-Server_-_Brad_Wood.pdf
 
Building Lightning Fast Websites (for Twin Cities .NET User Group)
Building Lightning Fast Websites (for Twin Cities .NET User Group)Building Lightning Fast Websites (for Twin Cities .NET User Group)
Building Lightning Fast Websites (for Twin Cities .NET User Group)
 
Websockets at tossug
Websockets at tossugWebsockets at tossug
Websockets at tossug
 
Top 10 HTML5 Features for Oracle Cloud Developers
Top 10 HTML5 Features for Oracle Cloud DevelopersTop 10 HTML5 Features for Oracle Cloud Developers
Top 10 HTML5 Features for Oracle Cloud Developers
 
Software architecture for high traffic website
Software architecture for high traffic websiteSoftware architecture for high traffic website
Software architecture for high traffic website
 
HTTP / 1, HTTP / 2 and HTTP / 3: Past, present and the future of APIs
HTTP / 1, HTTP / 2 and HTTP / 3: Past, present and the future of APIsHTTP / 1, HTTP / 2 and HTTP / 3: Past, present and the future of APIs
HTTP / 1, HTTP / 2 and HTTP / 3: Past, present and the future of APIs
 
REST and JAX-RS
REST and JAX-RSREST and JAX-RS
REST and JAX-RS
 

More from Vladimir Dzhuvinov

Криптография за уеб и мобилни разработчици
Криптография за уеб и мобилни разработчициКриптография за уеб и мобилни разработчици
Криптография за уеб и мобилни разработчици
Vladimir Dzhuvinov
 
New money
New moneyNew money
New money
Vladimir Dzhuvinov
 
Mind patterns and anti-patterns
Mind patterns and anti-patternsMind patterns and anti-patterns
Mind patterns and anti-patterns
Vladimir Dzhuvinov
 
Protecting web APIs with OAuth 2.0
Protecting web APIs with OAuth 2.0Protecting web APIs with OAuth 2.0
Protecting web APIs with OAuth 2.0
Vladimir Dzhuvinov
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
Vladimir Dzhuvinov
 
JSON Web Tokens (JWT)
JSON Web Tokens (JWT)JSON Web Tokens (JWT)
JSON Web Tokens (JWT)
Vladimir Dzhuvinov
 
Plovdev 2013: How to be a better programmer, beyond programming
Plovdev 2013: How to be a better programmer, beyond programmingPlovdev 2013: How to be a better programmer, beyond programming
Plovdev 2013: How to be a better programmer, beyond programming
Vladimir Dzhuvinov
 
Binding components, events + data sources in HTML + JS
Binding components, events + data sources in HTML + JSBinding components, events + data sources in HTML + JS
Binding components, events + data sources in HTML + JS
Vladimir Dzhuvinov
 

More from Vladimir Dzhuvinov (8)

Криптография за уеб и мобилни разработчици
Криптография за уеб и мобилни разработчициКриптография за уеб и мобилни разработчици
Криптография за уеб и мобилни разработчици
 
New money
New moneyNew money
New money
 
Mind patterns and anti-patterns
Mind patterns and anti-patternsMind patterns and anti-patterns
Mind patterns and anti-patterns
 
Protecting web APIs with OAuth 2.0
Protecting web APIs with OAuth 2.0Protecting web APIs with OAuth 2.0
Protecting web APIs with OAuth 2.0
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
 
JSON Web Tokens (JWT)
JSON Web Tokens (JWT)JSON Web Tokens (JWT)
JSON Web Tokens (JWT)
 
Plovdev 2013: How to be a better programmer, beyond programming
Plovdev 2013: How to be a better programmer, beyond programmingPlovdev 2013: How to be a better programmer, beyond programming
Plovdev 2013: How to be a better programmer, beyond programming
 
Binding components, events + data sources in HTML + JS
Binding components, events + data sources in HTML + JSBinding components, events + data sources in HTML + JS
Binding components, events + data sources in HTML + JS
 

Recently uploaded

Founders Of Digital World Social Media..
Founders Of Digital World Social Media..Founders Of Digital World Social Media..
Founders Of Digital World Social Media..
jom pom
 
Book dating , international dating phgra
Book dating , international dating phgraBook dating , international dating phgra
Book dating , international dating phgra
thomaskurtha9
 
一比一原版(爱大毕业证书)爱丁堡大学毕业证如何办理
一比一原版(爱大毕业证书)爱丁堡大学毕业证如何办理一比一原版(爱大毕业证书)爱丁堡大学毕业证如何办理
一比一原版(爱大毕业证书)爱丁堡大学毕业证如何办理
taqyea
 
202254.com全网最高清影视香蕉影视,热门电影推荐,热门电视剧在线观看,免费电影,电影在线,在线观看。球华人在线電視劇,免费点播,免费提供最新高清的...
202254.com全网最高清影视香蕉影视,热门电影推荐,热门电视剧在线观看,免费电影,电影在线,在线观看。球华人在线電視劇,免费点播,免费提供最新高清的...202254.com全网最高清影视香蕉影视,热门电影推荐,热门电视剧在线观看,免费电影,电影在线,在线观看。球华人在线電視劇,免费点播,免费提供最新高清的...
202254.com全网最高清影视香蕉影视,热门电影推荐,热门电视剧在线观看,免费电影,电影在线,在线观看。球华人在线電視劇,免费点播,免费提供最新高清的...
ffg01100
 
一比一原版(爱大毕业证书)英国爱丁堡大学毕业证如何办理
一比一原版(爱大毕业证书)英国爱丁堡大学毕业证如何办理一比一原版(爱大毕业证书)英国爱丁堡大学毕业证如何办理
一比一原版(爱大毕业证书)英国爱丁堡大学毕业证如何办理
taqyea
 
Carrington degree offer diploma Transcript
Carrington degree offer diploma TranscriptCarrington degree offer diploma Transcript
Carrington degree offer diploma Transcript
ubufe
 
( Call  ) Girls South Ex 9873777170 High Profile beauty lady
( Call  ) Girls South Ex 9873777170 High Profile beauty lady( Call  ) Girls South Ex 9873777170 High Profile beauty lady
( Call  ) Girls South Ex 9873777170 High Profile beauty lady
Hyderabad Escorts Agency
 
Bai-Tập-Tiếng-Anh-On-Tập-He lớp 1- lớp 5 hot nhất
Bai-Tập-Tiếng-Anh-On-Tập-He lớp 1- lớp 5 hot nhấtBai-Tập-Tiếng-Anh-On-Tập-He lớp 1- lớp 5 hot nhất
Bai-Tập-Tiếng-Anh-On-Tập-He lớp 1- lớp 5 hot nhất
Thiên Đường Tình Yêu
 
一比一原版(brunel毕业证书)英国布鲁内尔大学毕业证如何办理
一比一原版(brunel毕业证书)英国布鲁内尔大学毕业证如何办理一比一原版(brunel毕业证书)英国布鲁内尔大学毕业证如何办理
一比一原版(brunel毕业证书)英国布鲁内尔大学毕业证如何办理
taqyea
 
@Call @Girls Worli phone 9920874524 You Are Serach A Beautyfull Dolle come here
@Call @Girls Worli phone 9920874524 You Are Serach A Beautyfull Dolle come here@Call @Girls Worli phone 9920874524 You Are Serach A Beautyfull Dolle come here
@Call @Girls Worli phone 9920874524 You Are Serach A Beautyfull Dolle come here
Disha Mukharji
 
一比一原版(kcl毕业证书)英国伦敦国王学院毕业证如何办理
一比一原版(kcl毕业证书)英国伦敦国王学院毕业证如何办理一比一原版(kcl毕业证书)英国伦敦国王学院毕业证如何办理
一比一原版(kcl毕业证书)英国伦敦国王学院毕业证如何办理
taqyea
 
Kharghar @Call @Girls Whatsapp 9930687706 With High Profile Offer
Kharghar @Call @Girls Whatsapp 9930687706 With High Profile OfferKharghar @Call @Girls Whatsapp 9930687706 With High Profile Offer
Kharghar @Call @Girls Whatsapp 9930687706 With High Profile Offer
sonamgerg
 
一比一原版(liverpool毕业证)利物浦大学毕业证如何办理
一比一原版(liverpool毕业证)利物浦大学毕业证如何办理一比一原版(liverpool毕业证)利物浦大学毕业证如何办理
一比一原版(liverpool毕业证)利物浦大学毕业证如何办理
mvahxyy
 
一比一原版美国休斯敦大学毕业证(uh毕业证书)如何办理
一比一原版美国休斯敦大学毕业证(uh毕业证书)如何办理一比一原版美国休斯敦大学毕业证(uh毕业证书)如何办理
一比一原版美国休斯敦大学毕业证(uh毕业证书)如何办理
taqyea
 
一比一原版(london毕业证书)英国伦敦大学毕业证如何办理
一比一原版(london毕业证书)英国伦敦大学毕业证如何办理一比一原版(london毕业证书)英国伦敦大学毕业证如何办理
一比一原版(london毕业证书)英国伦敦大学毕业证如何办理
taqyea
 
sophos-xgs-series-firewall-datasheet.pdf
sophos-xgs-series-firewall-datasheet.pdfsophos-xgs-series-firewall-datasheet.pdf
sophos-xgs-series-firewall-datasheet.pdf
Thanksoan
 
Tama Tonga MFT T shirts Tama Tonga MFT T shirts
Tama Tonga MFT T shirts Tama Tonga MFT T shirtsTama Tonga MFT T shirts Tama Tonga MFT T shirts
Tama Tonga MFT T shirts Tama Tonga MFT T shirts
exgf28
 
一比一原版(ubc毕业证书)英属哥伦比亚大学毕业证如何办理
一比一原版(ubc毕业证书)英属哥伦比亚大学毕业证如何办理一比一原版(ubc毕业证书)英属哥伦比亚大学毕业证如何办理
一比一原版(ubc毕业证书)英属哥伦比亚大学毕业证如何办理
taqyea
 
very nice project on internet class 10.pptx
very nice project on internet class 10.pptxvery nice project on internet class 10.pptx
very nice project on internet class 10.pptx
bazukagaming6
 
Cyber Security Course & Guide. X.GI. pdf
Cyber Security Course & Guide. X.GI. pdfCyber Security Course & Guide. X.GI. pdf
Cyber Security Course & Guide. X.GI. pdf
RohitRoshanBengROHIT
 

Recently uploaded (20)

Founders Of Digital World Social Media..
Founders Of Digital World Social Media..Founders Of Digital World Social Media..
Founders Of Digital World Social Media..
 
Book dating , international dating phgra
Book dating , international dating phgraBook dating , international dating phgra
Book dating , international dating phgra
 
一比一原版(爱大毕业证书)爱丁堡大学毕业证如何办理
一比一原版(爱大毕业证书)爱丁堡大学毕业证如何办理一比一原版(爱大毕业证书)爱丁堡大学毕业证如何办理
一比一原版(爱大毕业证书)爱丁堡大学毕业证如何办理
 
202254.com全网最高清影视香蕉影视,热门电影推荐,热门电视剧在线观看,免费电影,电影在线,在线观看。球华人在线電視劇,免费点播,免费提供最新高清的...
202254.com全网最高清影视香蕉影视,热门电影推荐,热门电视剧在线观看,免费电影,电影在线,在线观看。球华人在线電視劇,免费点播,免费提供最新高清的...202254.com全网最高清影视香蕉影视,热门电影推荐,热门电视剧在线观看,免费电影,电影在线,在线观看。球华人在线電視劇,免费点播,免费提供最新高清的...
202254.com全网最高清影视香蕉影视,热门电影推荐,热门电视剧在线观看,免费电影,电影在线,在线观看。球华人在线電視劇,免费点播,免费提供最新高清的...
 
一比一原版(爱大毕业证书)英国爱丁堡大学毕业证如何办理
一比一原版(爱大毕业证书)英国爱丁堡大学毕业证如何办理一比一原版(爱大毕业证书)英国爱丁堡大学毕业证如何办理
一比一原版(爱大毕业证书)英国爱丁堡大学毕业证如何办理
 
Carrington degree offer diploma Transcript
Carrington degree offer diploma TranscriptCarrington degree offer diploma Transcript
Carrington degree offer diploma Transcript
 
( Call  ) Girls South Ex 9873777170 High Profile beauty lady
( Call  ) Girls South Ex 9873777170 High Profile beauty lady( Call  ) Girls South Ex 9873777170 High Profile beauty lady
( Call  ) Girls South Ex 9873777170 High Profile beauty lady
 
Bai-Tập-Tiếng-Anh-On-Tập-He lớp 1- lớp 5 hot nhất
Bai-Tập-Tiếng-Anh-On-Tập-He lớp 1- lớp 5 hot nhấtBai-Tập-Tiếng-Anh-On-Tập-He lớp 1- lớp 5 hot nhất
Bai-Tập-Tiếng-Anh-On-Tập-He lớp 1- lớp 5 hot nhất
 
一比一原版(brunel毕业证书)英国布鲁内尔大学毕业证如何办理
一比一原版(brunel毕业证书)英国布鲁内尔大学毕业证如何办理一比一原版(brunel毕业证书)英国布鲁内尔大学毕业证如何办理
一比一原版(brunel毕业证书)英国布鲁内尔大学毕业证如何办理
 
@Call @Girls Worli phone 9920874524 You Are Serach A Beautyfull Dolle come here
@Call @Girls Worli phone 9920874524 You Are Serach A Beautyfull Dolle come here@Call @Girls Worli phone 9920874524 You Are Serach A Beautyfull Dolle come here
@Call @Girls Worli phone 9920874524 You Are Serach A Beautyfull Dolle come here
 
一比一原版(kcl毕业证书)英国伦敦国王学院毕业证如何办理
一比一原版(kcl毕业证书)英国伦敦国王学院毕业证如何办理一比一原版(kcl毕业证书)英国伦敦国王学院毕业证如何办理
一比一原版(kcl毕业证书)英国伦敦国王学院毕业证如何办理
 
Kharghar @Call @Girls Whatsapp 9930687706 With High Profile Offer
Kharghar @Call @Girls Whatsapp 9930687706 With High Profile OfferKharghar @Call @Girls Whatsapp 9930687706 With High Profile Offer
Kharghar @Call @Girls Whatsapp 9930687706 With High Profile Offer
 
一比一原版(liverpool毕业证)利物浦大学毕业证如何办理
一比一原版(liverpool毕业证)利物浦大学毕业证如何办理一比一原版(liverpool毕业证)利物浦大学毕业证如何办理
一比一原版(liverpool毕业证)利物浦大学毕业证如何办理
 
一比一原版美国休斯敦大学毕业证(uh毕业证书)如何办理
一比一原版美国休斯敦大学毕业证(uh毕业证书)如何办理一比一原版美国休斯敦大学毕业证(uh毕业证书)如何办理
一比一原版美国休斯敦大学毕业证(uh毕业证书)如何办理
 
一比一原版(london毕业证书)英国伦敦大学毕业证如何办理
一比一原版(london毕业证书)英国伦敦大学毕业证如何办理一比一原版(london毕业证书)英国伦敦大学毕业证如何办理
一比一原版(london毕业证书)英国伦敦大学毕业证如何办理
 
sophos-xgs-series-firewall-datasheet.pdf
sophos-xgs-series-firewall-datasheet.pdfsophos-xgs-series-firewall-datasheet.pdf
sophos-xgs-series-firewall-datasheet.pdf
 
Tama Tonga MFT T shirts Tama Tonga MFT T shirts
Tama Tonga MFT T shirts Tama Tonga MFT T shirtsTama Tonga MFT T shirts Tama Tonga MFT T shirts
Tama Tonga MFT T shirts Tama Tonga MFT T shirts
 
一比一原版(ubc毕业证书)英属哥伦比亚大学毕业证如何办理
一比一原版(ubc毕业证书)英属哥伦比亚大学毕业证如何办理一比一原版(ubc毕业证书)英属哥伦比亚大学毕业证如何办理
一比一原版(ubc毕业证书)英属哥伦比亚大学毕业证如何办理
 
very nice project on internet class 10.pptx
very nice project on internet class 10.pptxvery nice project on internet class 10.pptx
very nice project on internet class 10.pptx
 
Cyber Security Course & Guide. X.GI. pdf
Cyber Security Course & Guide. X.GI. pdfCyber Security Course & Guide. X.GI. pdf
Cyber Security Course & Guide. X.GI. pdf
 

Cross-domain requests with CORS

  • 1. Cross-domain requests with CORS Vladimir Dzhuvinov @dzhuvinov
  • 2. History ● 1989 The web and HTTP get invented ● 1994 Netscape Navigator ● 1995 JavaScript ● 1999 IE 5 brings XMLHttpRequest ● 2000+ The web becomes dynamic :-)
  • 3. Dynamic web 2.0 vs same origin policy Browser * renders HTML * executes JS HTTP server (the origin) http://alice.org Web Service http://bob.com serves HTML page XHR allowed XHR denied
  • 4. The future of the web is cross-domain, not same origin
  • 5. The first approach at solving the cross-domain problem ● JSONp ● Ugly hack ● Relies on dynamic loading of <script> tags from servers that are not on the same domain
  • 6. What web gurus decided to do ● Create a new standard protocol for cross-domain XHR: – Define origin: RFC 6454 – Define cross-domain requests: W3C Cross-Origin Resource Sharing (CORS) – Extend existing XMLHttpRequest object ● A 9 year effort!
  • 8. The web origin concept Examples of same origin: http://hackafe.org:8080/files/hello-world?q=123 ORIGIN Defined in RFC 6454, published 2011, by Adam Barth / Google Defined by matching: * schema * host * port http://hackafe.org:8080/files/hello-world http://hackafe.org:8080/files/ http://hackafe.org:8080
  • 9. For CORS to work HTTP servers must opt-in CORS web service http://bob.com Browser * script XHR “Yes, I'm willing to serve CORS requests!”
  • 10. Simple CORS request ● Methods: – GET – HEAD – POST ● Request headers: – Accept – Accept-Language – Content-Language – Content-Type: ● text/plain ● application/x-www-form-urlencoded ● multipart/form-data
  • 11. Simple CORS request 1. JS originating from http://alice.org: var client = new XMLHttpRequest() client.open("GET", "http://bob.com/hello") client.onreadystatechange = function() { /* do something */ } client.send() 2. HTTP Request browser → CORS server: GET /hello HTTP/1.1 Host: http://bob.com Origin: http://alice.org 3. HTTP Response CORS server → browser: HTTP/1.1 200 OK Access-Control-Allow-Origin: http://alice.org Content-Type: text/plain Hello world!
  • 12. Preflight request ● For methods other than GET, HEAD and POST ● For credentials, such as cookies, HTTP basic and tokens ● For request headers such as Content-Type: application/json ● To expose non-simple response headers to the JavaScript, e.g. X-Custom-Header
  • 13. Preflight request with HTTP OPTIONS 1. HTTP Request browser → CORS server: OPTIONS /hello HTTP/1.1 Host: http://bob.com Origin: http://alice.org Access-Control-Request-Method: PUT Access-Control-Request-Headers: Content-Type, Authorization 2. HTTP Response CORS server → browser: HTTP/1.1 200 OK Access-Control-Allow-Origin: http://alice.org Access-Control-Allow-Methods: GET, POST, PUT, DELETE Access-Control-Allow-Headers: Content-Type, Authorization Access-Control-Expose-Headers: X-Custom-Header Access-Control-Allow-Credentials: true Access-Control-Max-Age: 3600
  • 14. Handling CORS on the server side Servlets CORS Filter Cross-origin resources Java Web Server Incoming HTTP requests JSP Static files http://software.dzhuvinov.com/cors-filter.html You don't need to code anything, use existing CORS filters or modules
  • 15. How to detect CORS support in the browser function browserSupportsCors() { if ("withCredentials" in new XMLHttpRequest()) return true; else if (typeof XDomainRequest == "object") return true; else return false; }
  • 17. Share cookies var xhr = new XMLHttpRequest(); var url = 'http://bar.other/resources/credentialed-content/'; xhr.open('GET', url, true); xhr.withCredentials = true; xhr.onreadystatechange = handler; xhr.send();
  • 18. Thank you! Q + A?