What is CORS ?

As a security reasons, web browsers implement same-origin policy, which means requesting data from same domain is allowed. Data requested using different domain will throw an error.

CORS (Cross-Origin Resource Sharing) is a http-based mechanism that enables the browser to access resources outside a given domain.

When a browser makes a cross-origin request, it will add an http Origin header that states the protocol and port number. The server responds and add an "Access-Control-Allow-Origin" header in the response to browser.

If the header's origin is the same as the origin sent in the request then access to the resourse is granted. The CORS mechanism supports secure cross-origin requests and data transfers between browsers and servers.

###  What kind of requests uses CORS ?
CORS enable the cross origin requests like:
1. Access CSS resource like web-fonts , images etc. 
2. Invocations of the XMLHttpRequest or Fetch APIs (The Fetch API provides an interface for fetching resources. )

### CORS with Preflight Requests
Some HTTP methods (except GET, POST, HEAD) require a preflight request before the main request is sent to the server.
Preflight request start with the browser sending an HTTP OPTION request with the proposed request method of the main request. 



	OPTION/
    Host: www.myservice.com
	Origin: http://www.myclient.com
	Access-Control-Request-Method: POST




The server will respond with the Access-Control-Allow-Method header. If the browser requesting a method that resource holder consider invalid then request fails with error. If not, request is accepted and the main CORS request follows.
If server willing to accept the request then server respond as follow:


    HTTP 200 OK
    Access-Control-Allow-Origin: http://www.myclient.com
    Access-Control-Allow-Methods: POST, GET, OPTIONS
	Access-Control-Allow-Headers: X-PINGOTHER, Content-Type
	Access-Control-Max-Age: 86400



The response from server may also contain an Access-Control-Max-Age"  header that specify the time the response must be cached within . 
Using this header the browser/client won't need to send a preflight reqeust everytime it want to access the CORS resource.

### How to enable CORS in Chrome browser ?

You can disable the same origin security policy in chrome browser using following command.
*Note : Close all the chrome instances before running below command*

```
chrome.exe  --disable-site-isolation-trials --disable-web-security --user-data-dir="[some_user_directory]"
```
when you open chrome browser again you might get message prompt like:

```
You are using an unsupported command-line flag: --disable-web-security. Stability and security will suffer.
```

Comments

Post a Comment

Popular posts from this blog

Creating simple Maven multi module project in Java

Image
In this post, I will discuss how to create a simple Maven multi-module project. In multi-module projects, we have multiple modules to be built using Maven. We have external dependencies as well as internal dependencies between different modules. Let's figure out how we can create multi-modules projects in Maven and how the internal and external dependencies are handled by Maven during the build process?. Technologies used: Maven 3.3.3 JDK 1.6 Simple Structure for Multi-Module Project There are multiple ways to create the structure for multi-module maven projects. It depends on the project requirements, code repository structure, and project lifecycle (need for parent pom release, packaging, etc.). One of the simplest structures is given below: Sample Project - RoketApp In order to understand in a better way, let us create a sample multi-module project - RocketApp , similar to the above structure. RocketApp consist of two module - rocket-core & rocket-ut...
Read more

Tricky Java Questions

Image
Java is most popular programming language. It is widely used programming languange and has many job opportunities. Interviewers often ask tricky questions to check the candidate knowldege about Java programming language. Sometimes experienced programmers also fail to answer tricky questions. In this post, I have picked few conceptual questions that will helped you to have better understanding of Java language. #### Q-1: what will be output of following code ? ``` public static void main(String[] args) { Integer number1 = 100; Integer number2 = 100; if (number1 == number2) { System.out.println("number1 == number2"); } else { System.out.println("number1 != number2"); } ``` #### Answer: ``` number1 == number2" ``` We have compared the references of two Integers. The result is surprising !!!. This is because of the autoboxing. Java uses IntegerCache to suppor...
Read more

How to update existing CCDT file (AMQCLCHL.TAB) for successful MQueue connection

The client channel definition table ( CCDT) file contains the MQ channels definitions and authentication information used by the client program/application to connect to the queue manager. It is a binary file so we cannot modify using any text editor. Change in the channel properties like SSLCIPH, USERID, etc. in Queue manager also required change in the CCDT file. Otherwise, it will break the application MQ connection. From IBM MQ v8.0 onwards we can create and modify the CCDT file on client machines directly. Below are the steps to modify the existing CCDT file. Set the necessary environment properties First set the location of CCDT on the client machine. You can do it using the following environment variables: MQCHLLIB – Specify the directory path where the CCDT file is located. MQCHLTAB – Specify the file name of CCDT (a default name – AMQCLCHL.TAB) #Only path (exclud...
Read more