Cross-Origin Resource Sharing
Encyclopedia
Cross-Origin Resource Sharing (CORS) is a web browser
technology specification, which defines ways for a web server to allow its resources be accessed by a web page from a different domain. Such access would otherwise be forbidden by the same origin policy
.
The following browsers are also noteworthy in their lack of CORS support:
in March 2004 for inclusion in VoiceXML
2.1 to allow safe cross-origin data requests by VoiceXML browsers. The mechanism was deemed general in nature and not specific to VoiceXML and was subsequently separated into an implementation NOTE. The WebApps Working Group of the W3C with participation from the major browser vendors began to formalize the NOTE into a W3C Working Draft on track toward formal W3C Recommendation status.
pattern. While JSONP supports only the GET request method, CORS also supports other types of HTTP requests. Using CORS enables a web programmer to use regular XMLHttpRequest
which supports better error handling than JSONP. On the other hand, JSONP works on legacy browsers which preclude CORS support. CORS is supported by most modern web browsers.
Web browser
A web browser is a software application for retrieving, presenting, and traversing information resources on the World Wide Web. An information resource is identified by a Uniform Resource Identifier and may be a web page, image, video, or other piece of content...
technology specification, which defines ways for a web server to allow its resources be accessed by a web page from a different domain. Such access would otherwise be forbidden by the same origin policy
Same origin policy
In computing, the same origin policy is an important security concept for a number of browser-side programming languages, such as JavaScript. The policy permits scripts running on pages originating from the same site to access each other's methods and properties with no specific restrictions, but...
.
Browser support
CORS is supported by all browsers based on the following layout engines:- GeckoGeckoGeckos are lizards belonging to the infraorder Gekkota, found in warm climates throughout the world. They range from 1.6 cm to 60 cm....
1.9.1 (Firefox 3.5, SeaMonkey 2.0) and above - WebKitWebKitWebKit is a layout engine designed to allow web browsers to render web pages. WebKit powers Google Chrome and Apple Safari and by October 2011 held over 33% of the browser market share between them. It is also used as the basis for the experimental browser included with the Amazon Kindle ebook...
(Initial revision uncertain, Safari 4 and above, Google Chrome 3 and above... possibly earlier) - MSHTML/TridentTrident (layout engine)Trident is the name of the layout engine for the Microsoft Windows version of Internet Explorer.It was first introduced with the release of Internet Explorer version 4.0 in October 1997; it has been steadily upgraded and remains in use today...
4.0 (Internet Explorer 8) provides partial support via the XDomainRequest object.
The following browsers are also noteworthy in their lack of CORS support:
- No PrestoPresto (layout engine)Presto is the layout engine for later versions of the Opera web browser . After several public betas and technical previews, it was released on January 28, 2003 in Opera 7 for Windows, and as of Opera 11 it is still in use. Presto is dynamic: the page or parts of it can be re-rendered in response...
-based browser implements CORS as of OperaOpera (web browser)Opera is a web browser and Internet suite developed by Opera Software with over 200 million users worldwide. The browser handles common Internet-related tasks such as displaying web sites, sending and receiving e-mail messages, managing contacts, chatting on IRC, downloading files via BitTorrent,...
11.5, Opera MobileOpera MobileOpera Mobile is a web browser for smartphones and PDA's developed by the Opera Software company. The first version was released in 2000 for the Psion Series 7 and netBook. Today, it is available for a variety of devices that run on Android, S60, Windows Mobile, Maemo , and MeeGo...
11.1, and Opera MiniOpera MiniOpera Mini is a web browser designed primarily for mobile phones, smartphones and personal digital assistants. Until version 4 it used the Java ME platform, requiring the mobile device to run Java ME applications. From version 5 it is also available as a native application for Android, iOS, Symbian...
Mini 6.0. - CaminoCaminoCamino is a free, open source, GUI-based Web browser based on Mozilla's Gecko layout engine and specifically designed for the Mac OS X operating system...
does not implement CORS in the 2.0.x release series as these versions are based on Gecko 1.9.0. - As of version 0.10.2, Arora exposes WebKit's CORS-related APIs, but attempted cross-origin requests will fail.
History
Cross-origin support was originally proposed by Matt Oshry, Brad Porter, and Michael Bodell of Tellme NetworksTellme Networks
Tellme. Networks, Inc. is a company founded in 1999 by Mike McCue and Angus Davis, based out of Mountain View, California, in the United States, that specializes in telephone-based applications....
in March 2004 for inclusion in VoiceXML
VoiceXML
VoiceXML is the W3C's standard XML format for specifying interactive voice dialogues between a human and a computer. It allows voice applications to be developed and deployed in an analogous way to HTML for visual applications. Just as HTML documents are interpreted by a visual web browser,...
2.1 to allow safe cross-origin data requests by VoiceXML browsers. The mechanism was deemed general in nature and not specific to VoiceXML and was subsequently separated into an implementation NOTE. The WebApps Working Group of the W3C with participation from the major browser vendors began to formalize the NOTE into a W3C Working Draft on track toward formal W3C Recommendation status.
CORS relationship to JSONP
CORS can be used as a modern alternative to the JSONPJSONP
JSONP or "JSON with padding" is a complement to the base JavaScript Object Notation JSON data format, a pattern of usage allowing a page to request data from a server in a different domain...
pattern. While JSONP supports only the GET request method, CORS also supports other types of HTTP requests. Using CORS enables a web programmer to use regular XMLHttpRequest
XMLHttpRequest
XMLHttpRequest is an API available in web browser scripting languages such as JavaScript. It is used to send HTTP or HTTPS requests directly to a web server and load the server response data directly back into the script. The data might be received from the server as XML text or as plain text...
which supports better error handling than JSONP. On the other hand, JSONP works on legacy browsers which preclude CORS support. CORS is supported by most modern web browsers.