Compare Revisions

HTTP access control (CORS)

Change Revisions

Revision 378345:

Revision 378345 by code_monk on April 17, 2013 at 1:03:59 PM PDT

Revision 389391:

Revision 389391 by Sheppy on May 6, 2013 at 5:19:14 PM PDT

Title:

HTTP access control (CORS)

Slug:

HTTP/Access_control_CORS

Tags:

"Firefox 3.5", "Same-origin policy", "Security", "XMLHttpRequest", "HTTP", "AJAX"

Comment:

Just fixing a simple grammatical error

minor copy edits

Content:

	Revision 378345			Revision 389391
n	8	<strong>Cross-site HTTP requests</strong> are <a href="/en/	n	8	<strong>Cross-site HTTP requests</strong> are <a href="/en/
	>	HTTP" title="en/HTTP">HTTP</a> requests for resources from a <em>		>	HTTP" title="en/HTTP">HTTP</a> requests for resources from a <str
	>	different domain</em> than the domain of the resource making the		>	ong>different domain</strong> than the domain of the resource mak
	>	request.  For instance, a resource loaded from Domain A (<sp		>	ing the request.  For instance, a resource loaded from Domai
	>	an class="nowiki">http://domaina.example</span>) such as an HTML		>	n A (<code><span class="nowiki">http://domaina.example</span></co
	>	web page, makes a request for a resource on Domain B (<span class		>	de>) such as an HTML web page, makes a request for a resource on
	>	="nowiki">http://domainb.foo</span>), such as an image, using the		>	Domain B (<span class="nowiki">http://domainb.foo</span>), such a
	>	<code>img</code> element (<span class="nowiki">http://domainb.fo		>	s an image, using the <code>img</code> element (<code><span class
	>	o/image.jpg</span>).  This occurs very commonly on the web t		>	="nowiki">http://domainb.foo/image.jpg</span></code>).  This
	>	oday — pages load a number of resources in a cross-site manner, i		>	occurs very commonly on the web today — pages load a number of r
	>	ncluding CSS stylesheets, images and scripts, and other reso		>	esources in a cross-site manner, including CSS stylesheets,
	>	urces.		>	images and scripts, and other resources.
t	14	The <a class="external" href="http://www.w3.org/2008/webapp	t	14	The <a class="external" href="http://www.w3.org/2008/webapp
	>	s/" title="http://www.w3.org/2008/webapps/">Web Applications Work		>	s/" title="http://www.w3.org/2008/webapps/">Web Applications Work
	>	ing Group</a> within the <a class="external" href="http://www.w3.		>	ing Group</a> within the <a class="external" href="http://www.w3.
	>	org/" title="http://www.w3.org/">W3C</a> has proposed the new <a		>	org/" title="http://www.w3.org/">W3C</a> has recommended the new
	>	class="external" href="http://www.w3.org/TR/cors/" title="http://		>	<a class="external" href="http://www.w3.org/TR/cors/" title="http
	>	www.w3.org/TR/cors/">Cross-Origin Resource Sharing</a> (CORS) rec		>	://www.w3.org/TR/cors/">Cross-Origin Resource Sharing</a> (CORS)
	>	ommendation, which provides a way for web servers to support cros		>	mechanism, which provides a way for web servers to support cross-
	>	s-site access controls, which enable secure cross-site data trans		>	site access controls, which enable secure cross-site data transfe
	>	fers.  Of particular note is that this specification is used		>	rs.  Of particular note is that this specification is used w
	>	within an <em>API container</em> such as <code><a class="interna		>	ithin an <strong>API container</strong> such as <code><a class="i
	>	l" href="/en/DOM/XMLHttpRequest" title="En/XMLHttpRequest">XMLHtt		>	nternal" href="/en/DOM/XMLHttpRequest" title="En/XMLHttpRequest">
	>	pRequest</a></code> as a mitigation mechanism, allowing the cross		>	XMLHttpRequest</a></code> as a mitigation mechanism, allowing the
	>	ing of the same-domain restriction in modern browsers.  The		>	crossing of the same-domain restriction in modern browsers.&nbsp
	>	information in this article is of interest to web administrators,		>	; The information in this article is of interest to web administr
	>	server developers and web developers.  Another article for		>	ators, server developers and web developers.  Another articl
	>	server programmers discussing <a class="internal" href="/En/Serve		>	e for server programmers discussing <a class="internal" href="/En
	>	r-Side_Access_Control" title="En/Server-Side Access Control">cros		>	/Server-Side_Access_Control" title="En/Server-Side Access Control
	>	s-origin sharing from a server perspective (with PHP code snippet		>	">cross-origin sharing from a server perspective (with PHP code s
	>	s)</a> is supplementary reading.  On the client, the browser		>	nippets)</a> is supplementary reading.  On the client, the b
	>	handles the components of cross-origin sharing, including header		>	rowser handles the components of cross-origin sharing, including
	>	s and policy enforcement.  The introduction of this new capa		>	headers and policy enforcement.  The introduction of this ne
	>	bility, however, does mean that servers have to handle new header		>	w capability, however, does mean that servers have to handle new
	>	s, and send resources back with new headers.		>	headers, and send resources back with new headers.

Back to History