Compare Revisions
HTTP access control (CORS)
Revision 378345:
Revision 378345 by code_monk on
Revision 389391:
Revision 389391 by Sheppy on
- Title:
- HTTP access control (CORS)
- HTTP access control (CORS)
- Slug:
- HTTP/Access_control_CORS
- HTTP/Access_control_CORS
- Tags:
- "Firefox 3.5", "Same-origin policy", "Security", "XMLHttpRequest", "HTTP", "AJAX"
- "Firefox 3.5", "Same-origin policy", "Security", "XMLHttpRequest", "HTTP", "AJAX"
- Comment:
- Just fixing a simple grammatical error
- minor copy edits
- Content:
Revision 378345 Revision 389391 n 8 <strong>Cross-site HTTP requests</strong> are <a href="/en/ n 8 <strong>Cross-site HTTP requests</strong> are <a href="/en/ > HTTP" title="en/HTTP">HTTP</a> requests for resources from a <em> > HTTP" title="en/HTTP">HTTP</a> requests for resources from a <str > different domain</em> than the domain of the resource making the > ong>different domain</strong> than the domain of the resource mak > request. For instance, a resource loaded from Domain A (<sp > ing the request. For instance, a resource loaded from Domai > an class="nowiki">http://domaina.example</span>) such as an HTML > n A (<code><span class="nowiki">http://domaina.example</span></co > web page, makes a request for a resource on Domain B (<span class > de>) such as an HTML web page, makes a request for a resource on > ="nowiki">http://domainb.foo</span>), such as an image, using the > Domain B (<span class="nowiki">http://domainb.foo</span>), such a > <code>img</code> element (<span class="nowiki">http://domainb.fo > s an image, using the <code>img</code> element (<code><span class > o/image.jpg</span>). This occurs very commonly on the web t > ="nowiki">http://domainb.foo/image.jpg</span></code>). This > oday — pages load a number of resources in a cross-site manner, i > occurs very commonly on the web today — pages load a number of r > ncluding CSS stylesheets, images and scripts, and other reso > esources in a cross-site manner, including CSS stylesheets, > urces. > images and scripts, and other resources. t 14 The <a class="external" href="http://www.w3.org/2008/webapp t 14 The <a class="external" href="http://www.w3.org/2008/webapp > s/" title="http://www.w3.org/2008/webapps/">Web Applications Work > s/" title="http://www.w3.org/2008/webapps/">Web Applications Work > ing Group</a> within the <a class="external" href="http://www.w3. > ing Group</a> within the <a class="external" href="http://www.w3. 
> org/" title="http://www.w3.org/">W3C</a> has proposed the new <a > org/" title="http://www.w3.org/">W3C</a> has recommended the new > class="external" href="http://www.w3.org/TR/cors/" title="http:// > <a class="external" href="http://www.w3.org/TR/cors/" title="http > www.w3.org/TR/cors/">Cross-Origin Resource Sharing</a> (CORS) rec > ://www.w3.org/TR/cors/">Cross-Origin Resource Sharing</a> (CORS) > ommendation, which provides a way for web servers to support cros > mechanism, which provides a way for web servers to support cross- > s-site access controls, which enable secure cross-site data trans > site access controls, which enable secure cross-site data transfe > fers. Of particular note is that this specification is used > rs. Of particular note is that this specification is used w > within an <em>API container</em> such as <code><a class="interna > ithin an <strong>API container</strong> such as <code><a class="i > l" href="/en/DOM/XMLHttpRequest" title="En/XMLHttpRequest">XMLHtt > nternal" href="/en/DOM/XMLHttpRequest" title="En/XMLHttpRequest"> > pRequest</a></code> as a mitigation mechanism, allowing the cross > XMLHttpRequest</a></code> as a mitigation mechanism, allowing the > ing of the same-domain restriction in modern browsers. The > crossing of the same-domain restriction in modern browsers.  > information in this article is of interest to web administrators, > ; The information in this article is of interest to web administr > server developers and web developers. Another article for > ators, server developers and web developers. 
Another articl > server programmers discussing <a class="internal" href="/En/Serve > e for server programmers discussing <a class="internal" href="/En > r-Side_Access_Control" title="En/Server-Side Access Control">cros > /Server-Side_Access_Control" title="En/Server-Side Access Control > s-origin sharing from a server perspective (with PHP code snippet > ">cross-origin sharing from a server perspective (with PHP code s > s)</a> is supplementary reading. On the client, the browser > nippets)</a> is supplementary reading. On the client, the b > handles the components of cross-origin sharing, including header > rowser handles the components of cross-origin sharing, including > s and policy enforcement. The introduction of this new capa > headers and policy enforcement. The introduction of this ne > bility, however, does mean that servers have to handle new header > w capability, however, does mean that servers have to handle new > s, and send resources back with new headers. > headers, and send resources back with new headers.
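Review bot: In the first changed paragraph (n 8), the code markup is applied unevenly: the new revision wraps the Domain A URL and the image URL (http://domainb.foo/image.jpg) in a code element, but the Domain B URL (http://domainb.foo) is still a bare nowiki span. Wrap it in a code element too, so all three example URLs render the same way. The same paragraph changes "different domain" from em to strong; that is fine if strong is the chosen markup for key terms, provided it is used the same way in the rest of the article.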
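Review bot: In the second changed paragraph (t 14), "has proposed the new ... recommendation" becomes "has recommended the new ... mechanism", which changes what the article says about the standards status of CORS rather than only its wording, while the revision comment reads "minor copy edits". State the status change in the revision comment so it can be checked against the linked W3C document (http://www.w3.org/TR/cors/). In the same paragraph "API container" moves from em to strong; keep the markup for introduced terms consistent with the first paragraph.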