Understanding CORS

I looked on the Internet regarding CORS, and I wanted to confirm that what I made of it is really what it is.

Mentioned below is a completely fictional scenario.

I will give an example of a regular website. Say my html page has a form that shows the name of a text field. When submitting data, it sends the form data to myPage.php. Now, what is happening internally is that the server sends a request to www.mydomain.com/mydirectory/myPage.php along with the text fields. Now the server sees that the request was fired from the same domain / port / protocol.

(Question 1: How does the server know about all these details? Where does it retrieve all this data from?)

However, since the request is created from the same domain, it is a php script server and returns everything that is required of it.

Now, for the sake of argument, let's say I don't want to manually fill in the data in the text box, but instead I want to do it programmatically. What I do is create an html page with javascript and run a POST request along with the parameters (i.e. textField values). Now, since my request is not from any domain as such, the server ignores the service for my request, and I get a cross-domain error?

Similarly, I could write a Java program as well that uses an HTTPClient / Post request and does the same.

Question 2: Is this a problem?

Now, what CORS gives us is that the server says "anyone can access myPage.php." From enable-cors.org it says:

For simple CORS requests, the server needs to add the following header to the response: Access-Control-Allow-Origin: *

Now, what exactly is the client going to do with this header? In this case, the client wanted to make a call to resources on the server, didn't it? It should be up to the server to just configure itself whether it wants to accept or not, and act accordingly.

Question 3: What is the use of sending the header back to the client (who has already made a request to the server)?

And finally, I do not understand this: say I am creating some RESTful services for my Android application. Now, let's say I have one POST service www.mydomain.com/rest/services/myPost. I have a Tomcat server serving these services on my local machine.

In my Android app, I just call this service and return the result (if any). Where exactly did I use CORS in this case? Does this fall under a different category of server calls? If so, how exactly?

Also, I checked Enable Cors for Tomcat and it says that I can add a filter to my web.xml of my dynamic web project and then it will start accepting it.

Question 4: Is this what allows you to call from my Android device to my web services?

Thanks

+7
web-services cors
2 answers
  • First of all, cross-domain verification is performed by the browser, not the server. When JavaScript does an XmlHttpRequest to a server other than its origin, if the browser supports CORS, it initiates the CORS process. Otherwise, the request will result in an error (if the user has not intentionally reduced browser security).

  • When the server encounters the Origin HTTP header, the server will decide whether it is on the list of allowed domains. If it is not in the list, the request will fail (that is, the server will send an error response).

For numbers 3 and 4, I think you should ask separate questions. Otherwise, this question will become too broad. And I think that it will come quickly if you do not delete it.

For an explanation of CORS, see this answer from programmers: https://softwareengineering.stackexchange.com/a/253043/139479

NOTE: CORS is rather an agreement. This does not guarantee safety. You can write a malicious browser that ignores the same-domain policy, and it will execute JavaScript extracted from any site. You can also create HTTP requests with arbitrary Origin headers and retrieve information from any third-party server that implements CORS. CORS only works if you trust your browser.

+7
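The two halves of the "agreement" described in this answer, as an added example that is not part of the original post or of any library: the server's decision when it sees an Origin header, and the check the browser performs on the returned header. The origins and allow-list are constructed for illustration; the server-side routine would sit behind a real request handler (a servlet filter on Tomcat, for instance), which is assumed, not shown.

```javascript
// Constructed allow-list of origins (scheme + host + port) that this server
// is willing to let browser scripts read responses from.
const ALLOWED_ORIGINS = new Set([
  "https://www.mydomain.com",   // the site from the question
  "https://app.example",        // constructed: a second trusted front end
]);

// Server side. `origin` is the request's Origin header (undefined when the
// browser did not send one, e.g. a same-origin form post or a plain HTTP
// client such as the Java/HttpClient program in the question). Returns the
// CORS headers to add to the response, or null to add none. Note that the
// server still answers the request either way; authentication and
// authorization must be enforced separately, CORS is not access control.
function corsHeaders(origin, method, requestedMethod) {
  if (origin === undefined) return null;          // not a cross-origin browser request
  if (!ALLOWED_ORIGINS.has(origin)) return null;  // browser will refuse to expose the body
  const headers = {
    // Echo the one origin we matched rather than "*": "*" cannot be combined
    // with cookies/credentials, and echoing keeps the allow-list explicit.
    "Access-Control-Allow-Origin": origin,
    // The answer differs per Origin, so shared caches must not reuse it.
    "Vary": "Origin",
  };
  if (method === "OPTIONS" && requestedMethod !== undefined) {
    // Preflight: the browser asks before sending a non-simple request.
    headers["Access-Control-Allow-Methods"] = "GET, POST";
    headers["Access-Control-Max-Age"] = "600";   // seconds the browser may cache this answer
  }
  return headers;
}

// Browser side. After the response arrives, the browser compares the page's
// own origin with Access-Control-Allow-Origin and either hands the response
// to the script or raises the cross-domain error. The server cannot enforce
// this; a non-browser client simply ignores the header.
function browserAllowsRead(pageOrigin, responseHeaders) {
  const allow = responseHeaders === null ? undefined
    : responseHeaders["Access-Control-Allow-Origin"];
  return allow === "*" || allow === pageOrigin;
}
```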

On question 3, you need to understand the relationship between the two sites and the client's browser. As Krumia said in his response, this is more likely an agreement between the three parties to the request.

I recently posted an article that details how CORS handshakes are designed to work.

+1
