CORS and its role in developing a REST API

Servers are used to host web pages, applications, images, fonts, and much more. When you use a web browser, you are usually accessing a particular website (hosted on a server). Websites often request these hosted resources from different locations (servers) on the Internet. Security policies on servers mitigate the risks associated with requesting assets hosted on a different server.

There are many resource-sharing solutions across web technologies, but the overall concepts are always the same. By understanding security policies like CORS, you can see how the risks of behaviour such as loading assets from external origins are mitigated.

CORS stands for Cross-Origin Resource Sharing. It is a standard for accessing web resources on different domains. It allows servers to specify who (i.e., which origins) can access the assets on the server, among many other things. Cross-origin support was originally proposed by Matt Oshry, Brad Porter, and Michael Bodell of Tellme Networks in March 2004 for inclusion in VoiceXML.

It is a W3C specification that allows cross-domain communication from the browser. By building on top of the XMLHttpRequest object, CORS lets developers work with the same idioms as same-domain requests.

CORS defines a way in which a browser and server can interact to determine whether or not it is safe to allow the cross-origin request. It allows for more freedom and functionality than purely same-origin requests but is more secure than simply allowing all cross-origin requests.

Browsers limit most calls to the same origin for security reasons. Images, iframes, stylesheets, and scripts are exempted from this rule. This limitation is enforced by the browser, not by the website being accessed. But it is the website hosting the resource that dictates whether you can use the resource or not.

CORS is a way to tell the browser that it is okay to use data from another domain. The website that the browser calls acknowledges that the data can be accessed by setting the Access-Control-Allow-Origin header.
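The handshake described above, as an added example that is not code from the original article: a model of the browser-side decision behind CORS. Nothing here talks to a network. It shows how the same-origin policy compares two URLs (scheme, host and port only) and how the browser then reads or refuses a cross-origin response based on the Access-Control-Allow-Origin header. All hostnames are constructed samples and the function names are this example's own.

```javascript
// Added example, not code from the original article: a model of the
// browser-side decision behind CORS. No network access is made.
// Hostnames below are constructed samples.

// The origin of a URL is its scheme, host and port; path and query are ignored.
// Node's built-in URL class normalises default ports (https://h:443 -> https://h).
function originOf(url) {
  return new URL(url).origin;
}

// Same-origin policy: all three components must match exactly.
function isSameOrigin(urlA, urlB) {
  return originOf(urlA) === originOf(urlB);
}

// Decide whether script running on `requestOrigin` (the value the browser put
// in the Origin request header) may read a cross-origin response.
// `responseHeaders` is a map with lower-case header names;
// `withCredentials` is true when cookies or HTTP auth were attached.
function browserAllowsResponse(requestOrigin, responseHeaders, withCredentials) {
  const allowOrigin = responseHeaders['access-control-allow-origin'];
  if (allowOrigin === undefined) {
    return false; // header absent: the response is withheld from script
  }
  if (withCredentials) {
    // Credentialed requests may not use the wildcard, and the server must
    // also opt in with Access-Control-Allow-Credentials: true.
    if (allowOrigin === '*') return false;
    if (responseHeaders['access-control-allow-credentials'] !== 'true') return false;
  }
  // Otherwise the header must be the wildcard or exactly the requesting origin.
  return allowOrigin === '*' || allowOrigin === requestOrigin;
}

// Walk through one cross-origin call end to end with constructed responses.
function demo() {
  const page = 'https://app.example.test/dashboard?tab=1'; // constructed
  const api = 'https://api.example.test/v1/items';          // constructed
  const origin = originOf(page);                            // 'https://app.example.test'

  // Different host, so the browser attaches Origin and applies the CORS rules.
  const crossOrigin = !isSameOrigin(page, api);

  // Three constructed server responses to the same request.
  const publicApi = { 'access-control-allow-origin': '*' };
  const scopedApi = {
    'access-control-allow-origin': origin,
    'access-control-allow-credentials': 'true',
  };
  const otherTenant = { 'access-control-allow-origin': 'https://other.example.test' };

  return {
    crossOrigin,                                                          // true
    publicNoCreds: browserAllowsResponse(origin, publicApi, false),       // true
    publicWithCreds: browserAllowsResponse(origin, publicApi, true),      // false
    scopedWithCreds: browserAllowsResponse(origin, scopedApi, true),      // true
    otherTenant: browserAllowsResponse(origin, otherTenant, false),       // false
  };
}

console.log(demo());
```

Run it with `node` to see the four decisions. The point worth noticing is that a wildcard is enough for anonymous data but is rejected as soon as credentials are involved, and that a header naming some other origin is as good as no header at all.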

CORS is supported by all modern browsers, except (currently) Opera Mini.

Why is CORS important?

Allowing cross-origin requests is helpful, as many websites today load resources from different places on the Internet (stylesheets, scripts, images, and more).

JavaScript and web programming have grown by leaps and bounds over the years, but the same-origin policy still remains. It prevents JavaScript from making requests across domain boundaries and has spawned various hacks for making cross-domain requests. CORS introduces a standard mechanism that all browsers can use to implement cross-domain requests. The spec defines a set of headers that allow the browser and server to communicate about which requests are (and are not) allowed. CORS continues the spirit of the open web by bringing API access to all.

The Access-Control-Allow-Origin header is set to the origin the browser is calling from. In turn, the browser's request for the cross-origin resource carries an Origin header, which names the origin it is calling from. By comparing the two, the browser knows whether it is okay for the current website to read data from the other domain, or denies it.

Supporting CORS on the server not only retains maximum control over who can access server resources but also ensures that application servers reach the widest possible audience that needs those resources, something that is important for the growth of any business.

How does it work?

The use case for CORS is simple. Imagine that one site has some data that a second site wants to access. This type of request traditionally would not be allowed under the browser's same-origin policy. However, by supporting CORS requests, the first site can add a few special response headers that allow the second site to access the data. As this example shows, CORS support requires coordination between both the server and the client. Luckily, if you are a client-side developer you are shielded from most of these details. This illustrates how clients make cross-origin requests and how servers configure themselves to support CORS.
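The server side of that coordination, as an added example that is not the article's own code: a CORS policy for a REST API in Node-style JavaScript. Origins come from an explicit allow-list and are compared as exact strings; preflight (OPTIONS) requests are answered with the matching Access-Control-Allow-* headers, and the response carries Vary: Origin so shared caches keep per-origin copies apart. A deliberately weak variant that reflects whatever Origin arrives is kept beside it for contrast. All origins are constructed samples, and `applyCors`, `isAllowedOrigin`, `reflectAnyOrigin` and the hypothetical glue function `attachCors` are names chosen for this example.

```javascript
// Added example, not the article's own code: the server side of the CORS
// handshake for a REST API. All origins are constructed samples.

const ALLOWED_ORIGINS = new Set([
  'https://app.example.test',   // constructed sample origins
  'https://admin.example.test',
]);
const ALLOWED_METHODS = ['GET', 'POST', 'PUT', 'DELETE'];
const ALLOWED_HEADERS = ['Content-Type', 'Authorization'];

// Exact match only. A suffix or substring test such as endsWith('example.test')
// would also accept 'https://app.example.test.attacker.test' or
// 'https://notexample.test', so those checks are avoided here.
function isAllowedOrigin(origin) {
  return typeof origin === 'string' && ALLOWED_ORIGINS.has(origin);
}

// Compute the CORS response for a request. `req` is {method, headers} with
// lower-case header names, as Node's http.IncomingMessage exposes them.
// Returns {preflight, status, headers}; `status` is set only when the request
// is a preflight that this function answers completely.
function applyCors(req) {
  const origin = req.headers['origin'];
  const isPreflight = req.method === 'OPTIONS' &&
    req.headers['access-control-request-method'] !== undefined;
  const headers = {};

  if (origin === undefined) {
    // Same-origin fetches and non-browser clients send no Origin header;
    // there is nothing to decide.
    return { preflight: false, status: null, headers };
  }

  if (!isAllowedOrigin(origin)) {
    // Omitting Access-Control-Allow-Origin is what makes the browser withhold
    // the response from script. Preflights from unknown origins are refused
    // outright so the real request is never sent.
    return { preflight: isPreflight, status: isPreflight ? 403 : null, headers };
  }

  headers['Access-Control-Allow-Origin'] = origin;
  headers['Access-Control-Allow-Credentials'] = 'true';
  // The response now depends on Origin; Vary stops a shared cache from
  // serving one origin's copy to another.
  headers['Vary'] = 'Origin';

  if (isPreflight) {
    const wanted = req.headers['access-control-request-method'];
    if (!ALLOWED_METHODS.includes(wanted)) {
      return { preflight: true, status: 403, headers };
    }
    headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
    headers['Access-Control-Allow-Headers'] = ALLOWED_HEADERS.join(', ');
    headers['Access-Control-Max-Age'] = '600'; // browser may cache this preflight for 10 minutes
    return { preflight: true, status: 204, headers };
  }
  return { preflight: false, status: null, headers };
}

// Weak variant, shown only for contrast: reflecting whatever Origin arrives
// while also allowing credentials lets any site read authenticated responses.
function reflectAnyOrigin(req) {
  const origin = req.headers['origin'];
  if (origin === undefined) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Hypothetical glue for a Node http server: apply the computed headers and
// finish preflights early so they never reach the API route handlers.
function attachCors(req, res) {
  const result = applyCors(req);
  for (const [name, value] of Object.entries(result.headers)) {
    res.setHeader(name, value);
  }
  if (result.preflight) {
    res.statusCode = result.status;
    res.end();
    return true;  // request fully handled
  }
  return false;   // continue to the normal route handler
}
```

In a real server, `attachCors(req, res)` would be the first thing a request handler calls, returning early when it reports the request as handled. Note that `isAllowedOrigin('https://app.example.test/')` is false: the Origin header never carries a path or trailing slash, so entries in the allow-list must be written as bare origins.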
