DEV Community

clusterO
clusterO

Posted on

1 1

Cross-origin resource sharing (CORS)

Cross-origin resource sharing" (CORS) is a mechanism that allows resources on a web page to be requested from another domain outside the domain from which the resource originated. This is useful for AJAX applications where JavaScript running in the browser may make requests to other domains (e.g. requesting JSON data from a server) or when web pages are served by a web server other than the one that generated them (e.g. when using content delivery networks). CORS is designed to allow safe cross-domain requests, while at the same time preventing malicious cross-domain requests.

In CORS, an HTTP request is made to a server in a different domain using an HTTP method other than GET or HEAD, and includes an Origin header field in the request. The server then checks whether the origin of the request matches any of the origins allowed by the Access-Control-Allow-Origin header field in the response. If so, it returns an Access-Control-Allow-Origin header field in the response containing the origin that was matched. The browser then checks this value against its list of domains and if it matches, allows the resource to be loaded. If it does not match, the resource is blocked from loading.

The following code snippet shows how to use CORS with PHP:

<?php header('Access-Control-Allow-Origin: *'); 
   header('Access-Control-Allow-Methods: GET, POST'); 
   header('Access-Control-Allow-Headers: Content-Type'); 
   header('Access-Control-Max-Age: 86400'); 
?> 

<script type="text/javascript"> // Set up headers for CORS 
   var xhr = new XMLHttpRequest(); 
   xhr.open("GET", "https://example.com/api/v1/user", true); 
   xhr.setRequestHeader("Accept", "application/json"); 
   xhr.setRequestHeader("Content-Type", "application/json"); 
   xhr.setRequestHeader("X-Requested-With", 
      "XMLHttpRequest"); 
   xhr.onload = function() { 
      console.log(this.responseText); 
   }; 
   xhr.send(); 
</script>
Enter fullscreen mode Exit fullscreen mode

For more information about CORS, see What is Cross Origin Resource Sharing? on MDN Web Docs and Cross Origin Resource Sharing on HTML5 Rocks .

Note: In JavaScript, sending a preflight OPTIONS request to find out what origins are allowed for a given resource is not supported by all browsers

profile
Sentry
 Promoted

Sentry image

See why 4M developers consider Sentry, “not bad.”

Fixing code doesn’t have to be the worst part of your day. Learn how Sentry can help.

Learn more

Top comments (0)

profile
Coherence
 Promoted

Billboard image

The Next Generation Developer Platform

Coherence is the first Platform-as-a-Service you can control. Unlike "black-box" platforms that are opinionated about the infra you can deploy, Coherence is powered by CNC, the open-source IaC framework, which offers limitless customization.

Learn more

Read next

alimehr75 profile image

Alertmanager with Telegram for Prometheus-Stack in K8S

AliMehraji -

gateru profile image

The Ultimate Guide to Chart Types in Power BI

Kaira Kelvin. -

masterplanner25 profile image

2025 ChatGPT Case Study: Resume Building

Shawn knight -

babakks profile image

Godoc-Lint: a linter for Go Doc Comments (godocs) [RE#16]

Babak K. Shandiz -

DEV Live Events

Instrument, monitor, fix: a hands-on debugging session

Join Lazar for a hands-on session where you’ll build it, break it, debug it, and fix it. You’ll set up Sentry, track errors, use Session Replay and Tracing, and leverage some good ol’ AI to find and fix issues fast.

Tune in to the full event

DEV is partnering to bring live events to the community. Join us or dismiss this billboard if you're not interested. ❤️