Point of CORS HTTP Headers

The following MDN article discusses CORS headers: Cross-Origin Resource Sharing (CORS)

My question is rather basic:

Given a simple request (not preflighted): What is the point of adding CORS headers server-side, if we send the requested resource with the HTTP response regardless (i.e. send resource with the same message as the CORS response headers)? I thought the whole point of the CORS headers was for the UA to only receive the requested resource if the server permitted it.

Would it not be easier to just send or not send the resource, depending on which client asks?

Magnus asked Oct 19 '25 10:10


1 Answer

For a same-domain request (which doesn't require CORS) I agree there's not much point in adding CORS headers, but equally it doesn't do any harm.

For cross-origin requests, the headers tell the browser whether the page is allowed access to the resource or not.

It's important to note that it's the browser which controls this, as CORS is a browser-specific technology. CORS restrictions do not apply to non-browser HTTP clients. The server doesn't deny access directly, it merely adds headers which indicate to the browser what it should do with the response in a given scenario - i.e. whether or not it should override the normal "same-origin" policy which browsers implement, and allow access to the resource.

Also, you ask whether it wouldn't just be easier for the server to deny access to the resource depending on what kind of client is making the request. The way HTTP is designed means that who or what the client is is not important, as long as it complies with the standard. The only way to guess at the nature of the client is to read the User-Agent string, but this is trivial to spoof, so you could never use this in the server to implement anything security-related. There's also nothing mandatory in the standards which would allow you to know whether the request was made by AJAX or not (since it's only AJAX requests which are subject to CORS, simply knowing that the client is a browser is insufficient in any case to meet the requirement).

ADyson answered Oct 21 '25 23:10
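To make the answer's point concrete, here is an added example (not from the question or the answer) that models both sides of a simple, non-preflighted cross-origin GET in JavaScript: the server always sends the body, and the browser's response check decides whether the page's script may read it. The origins, the allowlist and the resource body are constructed sample values.

```javascript
// Added example: a minimal model of the CORS flow for a simple GET.
// The server always sends the body; the browser decides whether the
// page may read it. All origins and data below are constructed samples.

// Server side: the resource is returned regardless of the Origin header.
// The only thing Origin changes is whether an Access-Control-Allow-Origin
// header is emitted, and for which origin.
const ALLOWED_ORIGINS = new Set(["https://app.example", "https://admin.example"]);

function handleRequest(req) {
  const headers = { "Content-Type": "application/json" };
  if (req.headers.origin && ALLOWED_ORIGINS.has(req.headers.origin)) {
    // Echo the single matching origin rather than "*": browsers reject
    // "*" when the request carried credentials (cookies, HTTP auth).
    headers["Access-Control-Allow-Origin"] = req.headers.origin;
    headers["Vary"] = "Origin"; // keep caches from serving one origin's answer to another
  }
  // Body is sent unconditionally, which is exactly what the question observes.
  return { status: 200, headers, body: JSON.stringify({ balance: 42 }) };
}

// Browser side: the check a user agent performs on the response before
// exposing the body to the page's script (simplified from the Fetch
// standard). Non-browser HTTP clients perform no such check.
function browserMayReadResponse(pageOrigin, credentialsSent, res) {
  const acao = res.headers["Access-Control-Allow-Origin"];
  if (acao === undefined) return false;       // header absent: blocked
  if (acao === "*") return !credentialsSent;  // wildcard only without credentials
  if (acao !== pageOrigin) return false;      // must match the page origin exactly
  if (credentialsSent) {
    return res.headers["Access-Control-Allow-Credentials"] === "true";
  }
  return true;
}

// Simulate a page served from pageOrigin fetching the resource cross-origin.
function simulateFetch(pageOrigin, credentialsSent = false) {
  const res = handleRequest({ headers: { origin: pageOrigin } });
  const bodyArrived = res.body.length > 0; // true in every case: the bytes were sent
  const scriptCanRead = browserMayReadResponse(pageOrigin, credentialsSent, res);
  return { bodyArrived, scriptCanRead };
}

// The body reaches the browser in both cases; only the allowed origin's
// script gets to read it.
console.log(simulateFetch("https://app.example"));  // { bodyArrived: true, scriptCanRead: true }
console.log(simulateFetch("https://evil.example")); // { bodyArrived: true, scriptCanRead: false }
```

Note that the third case in the test (allowed origin, credentials sent, no Access-Control-Allow-Credentials header) is also blocked, which is why servers that rely on cookies must emit that header as well.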


