CORS
Cross Origin Resource Sharing
Hasty Treat - JSON, JSONP and CORS — Syntax Podcast 063
Why CORS¶
Access resources (other than JS) from other domains
Examples
- JSON from any other server
- images from Cloudinary
- fonts from Google Fonts
Preflight request¶
What¶
HTTP OPTIONS request to check whether the server understands CORS
Browser will not send the cross origin request if the server doesn't understand CORS
Why¶
Prevent new ways to CSRF to an old pre-CORS server
- no preflight request for old kinds of requests
- like POST request to get some JS
- POST request to get JSON will send a preflight
Why preflight for every request¶
URLs could be handled by different servers
bank.com/loginbank.com/account
so it has to be for every request
JSONP¶
Since you could request cross origin JS
you wrap JSON in some JS
Last update:
2023-04-24