CORS (Cross-Origin Resource Sharing) is a system that determines whether to block or fulfill requests for restricted resources on a web page when those requests come from a domain other than the one from which the resource originated.
The same-origin security policy forbids "cross-domain" requests by default. CORS gives web servers cross-domain access controls, which enable secure cross-domain data transfers.
Learn more
General knowledge
- HTTP access control (CORS) on MDN
- {{Interwiki("wikipedia", "Cross-origin resource sharing")}} on Wikipedia
CORS headers
- {{HTTPHeader("Access-Control-Allow-Origin")}}
  - Indicates whether the response can be shared.
- {{HTTPHeader("Access-Control-Allow-Credentials")}}
  - Indicates whether or not the response to the request can be exposed when the credentials flag is true.
- {{HTTPHeader("Access-Control-Allow-Headers")}}
  - Used in response to a preflight request to indicate which HTTP headers can be used when making the actual request.
- {{HTTPHeader("Access-Control-Allow-Methods")}}
  - Specifies the method or methods allowed when accessing the resource in response to a preflight request.
- {{HTTPHeader("Access-Control-Expose-Headers")}}
  - Indicates which headers can be exposed as part of the response by listing their names.
- {{HTTPHeader("Access-Control-Max-Age")}}
  - Indicates how long the results of a preflight request can be cached.
- {{HTTPHeader("Access-Control-Request-Headers")}}
  - Used when issuing a preflight request to let the server know which HTTP headers will be used when the actual request is made.
- {{HTTPHeader("Access-Control-Request-Method")}}
  - Used when issuing a preflight request to let the server know which HTTP method will be used when the actual request is made.
- {{HTTPHeader("Origin")}}
  - Indicates where a fetch originates from.
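
How the headers listed above fit together on the server side, as an added example that is not part of the original page: a hypothetical `corsResponse` helper decides which CORS response headers to send for a preflight and for an actual request. The policy object, the helper names and the sample origin are constructed for illustration.

```javascript
// Added example; POLICY, normalize and corsResponse are hypothetical names.
const POLICY = {
  allowedOrigins: new Set(["https://app.example.com"]), // constructed sample origin
  allowedMethods: ["GET", "POST", "PUT"],
  allowedHeaders: ["content-type", "x-request-id"],
  exposedHeaders: ["X-Request-Id"],
  allowCredentials: true,
  maxAgeSeconds: 600,
};

// HTTP header names are case-insensitive, so index them in lowercase.
function normalize(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;
  return out;
}

// Returns { allowed, preflight, headers } for the CORS part of a response.
function corsResponse(method, requestHeaders, policy = POLICY) {
  const h = normalize(requestHeaders);
  const origin = h["origin"];
  const wantedMethod = h["access-control-request-method"];
  const preflight = method === "OPTIONS" && wantedMethod !== undefined;
  const denied = { allowed: false, preflight, headers: {} };

  // Exact-match allowlist: no substring or regex matching on the Origin value.
  // With no CORS headers sent, the browser does not share the response.
  if (!origin || !policy.allowedOrigins.has(origin)) return denied;

  // Echo the exact origin: browsers reject "*" on credentialed requests.
  // Vary: Origin keeps caches from reusing this response for another origin.
  const headers = { "Access-Control-Allow-Origin": origin, "Vary": "Origin" };
  if (policy.allowCredentials) headers["Access-Control-Allow-Credentials"] = "true";

  if (preflight) {
    const wantedHeaders = (h["access-control-request-headers"] || "")
      .split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
    const ok = policy.allowedMethods.includes(wantedMethod) &&
      wantedHeaders.every((name) => policy.allowedHeaders.includes(name));
    if (!ok) return denied;
    headers["Access-Control-Allow-Methods"] = policy.allowedMethods.join(", ");
    headers["Access-Control-Allow-Headers"] = policy.allowedHeaders.join(", ");
    headers["Access-Control-Max-Age"] = String(policy.maxAgeSeconds);
  } else {
    headers["Access-Control-Expose-Headers"] = policy.exposedHeaders.join(", ");
  }
  return { allowed: true, preflight, headers };
}
```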