What the hell is CORS
Oct 13 2016
Access-Control-Allow-Origin. It seems that many developers do not fully understand CORS, which, historically, was the case for me as well.
CORS is an acronym that stands for Cross-origin Resource Sharing. This is a mechanism that allows resources to be shared between domains. CORS exists because of something called the Same-origin policy.
https://facebook.com, you will probably see something along the lines of
XMLHttpRequest cannot load https://facebook.com/. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://blog.damonkelley.me' is therefore not allowed access.
Cross-origin Resource Sharing
CORS is a way through the Same-origin policy. There are many scenarios where it is legitimate for a page on a different domain to interact with a resource on another domain. This is likely to occur in a web application that has a separate frontend and backend that communicate with each other over an HTTP API. This might be app.example.com trying to request data from
In order to inform the browser that this channel of communication is OK, the server must respond with an Access-Control-Allow-Origin header that matches the origin of the request.
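The server side of that exchange, as an added example that is not code from the original post: an API decides, from an allowlist, whether to echo the request's Origin back in Access-Control-Allow-Origin. The allowlist and the sample response body are assumptions made for this illustration; the Vary header is added so that shared caches do not serve one origin's answer to another.

```javascript
// Added example, not code from the original post: how an HTTP API decides
// whether to emit Access-Control-Allow-Origin. The allowlist is an assumption.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com", // the separate frontend the post describes
]);

// Returns the CORS response headers to add, or an empty object when the
// browser must not be granted access (it then raises the
// "No 'Access-Control-Allow-Origin' header is present" error quoted above).
// Exact string comparison: scheme, host and port must all agree; a prefix or
// substring match would accept origins that were never allowlisted.
function corsHeadersFor(requestHeaders) {
  const origin = requestHeaders["origin"];
  if (!origin) return {};                      // same-origin or non-browser request
  if (!ALLOWED_ORIGINS.has(origin)) return {}; // unknown origin: say nothing
  return {
    "Access-Control-Allow-Origin": origin,     // echo only the allowlisted value
    "Vary": "Origin",                          // cache key must include Origin
  };
}

// Builds a full response; only the CORS headers vary with the caller's origin.
function respond(request) {
  return {
    status: 200,
    headers: {
      "Content-Type": "application/json",
      ...corsHeadersFor(request.headers),
    },
    body: JSON.stringify({ user: "constructed sample" }), // constructed data
  };
}
```

The browser, not this code, does the blocking: the server merely states which origin it is willing to share with, and a response without the header is still sent in full on the wire.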
(Mostly) the responsibility of the browser
An important thing to understand is that both Same-origin policy and Cross-origin resource sharing are responsibilities of the browser. The browser is what enforces Same-origin policy as a security measure, thus it is the entity that allows for CORS. The server is only involved to the extent that it dictates which origins the browser should allow.