terminology – What is the meaning of CORS?

Question:

I always see the word CORS associated with an error that occurs when trying to make an XMLHttpRequest to a page that does not have the same domain as its source.

Example:

XMLHttpRequest cannot load http://localhost/. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://127.0.0.1' is therefore not allowed access.

But what is the meaning of the word CORS?

Is this word used to define the error that occurred, or some browser security policy?

Answer:

CORS (Cross-Origin Resource Sharing) is an agreement between browser and server about exchanging resources when the browser tries to access a domain other than the one you are browsing.

It's a set of rules, a W3C specification, for what kind of resources can be accessed and how to limit them. These rules are implemented by browsers, and it is the browser that limits access.

These rules were imposed for security reasons: to prevent scripts on a page from freely making requests to other sites and interacting with them.

On the server side, the server may or may not "open the door" to one, several or all requesting origins. How this is implemented is language-specific, but in the end it comes down to headers being present in the response that the browser can read:

Access-Control-Allow-Origin: *                        // <- open to everyone
Access-Control-Allow-Origin: http://example.com:8080  // <- only this origin may access (the header holds a single origin; to allow several, the server returns the one that matched the request's Origin)

Regarding the error:

XMLHttpRequest cannot load http://localhost/. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://127.0.0.1' is therefore not allowed access.

When the browser reads a URL starting with http: it assumes it is an external URL. In fact http://localhost/ should be interpreted as "same domain", but because of the http the browser thinks it isn't... To solve this problem, which also applies to online domains, relative paths should be used rather than absolute ones with http:// etc.

More reading:

. Wikipedia: https://pt.wikipedia.org/wiki/Cross-origin_resource_sharing

. W3C: https://www.w3.org/TR/cors/ (in English)

. MDN: https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS (in English)
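The server-side half of what the answer describes, as an added example that is not part of the original answer or of any library: a Node.js function that decides the CORS response for a request against an allow-list built from the two origins mentioned in the answer, together with a same-origin comparison. An origin is the scheme, host and port triple, so two URLs whose hosts differ are different origins even when they resolve to the same machine. The names `originOf`, `sameOrigin`, `corsHeaders`, `ALLOWED_ORIGINS`, `ALLOWED_HEADERS` and `ALLOWED_METHODS` are hypothetical, the sample requests are constructed, and request header names are assumed to be lowercased, as Node's http module delivers them.

```javascript
// Added example, not code from the original answer: the server-side half of
// CORS as a pure function, so it runs under Node.js with no network.
// Header names are assumed lowercased, as Node's http module delivers them.

// An origin is the (scheme, host, port) triple. Two URLs are same-origin only
// when all three match, so http://localhost/ and http://127.0.0.1/ are
// different origins even though both reach the local machine.
function originOf(urlString) {
  // URL.origin drops default ports: http://example.com:80 -> http://example.com
  return new URL(urlString).origin;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Hypothetical allow-list, using the two origins mentioned in the answer.
// Access-Control-Allow-Origin carries a single value, so rather than listing
// several origins we echo back the one that matched. "*" allows everyone but
// is incompatible with credentials (cookies, Authorization).
const ALLOWED_ORIGINS = new Set(['http://example.com:8080', 'http://foo.example.com']);
const ALLOWED_HEADERS = new Set(['content-type', 'authorization']);
const ALLOWED_METHODS = 'GET, POST, PUT, DELETE';

// Decide the CORS response for one request. `method` is the HTTP method,
// `reqHeaders` the request headers (lowercase keys). Returns {status, headers}.
function corsHeaders(method, reqHeaders, allowed = ALLOWED_ORIGINS) {
  const origin = reqHeaders['origin'];
  const headers = {};

  // No Origin header: same-origin navigation or a non-browser client.
  if (!origin) return { status: 200, headers };

  // A preflight is an OPTIONS request announcing the real method it will use.
  const isPreflight = method === 'OPTIONS' && 'access-control-request-method' in reqHeaders;

  if (allowed.has('*')) {
    headers['Access-Control-Allow-Origin'] = '*';    // open to all, no credentials
  } else if (allowed.has(origin)) {
    headers['Access-Control-Allow-Origin'] = origin; // echo the matching origin
    headers['Access-Control-Allow-Credentials'] = 'true';
    headers['Vary'] = 'Origin'; // caches must key on Origin since the response differs per origin
  } else {
    // Not on the list: send no Access-Control-Allow-Origin at all. The browser
    // then fails the check with exactly the message quoted in the question.
    return { status: isPreflight ? 403 : 200, headers };
  }

  if (isPreflight) {
    headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS;
    // Grant only the requested headers that are on our list, never a blind echo.
    const requested = (reqHeaders['access-control-request-headers'] || '')
      .split(',')
      .map((h) => h.trim().toLowerCase())
      .filter((h) => ALLOWED_HEADERS.has(h));
    if (requested.length) headers['Access-Control-Allow-Headers'] = requested.join(', ');
    headers['Access-Control-Max-Age'] = '600'; // browser may cache this preflight for 10 minutes
    return { status: 204, headers };           // preflight response has no body
  }
  return { status: 200, headers };
}

// Stand-alone demo (constructed requests): the preflight from the question,
// sent from origin http://127.0.0.1, and one from an allowed origin.
console.log(sameOrigin('http://localhost/', 'http://127.0.0.1/')); // false
console.log(corsHeaders('OPTIONS', { origin: 'http://127.0.0.1', 'access-control-request-method': 'GET' }));
console.log(corsHeaders('OPTIONS', {
  origin: 'http://foo.example.com',
  'access-control-request-method': 'POST',
  'access-control-request-headers': 'Content-Type, X-Custom',
}));
```

Because the header accepts a single value, the function echoes the matching origin and adds Vary: Origin so a shared cache does not hand one origin's grant to another. The `*` wildcard is only issued without Access-Control-Allow-Credentials, since browsers reject the two together, and the requested headers are filtered against an allow-list rather than echoed back verbatim.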
