Cross-Origin Resource Sharing (CORS) is a mechanism that uses additional HTTP headers to tell browsers to give a web application running at one origin access to selected resources from a different origin. A web application executes a cross-origin HTTP request when it requests a resource that has a different origin (domain, protocol, or port) from its own.
There are mainly 2 headers that we are interested in:

- Access-Control-Allow-Origin: by default, cross-origin AJAX requests are blocked by the browser; what this header does is allow certain origin(s) to make unauthenticated requests to the origin responding with the header.
- Access-Control-Allow-Credentials: even when Access-Control-Allow-Origin is set to allow you to fetch data from the responding origin, you can't send HTTP cookies along with the requests, so what this header does is allow you to send HTTP cookies with the request.
- If Access-Control-Allow-Origin is set to `*`, this means that it'll accept requests from any other origin.
- If Access-Control-Allow-Origin is set to a dynamically assigned value, this can be manipulated by the user, granting themselves the privilege of fetching data from the responding origin.
- If Access-Control-Allow-Credentials is set to `true`, this means that you can fetch an authenticated user's data if you make requests using their browser.
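The three cases above, as an added example that is not part of the original post: a small checker that classifies the CORS headers a server returned to a probe request, next to a hardened handler that only echoes an allow-listed origin. The origins and header values are constructed for the example.

```python
"""Classify CORS response headers for the wildcard, reflected-origin and
credentials cases, and show the allow-list form a server should use instead."""
from typing import Dict, List

# Assumption: the deployer's real front-end origins (constructed for the example).
ALLOWED_ORIGINS = {"https://app.example.com"}


def assess_cors(request_origin: str, headers: Dict[str, str]) -> List[str]:
    """Return the findings for one response, given the Origin the probe sent."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    acao = h.get("access-control-allow-origin")
    acac = h.get("access-control-allow-credentials", "").lower() == "true"
    findings: List[str] = []
    if acao is None:
        return findings  # no CORS header: the browser blocks cross-origin reads
    if acao == "*":
        findings.append("wildcard-origin")  # any origin may read unauthenticated responses
        if acac:
            # Browsers refuse '*' combined with credentials, so cookies are not exposed,
            # but the server is still misconfigured and worth fixing.
            findings.append("wildcard-with-credentials-rejected-by-browser")
    elif acao == request_origin and request_origin not in ALLOWED_ORIGINS:
        findings.append("reflected-origin")  # arbitrary Origin echoed back
        if acac:
            # Cookie-authenticated responses become readable from any site the user visits.
            findings.append("reflected-origin-with-credentials")
    return findings


def cors_headers_for(request_origin: str) -> Dict[str, str]:
    """Hardened form: echo only an allow-listed origin, never '*' with credentials."""
    if request_origin not in ALLOWED_ORIGINS:
        return {}  # unknown origin: send no CORS headers at all
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",  # keep caches from serving one origin's answer to another
    }


if __name__ == "__main__":
    probe = "https://cors-probe.example"  # constructed Origin sent by the checker
    weak = {"Access-Control-Allow-Origin": probe,
            "Access-Control-Allow-Credentials": "true"}
    print(assess_cors(probe, weak))                   # reflected origin with credentials
    print(assess_cors(probe, cors_headers_for(probe)))  # hardened handler: no findings
```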