CORS and Access-Control-Allow-Origin
CORS is a specification that enables truly open access across domain boundaries.
Granting JavaScript clients basic access to your resources simply requires adding one HTTP Response Header, namely:
Access-Control-Allow-Origin: *
Access-Control-Allow-Origin: http://example.com:8080
The asterisk wild-card permits scripts hosted on any site to load your resources; listing a specific <base URI> will permit scripts hosted on the specified site -- and no others -- to load your resources.
This is compatible with both XHR XMLHttpRequest and XDR XDomainRequest, and is supported by all the major Web browsers.
HTTP Server
Security Note: The examples given below assume a wild-card '*' domain for the Access-Control-Allow-Origin header. This is provided to simplify basic use of CORS, practically meaning "I don't care how this is used." In an intranet setting, this could lead to leakage of data beyond the intranet and therefore should be avoided. In a production setting, you should take advantage of the full features of the CORS specification to make sure it does express your actual security policy. That said, in a typical Open Data situation, the wild-card can be an appropriate use of CORS.
For IIS7
Merge this into the web.config file at the root of your application / site:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="Access-Control-Allow-Origin" value="*" />
</customHeaders>
</httpProtocol>
</system.webServer>
</configuration>
If you don't have a web.config file already, or don't know what one is, just create a new file called "web.config" containing the snippet above.
In ASP.NET
Response.AppendHeader("Access-Control-Allow-Origin", "*");
This is compatible with IIS6, IIS7 Classic Mode, and IIS7 Integrated Mode.
Granting JavaScript clients basic access to your resources simply requires adding one HTTP Response Header, namely:
Access-Control-Allow-Origin: *
Access-Control-Allow-Origin: http://example.com:8080
The asterisk wild-card permits scripts hosted on any site to load your resources; listing a specific <base URI> will permit scripts hosted on the specified site -- and no others -- to load your resources.
This is compatible with both XHR XMLHttpRequest and XDR XDomainRequest, and is supported by all the major Web browsers.
HTTP Server
Security Note: The examples given below assume a wild-card '*' domain for the Access-Control-Allow-Origin header. This is provided to simplify basic use of CORS, practically meaning "I don't care how this is used." In an intranet setting, this could lead to leakage of data beyond the intranet and therefore should be avoided. In a production setting, you should take advantage of the full features of the CORS specification to make sure it does express your actual security policy. That said, in a typical Open Data situation, the wild-card can be an appropriate use of CORS.
For IIS7
Merge this into the web.config file at the root of your application / site:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="Access-Control-Allow-Origin" value="*" />
</customHeaders>
</httpProtocol>
</system.webServer>
</configuration>
If you don't have a web.config file already, or don't know what one is, just create a new file called "web.config" containing the snippet above.
In ASP.NET
Response.AppendHeader("Access-Control-Allow-Origin", "*");
This is compatible with IIS6, IIS7 Classic Mode, and IIS7 Integrated Mode.
Comments
Post a Comment