Same-Origin Policy (SOP)

  • JavaScript code can only access data from the same origin (scheme + host + port)
  • Very limited access to cross-origin sites (unless the server is configured to allow it)

  • Scripts, images and other static files that change rarely are often not protected by SOP (they can be embedded cross-origin)

  • Dynamic content is often protected by SOP


Allowing cross-origin

Why Allow

  • To allow API endpoints that are located on a different (sub)domain
  • Scripts, images and other content hosted on a different domain

Headers

In order for cross-origin requests to work, the browser must receive several special headers in the server's response

  • Access-Control-Allow-Origin - List of origins allowed
  • Access-Control-Allow-Methods - List of HTTP methods allowed
  • Access-Control-Allow-Headers - List of non-standard request headers allowed
  • Access-Control-Max-Age - Number of seconds the browser may cache the preflight response

Browsers often obtain these headers by sending a preflight request with the OPTIONS method before the actual cross-origin request
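The server side of the exchange above, as an added example that is not part of these notes: a pure function that computes the CORS response headers for a request, answering a preflight only when the requesting origin is on an allowlist and the announced method and headers are permitted. It assumes Node-style request objects with lowercase header names; the origins, methods and header names are constructed sample values.

```javascript
// Allowlist of origins (constructed sample values). Access-Control-Allow-Origin
// carries a single value, so the matching origin is echoed back rather than
// the whole list being sent; "*" is never combined with credentials.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);
const ALLOWED_METHODS = ["GET", "POST", "PUT", "DELETE"];
const ALLOWED_HEADERS = ["content-type", "authorization", "x-request-id"];
const PREFLIGHT_MAX_AGE = 600; // seconds the browser may cache the preflight

// Returns the CORS headers to add to the response, or {} when the request is
// same-origin, the origin is not allowlisted, or a preflight asks for a method
// or header that is not permitted (no headers => the browser blocks the read).
function corsHeaders(req) {
  const origin = req.headers["origin"];
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return {};

  const headers = {
    "Access-Control-Allow-Origin": origin,       // exact allowlisted value
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin", // caches must not serve one origin's answer to another
  };

  const requestedMethod = req.headers["access-control-request-method"];
  if (req.method !== "OPTIONS" || !requestedMethod) {
    return headers; // actual (non-preflight) request: origin header only
  }

  // Preflight: validate what the browser announced it intends to send.
  const method = requestedMethod.toUpperCase();
  const requestedHeaders = (req.headers["access-control-request-headers"] || "")
    .split(",")
    .map((h) => h.trim().toLowerCase())
    .filter(Boolean);
  if (!ALLOWED_METHODS.includes(method)) return {};
  if (!requestedHeaders.every((h) => ALLOWED_HEADERS.includes(h))) return {};

  headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
  headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS.join(", ");
  headers["Access-Control-Max-Age"] = String(PREFLIGHT_MAX_AGE);
  return headers;
}
```

A preflight from an allowlisted origin gets the full header set; an actual request gets only the origin and credentials headers; anything else gets none.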