My understandings of CORS

CORS - Cross-Origin Resource Sharing - is mainly a client-side mechanism (more precisely, a browser-side one). It is a policy enforced by modern browsers that blocks access to resources on other origins (domains). For example, when JavaScript running on domain1.com tries to access a URL on domain2.com via an AJAX call, that is a cross-domain request, and your browser prohibits it by default. However, you could write your own browser to work around it, and other client apps can ignore this policy entirely and visit other domains freely: the policy lives in the browser, not on the wire.

It has almost nothing to do with the server unless the server wants to cooperate with browsers to share a resource. If domain2.com wants to share a page with domain1.com, i.e. it wants browsers visiting domain1.com to be able to fetch pages from domain2.com, the web server should send a specific response header called Access-Control-Allow-Origin for those pages. The value of this header should be domain1.com (or *), which means domain1.com is allowed to read the page. The browser receives the response, sees that domain1.com matches the Access-Control-Allow-Origin header, and passes the data up to the page. If it cannot find this header (or the value does not match), it reports an error to the page and discards the data it received.
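To make the two halves of that exchange concrete, here is an added example (not code from the original post) that models them as plain functions: the server side decides which Access-Control-Allow-Origin header to send back for a given request Origin, and the browser side decides whether a cross-origin response is handed to the page or discarded. The allowlist, origin values and the deliberately weak `reflect_any_origin` variant are constructed for the example; note that a browser compares the header against the full origin (scheme, host and port, e.g. `https://domain1.com`), not just the bare domain name.

```python
"""Model of CORS enforcement: server-side header selection, browser-side check.

Added example, not part of the original post. Origins and the allowlist
below are constructed for illustration.
"""
from typing import Dict, Optional

# Constructed allowlist: the origins domain2.com is willing to share pages with.
ALLOWED_ORIGINS = frozenset({"https://domain1.com"})


def cors_response_headers(request_origin: Optional[str],
                          allowed=ALLOWED_ORIGINS) -> Dict[str, str]:
    """Server side: pick the CORS headers for a response.

    A browser adds an Origin request header to cross-origin requests; a
    same-origin request or a non-browser client typically sends none.
    Only origins on the allowlist get an Access-Control-Allow-Origin
    header. 'Vary: Origin' tells caches the response differs per origin.
    """
    if request_origin is None:
        return {}  # nothing to add; the browser will treat it as not shared
    if request_origin in allowed:
        return {"Access-Control-Allow-Origin": request_origin,
                "Vary": "Origin"}
    return {}  # not on the list: say nothing, the browser blocks the read


def reflect_any_origin(request_origin: Optional[str]) -> Dict[str, str]:
    """Weak variant, shown for contrast: echoing whatever Origin arrives.

    This grants read access to every site on the web, i.e. it behaves like
    '*' while looking like a per-origin decision. Prefer cors_response_headers.
    """
    if request_origin is None:
        return {}
    return {"Access-Control-Allow-Origin": request_origin}


def browser_allows(page_origin: str, response_headers: Dict[str, str]) -> bool:
    """Browser side: the check a browser performs on a cross-origin response.

    Returns True if the page at page_origin may read the response body,
    False if the browser must discard it and raise an error to the page.
    """
    acao = response_headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False          # no header at all: blocked
    if acao == "*":
        return True           # wildcard: any origin may read it
    return acao == page_origin  # exact match only


if __name__ == "__main__":
    page = "https://domain1.com"
    # Allowed origin: server cooperates, browser passes data to the page.
    hdrs = cors_response_headers(page)
    print(page, "->", hdrs, "readable:", browser_allows(page, hdrs))
    # Unknown origin: server stays silent, browser discards the response.
    other = "https://other.example"
    hdrs = cors_response_headers(other)
    print(other, "->", hdrs, "readable:", browser_allows(other, hdrs))
    # Reflecting server: the unknown origin is suddenly allowed to read.
    hdrs = reflect_any_origin(other)
    print(other, "(reflecting) ->", hdrs, "readable:", browser_allows(other, hdrs))
```

A non-browser client has no equivalent of `browser_allows`: it simply reads the body regardless of the header, which is why the post is right that CORS protects nothing against tools that are not browsers. On the server side, the thing to audit is the gap between `cors_response_headers` (allowlist) and `reflect_any_origin` (echo), since the two look identical in a single response.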
