My understanding of CORS

CORS (Cross-Origin Resource Sharing) is mainly a client-side matter (more accurately, a browser matter). It is a policy enforced by modern browsers to block access to resources on different origins (domains). For example, a JavaScript code on is trying to access a URL on via an Ajax call; this is a cross-domain request, which your browser prohibits by default. However, you can write your own browser to work around it. Other client apps can ignore this policy entirely and visit other domains freely. It has almost nothing to do with the server unless the server wants to cooperate with browsers to share resources. If wants to share a page with, i.e., it wants the browsers visiting can get pages from, the web server should send a specific header called Access-Control-Allow-Origin for those pages. In this header, *) should be specified, which means allowing to get the page. The browser receives the header and sees is in the header Access-Control-Allow-Origin, so it continues to transfer the data to the upper layer. If it cannot see this header, it will report an error to the upper layer and discard the other data it received.
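
The header check described above, modeled as an added example (not code from the original post, and not real browser internals). The `.example` origins, the allowlist and every function name are assumptions made for illustration.

```javascript
// Added example: a simplified model of the check described above.
// All origins below are constructed sample values.

// An origin is scheme + host + port, as serialized by the URL parser.
const originOf = (url) => new URL(url).origin;

// Server side (hypothetical helper): pick the Access-Control-Allow-Origin
// value for a request, or null to send no header at all.
function allowOriginHeader(requestOrigin, allowlist) {
  if (allowlist.includes("*")) return "*";
  return allowlist.includes(requestOrigin) ? requestOrigin : null;
}

// Browser side (model): may the page's script read this response?
function browserExposesResponse(pageUrl, targetUrl, responseHeaders) {
  const pageOrigin = originOf(pageUrl);
  if (pageOrigin === originOf(targetUrl)) return true; // same origin, no check
  // Header names are case-insensitive, so normalize before the lookup.
  const headers = Object.fromEntries(
    Object.entries(responseHeaders).map(([k, v]) => [k.toLowerCase(), v])
  );
  const acao = headers["access-control-allow-origin"];
  if (acao === undefined) return false; // no header: script gets an error
  return acao === "*" || acao === pageOrigin; // exact string match only
}

// The server builds its response; the body is sent either way.
function serve(requestOrigin, allowlist) {
  const value = allowOriginHeader(requestOrigin, allowlist);
  const headers = value === null ? {} : { "Access-Control-Allow-Origin": value };
  return { headers, body: "page content" };
}

// What each kind of client ends up with for the same response.
function clientView(kind, pageUrl, targetUrl, response) {
  if (kind !== "browser") return response.body; // other clients skip the policy
  return browserExposesResponse(pageUrl, targetUrl, response.headers)
    ? response.body
    : null; // browser discards the data and reports an error to the script
}

const page = "https://app.example/index.html";
const api = "https://api.example/page";
const shared = serve(originOf(page), ["https://app.example"]);
const unshared = serve(originOf(page), ["https://other.example"]);
console.log(clientView("browser", page, api, shared));
console.log(clientView("browser", page, api, unshared));
console.log(clientView("script-client", page, api, unshared));
```

The last call returns the body even though no header was sent, which is why Access-Control-Allow-Origin cannot stand in for server-side access control.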
