
CORS Essentials

Book Description

Share code and assets across domains in Web applications with CORS

About This Book

  • A step-by-step guide, but at a high level and fast pace. Not all steps are covered, as basic knowledge is assumed
  • Provides a basic overview of the concepts, but the focus is on the practical skills required to develop applications
  • Focuses on providing practical examples

Who This Book Is For

Web developers have been limited by the Same Origin Policy and often wish they could spread their application across different domains. You know JavaScript and AJAX, and have run up against the Same Domain Policy, which is limiting your applications.

What You Will Learn

  • Why you need CORS: Bending the Same Origin Policy and basic CORS implementation, headers and XMLHttpRequest
  • Creating proxies for CORS: Sometimes the header is not enough
  • Security: vulnerabilities and how to secure your CORS application
  • CORS implementations in Content Management systems
  • Learn about CORS in Windows applications
  • Take CORS on the Cloud
  • Apply CORS in Node.js
  • Best practices for CORS

In Detail

This book explains how to use CORS, including specific implementations for platforms such as Drupal, WordPress, IIS Server, ASP.NET, JBoss, Windows Azure, and Salesforce, as well as how to use CORS in the Cloud on Amazon AWS, YouTube, Mulesoft, and others. It examines limitations, security risks, and alternatives to CORS. It explores the W3C Specification and major developer documentation sources about CORS. It attempts to predict what kinds of extensions to the CORS specification, or completely new techniques, will come in the future to address the limitations of CORS.

Web developers will learn how to share code and assets across domains with CORS. They will learn a variety of techniques that are rather similar in their method and syntax. The book is organized by similar types of framework and application, so it can be used as a reference. Developers will learn about special cases, such as when a proxy is necessary. And they will learn about some alternative techniques that achieve similar goals, and when they may be preferable to using CORS.

Style and approach

A step-by-step guide filled with real-world applications

Downloading the example code for this book

You can download the example code files for all Packt books you have purchased from your account at http://www.PacktPub.com. If you purchased this book elsewhere, you can visit http://www.PacktPub.com/support and register to have the code files.

Table of Contents

  1. CORS Essentials
    1. Table of Contents
    2. CORS Essentials
    3. Credits
    4. About the Authors
    5. www.PacktPub.com
      1. eBooks, discount offers, and more
        1. Why subscribe?
    6. Customer Feedback
    7. Preface
      1. What this book covers
      2. What you need for this book
      3. Who this book is for
      4. Conventions
      5. Reader feedback
        1. Customer support
        2. Errata
        3. Piracy
        4. Questions
    8. 1. Why You Need CORS
      1. The same-origin policy
      2. Considering the origin of entities
        1. Internet Explorer exception policy
      3. Commonly allowed cross-origin resource sharing
        1. DOM elements allowed for cross-origin sharing
        2. Allowing cross-origin sharing in WebSockets
        3. Limited cross-origin JavaScript API access
      4. Permissions required by JavaScript
        1. JavaScript data storage access is strictly limited by origin
      5. How CORS works – the header and the request
        1. The CORS header
        2. Example 1 – CORS request with JavaScript
          1. Passing a request to a utility function
        3. Example 2: the CORS transaction to retrieve the title tag
        4. Distributing DOM elements to multiple domains
          1. Putting it all together
          2. Securing when all domains are whitelisted
          3. Methods to add security when a CORS header whitelists all domains
        5. Simple CORS request methods
      6. CORS with Preflight
        1. Triggering a preflight by setting a custom header
          1. The preflight request
          2. The preflight response
        2. CORS via jQuery
        3. Known issues with CORS preflight
          1. Preflight in Firefox
          2. Preflight in Chrome
          3. Preflight in Internet Explorer
        4. Non-simple CORS request methods and headers require preflight
        5. Checking for the withCredentials property
      7. Troubleshooting and debugging CORS
        1. Browser support for crossorigin attribute in the <script> tag
      8. CORS with jQuery
        1. jQuery CORS AJAX plugin
      9. Enabling CORS globally with server configuration
      10. Alternatives to CORS
        1. Example of JSON-P
        2. Using JSON-P – limitations and risks
        3. Proposed JSON-P validation standard
        4. WebSocket
          1. WebSocket handshakes
          2. WebSocket and cross-domain resource sharing
          3. Risks of using WebSocket for cross-domain resource sharing
        5. The window.postMessage method
          1. postMessage risks and security measures
      11. Summary
    9. 2. Creating Proxies for CORS
      1. Proxies and the World Wide Web
      2. What is a proxy server?
      3. Reasons to use a proxy
        1. Avoid mixing up protocols
        2. Some API platforms require proxies or CORS
        3. Getting through a local network firewall
        4. Types of proxy server
      4. Creating a proxy server with Google App Engine
        1. Reverse proxy server
        2. Reverse proxy server with Apache VirtualHost and .htaccess
          1. Reverse proxy server in node.js
      5. Summary
    10. 3. Usability and Security
      1. CORS usability
        1. Browser support for CORS
        2. Detecting AJAX support in the browser
        3. Using preflight for non-simple CORS requests
        4. The HTTP request headers
        5. HTTP response headers
      2. Enhancing security in CORS
        1. Limiting access when using the Access-Control-Allow-Origin: * wildcard
          1. Trusting the HTTP_ORIGIN header is not recommended
          2. Requests with credentials
        2. CORS security cheat sheet by OWASP
      3. Summary
    11. 4. CORS in Popular Content Management Frameworks
      1. Incoming CORS requests
      2. SAAS or self-hosted?
      3. CORS in WordPress
        1. Limited support for CORS in SAAS WordPress.com
          1. Unauthenticated GET requests to WordPress.com
          2. Authenticated requests to WordPress.com
        2. CORS in self-hosted WordPress
          1. Adding the Access-Control-Allow-Origin header in a template
          2. WordPress plugins for CORS
            1. WP-CORS plugin for WordPress
            2. Allow CORS XML-RPC plugin for WordPress
      4. CORS in Drupal
        1. Enabling CORS in Drupal with custom code
          1. Using the drupal_add_http_header function
          2. Adding CORS support with .htaccess
          3. Adding the CORS headers with custom code
        2. Drupal contributed modules for CORS
          1. Drupal CORS module
        3. Drupal CDN module
        4. Drupal Amazon S3 CORS upload module
        5. CORS in Drupal 8 core
      5. CORS in Joomla!
        1. setHeader in JApplication web
        2. matware-libraries on GitHub
        3. Allowing CORS in the .htaccess file
      6. CORS in Adobe Experience Manager
        1. The com.adobe.cq.social.commons.cors package
          1. Methods in the CORSAuthenticationFilter class
          2. Methods in the CORSConfig class
          3. Methods in the CORSAuthInfoPostProcessor class
        2. Adding CORS headers in Scene 7 with a ruleset
        3. Configuring the Sling Referrer Filter in the CRX Console
      7. Summary
    12. 5. CORS in Windows
      1. Incoming CORS requests
      2. How to set the Access-Control-Allow-Origin header globally in Windows IIS Server
        1. Setting CORS headers globally with web.config for IIS7 Server
        2. Setting CORS headers globally with IIS manager for IIS 8.5 and higher
      3. CORS in the ASP.NET Web API
        1. Enabling CORS in the ASP.NET Web API
        2. Installing the Web API Cross-Origin Support Package
        3. Enabling the CorsMessageHandler
        4. The EnableCorsAttribute class sets the CORS policies
        5. Configuring the EnableCors class attributes in the ASP.NET Web API
          1. Example: setting CORS policy for HTTP methods GET, PUT, and POST
          2. Setting CORS policy with wildcards
            1. Example: Setting CORS policy globally with wildcards
            2. Example: Setting a global CORS policy with the WebApiConfig class
          3. Disallowing CORS in classes or methods
            1. Example: Using explicit values for HTTP methods
            2. Example: Using the DisableCors attribute
        6. Dynamic ASP.NET Web API CORS policies
          1. Custom CORS policy attribute classes
            1. Example: A custom CORS policy class
          2. Custom policy provider factory
            1. Registering the DynamicPolicyProviderFactory in WebApiConfig
            2. Example: A custom CORS policy provider factory
        7. Debugging the ASP.NET Web API Cross-Origin support framework
          1. Server-side debugging
          2. Client-side debugging
      4. CORS in Windows Communication Foundation
      5. CORS in Windows browsers – Internet Explorer and Edge
      6. Summary
    13. 6. CORS in the Cloud
      1. CORS requests in cloud APIs
      2. CORS in Amazon Simple Storage Service (S3)
        1. Scenarios for needing CORS in Amazon S3
        2. How to enable CORS on an S3 bucket
        3. Elements in an S3 CORSRule
          1. AllowedOrigin element (required)
          2. AllowedMethod element (required)
          3. AllowedHeader element (optional, required for preflight)
          4. MaxAgeSeconds element (optional)
          5. ExposeHeader element (optional)
        4. CORSConfiguration CORSRules with required elements
        5. CORSConfiguration CORSRule with optional elements
        6. How does Amazon S3 evaluate the CORS Configuration on a bucket?
      3. Using CORS in Google Cloud Storage
        1. Configuring CORS on a bucket in Google Cloud Storage
          1. Using gsutil cors set in Google Cloud Storage
          2. Using the XML API in Google Cloud Storage
            1. Getting CORS configuration for a bucket with the XML API
            2. Putting a CORSConfig on a bucket with the XML API
        2. Troubleshooting CORS-related problems in Google Cloud Storage
          1. Problems with headers
          2. Problems with cached preflight requests
          3. Problems with the resumable upload protocol
      4. Authenticated access to Google APIs with CORS
        1. Google API Keys
        2. Adding the Google API client library for JavaScript
        3. The Google API CORS request
        4. Authenticated CORS requests to Google APIs with OAuth
          1. Example using the Authorization request header
          2. Example using the access_token in the URL parameter
      5. CORS in IBM Cloudant
        1. How to GET or PUT a CORS configuration in IBM Cloudant
          1. How to GET a CORS Configuration
          2. Set or Modify a CORS Configuration
        2. Security considerations when using CORS in IBM Cloudant
      6. CORS in Windows Azure Storage
        1. CORS usage scenarios for Windows Azure Storage
          1. CORS for Windows Azure Blobs (file uploads)
          2. CORS for Windows Azure Table
        2. Preflight requests in Windows Azure
        3. Code examples for CORS in Windows Azure
          1. Static CORS rules in Windows Azure
          2. Dynamically configuring CORS in Windows Azure
            1. Enabling CORS on a Windows Azure Storage account for the blob (file) service
          3. JavaScript code for uploading an image to a Windows Azure Storage Blob service with CORS in ASP.NET
          4. CORS on a Windows Azure Storage account for the table service
      7. CORS in Box API
      8. CORS in the Dropbox API
      9. Summary
      10. References
    14. 7. CORS in Node.js
      1. JavaScript frameworks are very popular
      2. Introduction to Node.js
      3. JavaScript frameworks that work with Node.js
        1. Express.js is a Node.js server framework
        2. AngularJS extends static HTML with dynamic views
        3. Connect.js provides middleware for Node.js requests
        4. Backbone.js often uses a Node.js server
        5. ReactJS handles user interfaces
        6. Socket.IO uses WebSockets for real-time, event-driven applications
        7. Ember.js can use Node.js
      4. CORS in Express.js
      5. CORS npm for Express.js using Connect.js middleware
        1. Configuration options for CORS npm
        2. Code examples for CORS npm
          1. Enable CORS globally for all origins and all routes
          2. Allowing CORS for dynamic origins for a specific route
          3. Enabling CORS preflight
          4. Configuring CORS asynchronously
      6. CORS in AngularJS
        1. Enabling CORS in AngularJS
        2. Making a CORS request in AngularJS
      7. CORS in Backbone.js
        1. Using Backbone.CrossDomain to modify Backbone.sync
        2. How to proxy Backbone.sync for cross-domain requests
        3. jQuery Ajax needs to use the XHR Header
        4. Ember.js also relies on CORS-enabled jQuery AJAX
        5. Socket.IO manages origins for security
      8. Node.js and JavaScript frameworks are evolving rapidly
      9. Summary
      10. References
    15. 8. CORS Best Practices
      1. Enabling an API for public CORS requests
      2. Limiting an API to allow CORS requests from a whitelisted set of origins
      3. Protecting against cross-site request forgery (CSRF)
        1. Minimizing preflight requests
      4. Summary
    16. Index