17 Cross-Origin Resource Sharing

This chapter covers

  • Understanding the same-origin policy
  • Sending and receiving simple CORS requests
  • Implementing CORS with django-cors-headers
  • Sending and receiving preflighted CORS requests

In chapter 15, you learned that an origin is defined by the protocol (scheme), host, and port of a URL. Every browser implements a same-origin policy (SOP). The goal of this policy is to ensure that certain resources are accessible only to documents with the same origin. This prevents a page with an origin of mallory.com from gaining unauthorized access to a resource originating from ballot.charlie.com.

Think of Cross-Origin Resource Sharing (CORS) as a way to relax the browser’s SOP. This allows social.bob.com to load ...
