
Re: CORS explained simply

From: Odin Hørthe Omdal <odinho@opera.com>
Date: Fri, 20 Feb 2015 14:10:30 +0100
Message-Id: <1424437830.1456708.230136089.435479C0@webmail.messagingengine.com>
To: Anne van Kesteren <annevk@annevk.nl>, chaals@yandex-team.ru
Cc: Brad Hill <hillbrad@gmail.com>, henry.story@bblfish.net, WebAppSec WG <public-webappsec@w3.org>

On Fri, Feb 20, 2015, at 11:59, Anne van Kesteren wrote:
> CORS addresses two needs:
> 
> 1) Reading the contents of a resource across origins (not possible so
> far)
> 
> 2) Allowing more types of fetches (with other methods and headers) to
> be made across origins.
> 
> Of those, 1) requires altering the response by including some header
> that indicates sharing the body with the other origin is okay and 2)
> requires a preflight.
> 
> The original CORS specification called fetches that did not require a
> preflight "simple", but I have not carried that terminology over into
> Fetch. It is somewhat confusing.

I seem to remember I did a chart showing such a "simple" CORS request:

<http://odin.s0.no/tmp/Hodges_odinho-CORS-Diagram-SimpleRequest.svg>

It wasn't used since it needed some fixes, which I didn't do, and I also
don't remember what they were. :)

I think it might look a bit strange on some machines if you don't have
an appropriate font.  It'd be nice to also show a preflight request, and
also the case where there is no CORS header from the server (and thus
the user agent won't let the page read the "hello world" reply).

-- 
  Odin Hørthe Omdal
  odinho@opera.com
Received on Friday, 20 February 2015 13:11:10 UTC
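
Added example, not part of the original message or of any specification text: a simplified JavaScript model of the two decisions discussed in this thread, namely whether a cross-origin request needs a preflight and whether the page may read the response. The function names, the origin https://app.example and the sample cases are constructed for illustration, and the safelists omit the value-length and Range rules of the Fetch standard.

```javascript
// Simplified model of a user agent's two CORS decisions (assumption: not a
// full Fetch implementation; preflight response checks are not modelled).
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// Need 2 in the thread: does this cross-origin request require a preflight?
function needsPreflight(method, headers = {}) {
  if (!SAFE_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const n = name.toLowerCase();
    if (SAFE_HEADERS.has(n)) continue;
    if (n === "content-type") {
      // Only the MIME essence matters; parameters such as charset are ignored.
      const mime = value.split(";")[0].trim().toLowerCase();
      if (SAFE_CONTENT_TYPES.has(mime)) continue;
    }
    return true; // any other author-set header forces a preflight
  }
  return false;
}

// Need 1 in the thread: may the page read the response body?
function canReadResponse(pageOrigin, responseHeaders, withCredentials = false) {
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) h[k.toLowerCase()] = v;
  const allow = h["access-control-allow-origin"];
  if (allow === undefined) return false; // no CORS header: body stays opaque
  if (withCredentials) {
    // The wildcard is not honoured for credentialed requests.
    return allow === pageOrigin && h["access-control-allow-credentials"] === "true";
  }
  return allow === "*" || allow === pageOrigin;
}

// Constructed cases: simple request, preflighted request, missing header.
const ORIGIN = "https://app.example"; // hypothetical page origin
const cases = [
  ["simple GET, server opts in", "GET", {}, { "Access-Control-Allow-Origin": ORIGIN }],
  ["JSON POST, server opts in", "POST", { "Content-Type": "application/json" },
    { "Access-Control-Allow-Origin": "*" }],
  ["simple GET, no CORS header", "GET", {}, { "Content-Type": "text/plain" }],
];
for (const [label, method, reqHeaders, resHeaders] of cases) {
  console.log(label, "| preflight:", needsPreflight(method, reqHeaders),
    "| readable:", canReadResponse(ORIGIN, resHeaders));
}
```

In the third case the request still reaches the server and is processed; only the page's ability to read the reply is withheld, so a missing CORS header does not by itself stop state-changing requests that need no preflight.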
