
Re: CORS explained simply

From: Odin Hørthe Omdal <odinho@opera.com>
Date: Fri, 20 Feb 2015 14:10:30 +0100
Message-Id: <1424437830.1456708.230136089.435479C0@webmail.messagingengine.com>
To: Anne van Kesteren <annevk@annevk.nl>, chaals@yandex-team.ru
Cc: Brad Hill <hillbrad@gmail.com>, henry.story@bblfish.net, WebAppSec WG <public-webappsec@w3.org>

On Fri, Feb 20, 2015, at 11:59, Anne van Kesteren wrote:
> CORS addresses two needs:
> 1) Reading the contents of a resource across origins (not possible so
> far)
> 2) Allowing more types of fetches (with other methods and headers) to
> be made across origins.
> Of those, 1) requires altering the response by including some header
> that indicates sharing the body with the other origin is okay and 2)
> requires a preflight.
> The original CORS specification called fetches that did not require a
> preflight "simple", but I have not carried that terminology over into
> Fetch. It is somewhat confusing.

I seem to remember I did a chart showing such a "simple" CORS request:


It wasn't used since it needed some fixes, which I didn't do and also
don't remember what they were. :)

I think it might look a bit strange on some machines if you don't have
an appropriate font.  It'd be nice to also show a preflight request, and
also the case where there is no CORS header from the server (and thus
the user agent won't let the page read the "hello world" reply).

  Odin Hørthe Omdal
Received on Friday, 20 February 2015 13:11:10 UTC
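
The three cases mentioned in the message above (a "simple" request, a request that needs a preflight, and a response with no CORS header), as an added example that is not part of the original thread: a simplified JavaScript model of the user agent's checks, using the "simple" method and header lists of the original CORS specification. The function names, the origin and the header values are constructed for illustration.

```javascript
// Added example: simplified model of a user agent's CORS checks.
// Names and sample values below are constructed for illustration.
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_HEADERS = new Set(["accept", "accept-language", "content-language"]);
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// Need 2 in the quoted text: must a preflight precede this fetch?
function needsPreflight(method, headers = {}) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const n = name.toLowerCase();
    if (SIMPLE_HEADERS.has(n)) continue;
    if (n === "content-type" &&
        SIMPLE_CONTENT_TYPES.has(value.split(";")[0].trim().toLowerCase())) continue;
    return true; // any other author-set header forces a preflight
  }
  return false;
}

// Need 1 in the quoted text: may the page at `origin` read the response?
function mayReadResponse(origin, responseHeaders, withCredentials = false) {
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) h[k.toLowerCase()] = v;
  const allow = h["access-control-allow-origin"];
  if (allow === undefined) return false; // server was still contacted; body is withheld
  if (withCredentials) {
    // "*" is not accepted for credentialed requests
    return allow === origin && h["access-control-allow-credentials"] === "true";
  }
  return allow === "*" || allow === origin;
}

// The three cases from the message, with constructed inputs.
const page = "https://app.example";
const cases = {
  simple: !needsPreflight("GET") &&
    mayReadResponse(page, { "Access-Control-Allow-Origin": page }),
  preflighted: needsPreflight("PUT", { "Content-Type": "application/json" }),
  noCorsHeader: mayReadResponse(page, { "Content-Type": "text/plain" }),
};
console.log(cases); // logs the outcome of each case
```

In the no-header case the server has already received and processed the request; only the page's access to the reply is blocked, so the missing header does not protect state-changing endpoints.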
