Published on Jan 22 2023
Last updated on Apr 23 2024
Cross-Origin Resource Sharing, or CORS for short, is a mechanism used by web browsers to allow requests made from one domain to access resources on another domain. In simpler terms, it allows websites to interact with resources from different domains. This is important for modern web applications that rely on multiple domains to deliver content and services to users.
Before we dive deeper into CORS, let's first understand the same-origin policy. The same-origin policy is a security feature built into web browsers that prevents a web page from making requests to a different domain than the one it was loaded from. This is to prevent malicious scripts from accessing sensitive information from other domains without the user's consent.
However, there are situations where it is necessary to access resources on another domain. For example, a website may want to display an image or video hosted on another domain, or an API may need to be accessed from a different domain to retrieve data. This is where CORS comes in.
CORS is a set of HTTP headers that allow a server to specify which domains are allowed to access its resources. When a web page makes a request to a server, the server includes these headers in its response to indicate whether the request is allowed or not. If the request is allowed, the browser can access the resource and display it on the web page.
What are HTTP headers?
HTTP headers are pieces of information that are sent between a web server and a web client (usually a web browser) as part of an HTTP request or response. These headers provide additional information about the request or response, such as the content type, the location of a resource, the cache policy, authentication credentials, and more. They allow web applications to communicate additional information beyond the standard request/response, and help to facilitate the transfer of data between the server and client.
Now, let's look at some of the most common problems you may run into with CORS:
When a web page makes a request to a server that is not allowed by CORS, the server will return a CORS error. This error can occur if the server does not include the necessary CORS headers in its response or if the headers are not configured correctly. For example, if a website tries to access an API from a different domain without the proper CORS headers, it will result in a CORS error.
Example: Let's say you have a website that wants to access an API hosted on a different domain. If the API does not have the necessary CORS headers configured, the website will not be able to access the API and will return a CORS error.
When a web page makes a request that requires preflighting, the browser will send an OPTIONS request to the server before sending the actual request. This OPTIONS request is used to check if the server allows the actual request. If the server does not allow the OPTIONS request, the browser will return a CORS error. This can happen if the server does not handle preflight requests properly.
Examples: Suppose you have a website that wants to send a PUT request to an API hosted on a different domain. The browser will first send an OPTIONS request to the API to check if the PUT request is allowed. If the API does not respond with the correct CORS headers, the browser will return a CORS error.
By default, CORS requests do not include credentials such as cookies or authorization headers. If you need to include credentials in your CORS requests, you need to set the 'withCredentials' flag to true. This is important for websites that require users to log in or authenticate to access certain resources.
Example: Imagine you have a website that requires users to log in to access certain resources. If you want to make a CORS request that includes user credentials, such as cookies or an authorization header, you need to set the 'withCredentials' flag to true. If you forget to set this flag, the browser will not send the credentials with the request, and the server may not authenticate the user.
When making CORS requests, the browser will cache the preflight response for a period of time. If the preflight response changes during this time, the browser may return a CORS error even if the new response is valid. This can be a frustrating problem to debug since it may seem like the CORS headers are not being set correctly.
Example: Let's say you have a website that makes a CORS request to an API. The browser will cache the preflight response for a period of time. If the preflight response changes during this time, the browser may return a CORS error even if the new response is valid. This can be a frustrating problem to debug since it may seem like the CORS headers are not being set correctly.
Some older browsers do not support CORS, which can cause problems when making cross-domain requests. In these cases, you may need to use other techniques such as JSONP or a proxy server to make the request. This is rare, but it's something to keep in mind if you're developing for older browsers.
Example: Suppose you are developing a website that needs to support older browsers that do not support CORS. In this case, you may need to use other techniques such as JSONP or a proxy server to make cross-domain requests. For example, you could use JSONP to request data from an API by injecting a script tag into the web page that loads the data from the API.
CORS is an important mechanism that allows websites to access resources on other domains. However, it can also cause problems if not configured correctly. By understanding the most common problems with CORS, you can ensure that your web applications are properly configured and avoid any issues with cross-domain requests.
Written by Alissa Nguyen
FollowAlissa Nguyen is a software engineer with main focus is on building better software with latest technologies and frameworks such as Remix, React, and TailwindCSS. She is currently working on some side projects, exploring her hobbies, and living with her two kitties.
Learn more about me
If you found this article helpful.
You will love these ones as well.
Built and designed by Alissa Nguyen a.k.a Tam Nguyen.
Copyright © 2025 All Rights Reserved.