= CORS (cross origin resource sharing) =

 * https://www.tutorialspoint.com/spring_boot/spring_boot_cors_support.htm
   Cross-Origin Resource Sharing (CORS) is a security concept that allows restricting the resources implemented in web browsers. It prevents the JavaScript code producing or consuming the requests against a different origin.
 * https://en.wikipedia.org/wiki/Cross-origin_resource_sharing
   The CORS standard describes new HTTP headers which provide browsers a way to request remote URLs only when they have permission.
 * https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin#Examples
   Limiting the possible '''Access-Control-Allow-Origin''' values to a set of allowed origins requires code on the server side to check the value of the Origin request header, compare that to a list of allowed origins, and then, if the Origin value is in the list, to set the '''Access-Control-Allow-Origin''' value to the same value as the Origin value.

== Headers ==

 * https://en.wikipedia.org/wiki/Cross-origin_resource_sharing#Headers

Response headers:

 * Access-Control-Allow-Origin
 * Access-Control-Allow-Credentials

== PHP example ==

=== read.example.org/index.php ===

{{{#!highlight php
}}}

=== auth.example.org/index.php ===

{{{#!highlight php
}}}

=== app.example.org/index.html ===

{{{#!highlight html
}}}

=== Apache vhosts configuration ===

{{{
# The <VirtualHost> and <Directory> container lines were lost when this page was
# extracted; they are restored below. Listening on port 80 is an assumption.
<VirtualHost *:80>
    ServerName app.example.org
    DocumentRoot "/var/www/htdocs/app.example.org"
    <Directory "/var/www/htdocs/app.example.org">
        Require local
        AllowOverride All
    </Directory>
</VirtualHost>

<VirtualHost *:80>
    ServerName auth.example.org
    DocumentRoot "/var/www/htdocs/auth.example.org"
    <Directory "/var/www/htdocs/auth.example.org">
        Require local
        AllowOverride All
    </Directory>
</VirtualHost>

<VirtualHost *:80>
    ServerName read.example.org
    DocumentRoot "/var/www/htdocs/read.example.org"
    <Directory "/var/www/htdocs/read.example.org">
        Require local
        AllowOverride All
    </Directory>
</VirtualHost>
}}}

== Spring pointers ==

 * https://spring.io/guides/gs/rest-service-cors/
 * https://www.baeldung.com/spring-cors

Just adding the annotation @CrossOrigin on an endpoint makes it accept all origins.

== Firefox browser tests ==

The URL in the tab where the test is made must be different from the URL called in window.fetch().

=== No CORS support on server side ===

{{{#!highlight javascript
window.fetch('http://localhost:8080/').then((response) => {
    response.text().then((data) => {
        console.log(data);
    });
});
}}}

Outputs something like

{{{
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://localhost:8080/. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing). Status code: 200.
Uncaught (in promise) TypeError: NetworkError when attempting to fetch resource.
}}}

=== CORS support on server side ===

Returns header '''Access-Control-Allow-Origin: *'''

{{{#!highlight javascript
window.fetch('http://localhost:8080/').then((response) => {
    response.text().then((data) => {
        console.log(data);
    });
});
}}}

Outputs something like

{{{
Hello world
}}}

curl output

{{{#!highlight bash
curl http://localhost:8080/ -vvv
*   Trying ::1:8080...
* Connected to localhost (::1) port 8080 (#0)
> GET / HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.74.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< X-Powered-By: Stuff
< Access-Control-Allow-Origin: *
< Content-Type: text/html; charset=utf-8
< Content-Length: 12
< ETag: W/"c-6eJ/8x1yhzVLKoaKtBjtX4fCBSk"
< Date: Thu, 27 Oct 2022 20:41:15 GMT
< Connection: keep-alive
< Keep-Alive: timeout=5
<
* Connection #0 to host localhost left intact
Hello world
}}}
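The server in the test above answers every origin with '''Access-Control-Allow-Origin: *''', which is the same policy a bare @CrossOrigin gives a Spring endpoint. The MDN pointer at the top of the page describes the stricter alternative: compare the Origin request header against an allow-list and echo it back only on an exact match. The following is an added example, not code from this page or from any of the linked projects; it implements that check as plain Node.js functions (no dependencies, no listening socket, so the exchange can be inspected directly). The allowed origins, the "Hello world" body and the request headers in the walkthrough are constructed for the example.

```javascript
// Added example, not the wiki page's own code: an origin allow-list check as
// described in the MDN quote above, written as pure functions.
// Allowed origins are constructed to match the page's vhost layout.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.org',
  'http://localhost:3000',
]);

// Decide the CORS response headers for one request.
// `reqHeaders` uses lower-case names, as Node's http module provides them.
// When the Origin is absent or not on the list only `Vary: Origin` is returned;
// the browser then refuses to expose the body to the calling script, which is
// the "Access-Control-Allow-Origin missing" error shown in the Firefox test.
function corsHeadersFor(reqHeaders, { allowCredentials = false } = {}) {
  const origin = reqHeaders['origin'];
  // Vary: Origin stops a shared cache from replaying one origin's answer to another.
  const headers = { 'Vary': 'Origin' };
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return headers;

  // Echo the Origin only after an exact allow-list match. Reflecting any Origin
  // unconditionally, or combining "*" with credentials, defeats the check.
  headers['Access-Control-Allow-Origin'] = origin;
  if (allowCredentials) headers['Access-Control-Allow-Credentials'] = 'true';

  // Preflight (OPTIONS carrying Access-Control-Request-Method): state what is permitted.
  if (reqHeaders['access-control-request-method']) {
    headers['Access-Control-Allow-Methods'] = 'GET, POST, OPTIONS';
    const requested = reqHeaders['access-control-request-headers'];
    if (requested) headers['Access-Control-Allow-Headers'] = requested;
    headers['Access-Control-Max-Age'] = '600';
  }
  return headers;
}

// Request handler modelled on the page's "Hello world" server. It returns a
// plain object instead of writing to a socket so the full exchange is visible.
function handleRequest(method, reqHeaders) {
  const cors = corsHeadersFor(reqHeaders, { allowCredentials: true });
  if (method === 'OPTIONS') {
    // A preflight answer carries no body.
    return { status: 204, headers: cors, body: '' };
  }
  return {
    status: 200,
    headers: { ...cors, 'Content-Type': 'text/plain; charset=utf-8' },
    body: 'Hello world',
  };
}

// Walk through the three cases worth checking: allowed origin, foreign origin,
// and a preflight from an allowed origin. Request headers are constructed.
const cases = [
  ['GET', { origin: 'https://app.example.org' }],
  ['GET', { origin: 'https://other.example.net' }],
  ['OPTIONS', {
    origin: 'https://app.example.org',
    'access-control-request-method': 'POST',
    'access-control-request-headers': 'content-type',
  }],
];
for (const [method, hdrs] of cases) {
  console.log(method, hdrs.origin, JSON.stringify(handleRequest(method, hdrs)));
}
```

The second case is the one to look at: the foreign origin still receives the 200 response and the body (as the curl transcript above shows, CORS never hides anything from a non-browser client), but without an Access-Control-Allow-Origin header the browser blocks the read, exactly as in the "No CORS support on server side" test.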