commit
a57edc1036
1 changed files with 3 additions and 3 deletions
|
@ -20,7 +20,7 @@ Cross-origin requests -- those sent to another domain (even a subdomain) or prot
|
|||
|
||||
That policy is called "CORS": Cross-Origin Resource Sharing.
|
||||
|
||||
## Why CORS is needed? A brief history
|
||||
## Why is CORS needed? A brief history
|
||||
|
||||
CORS exists to protect the internet from evil hackers.
|
||||
|
||||
|
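Review bot: Renaming the heading to "## Why is CORS needed? A brief history" can change the anchor generated from the heading text, if the site derives anchors that way. Please check for links elsewhere in the tutorial that point at the old heading and update them in the same commit. The grammar fix itself is correct.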
@ -95,7 +95,7 @@ That works, and doesn't violate security, because both sides agreed to pass the
|
|||
|
||||
After a while, networking methods appeared in browser JavaScript.
|
||||
|
||||
At first, cross-origin requests were forbidden. But as a result of long discussions, cross-origin requests were allowed, but any new capabilities unless require an explicit allowance by the server, expressed in special headers.
|
||||
At first, cross-origin requests were forbidden. But as a result of long discussions, cross-origin requests were allowed, but with any new capabilities requiring an explicit allowance by the server, expressed in special headers.
|
||||
|
||||
## Simple requests
|
||||
|
||||
|
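Review bot: The rewritten sentence still chains "But ... but" and repeats "cross-origin requests" twice in one sentence, so it remains hard to read. Suggest something like: "At first, cross-origin requests were forbidden. After long discussions they were allowed, with any new capabilities requiring explicit permission from the server, expressed in special headers." Since this sentence introduces the opt-in model the rest of the article relies on, it is worth getting it clean in one pass.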
@ -341,7 +341,7 @@ Access-Control-Allow-Origin: https://javascript.info
|
|||
Access-Control-Allow-Credentials: true
|
||||
```
|
||||
|
||||
Please note: `Access-Control-Allow-Origin` is prohibited from using a star `*` for requests with credentials. Like shown above, there must be exactly the origin there. That's an additional safety measure, to ensure that the server really knows who it trusts to make such requests.
|
||||
Please note: `Access-Control-Allow-Origin` is prohibited from using a star `*` for requests with credentials. Like shown above, it must provide the exact origin there. That's an additional safety measure, to ensure that the server really knows who it trusts to make such requests.
|
||||
|
||||
## Summary
|
||||
|
||||
|
|
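Review bot: In "Like shown above, it must provide the exact origin there", the pronoun "it" refers back to the `Access-Control-Allow-Origin` header, and a header does not "provide" anything; the server sets it. Suggest: "As shown above, the server must put the exact origin there." That also fixes "Like shown above", which should be "As shown above". Because this note documents a security restriction (no `*` together with credentials), the subject of the sentence should be unambiguous.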