web:http:cross

About

A cross-origin request is a request that was not created by code (html page, javascript, …)) of the same origin.

A cross site request shares the same top level domain but may be not of same origin if they don't have the same domain

A request that is not a cross-origin request is a same origin request.

A page may contain images or other components stored on servers in other domains (for example, ad banners), which performs then cross_origin request and may set third-party cookies. (Used mainly for advertising and tracking across the web)

Method

Browser - Cross Origin Resource Sharing (CORS)
window.postMessage() enables cross-origin communication between Window objects.
This HTML elements are able to create cross-origin request:
- img,
- script,
- and form.

Security

You can prevent bad cross origin request:

by setting the cors setting on the server level
by creating a CSRF token for a form.
by setting the crossorigin attributes on HTML elements
by controlling that the origin of the request comes from the same origin than when the authentication has occured.

Cookies from the same origin than the destination server are always sent cross-origin to enables user-specific cross-origin APIs

Allowed header

Only the following headers are allowed cross domain:

Accept
Accept-Language
Content-Language
Last-Event-ID
Content-Type

any others cause a CORS Pre-flight request.

Table of Contents

About

Method

Security

Allowed header