HTTP - Cross-Origin Request

About

A cross-origin request is a request made by code (an HTML page, a script, …) whose origin (scheme, host and port) differs from the origin of the requested URL.

A cross-site request is a different notion. Two URLs are same-site when they share the same registrable domain (for example app.example.com and api.example.com both belong to example.com), so a request can be same-site and yet cross-origin when the host, the port or the scheme differs. A request is cross-site when even the registrable domain differs.

A request that is not a cross-origin request is a same-origin request.

A page may embed images or other components stored on servers in other domains (ad banners, for instance). Loading them is a cross-origin request, and the responses may set third-party cookies, which is used mainly for advertising and tracking across the web.
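As an added example (not code from the original page), the JavaScript below classifies a pair of URLs as same-origin, same-site or cross-site with the rules above. It relies on the standard URL class; the registrable domain is normally looked up in the Public Suffix List, which is replaced here by a small hard-coded list, an assumption, as are the example.com hostnames.

```javascript
// Added example: origin vs. site classification of two URLs.
// Assumption: a tiny public-suffix list stands in for the real Public Suffix List.
const PUBLIC_SUFFIXES = ["com", "org", "net", "co.uk", "github.io"];

// Origin = scheme + host + port. URL.origin drops default ports
// (https://a.example.com:443 -> https://a.example.com) like a browser does.
function originOf(urlString) {
  return new URL(urlString).origin;
}

// Registrable domain (eTLD+1): the longest matching public suffix plus one label.
// Returns null when the hostname is itself a public suffix (e.g. "github.io").
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.includes(candidate)) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return hostname.toLowerCase(); // unknown suffix or IP literal: the whole host is the site
}

// Site = scheme + registrable domain ("schemeful" same-site, as current browsers apply it).
function siteOf(urlString) {
  const u = new URL(urlString);
  const domain = registrableDomain(u.hostname);
  return domain === null ? null : `${u.protocol}//${domain}`;
}

function classify(requesterUrl, targetUrl) {
  if (originOf(requesterUrl) === originOf(targetUrl)) return "same-origin";
  const a = siteOf(requesterUrl);
  const b = siteOf(targetUrl);
  if (a !== null && a === b) return "same-site, cross-origin";
  return "cross-site";
}

// Constructed sample pairs: a page on https://app.example.com requesting various targets.
const SAMPLE_PAIRS = [
  ["https://app.example.com", "https://app.example.com/api/v1"],   // same-origin
  ["https://app.example.com", "https://api.example.com"],          // same-site, cross-origin
  ["https://app.example.com", "https://app.example.com:8443"],     // same-site, cross-origin (port)
  ["http://app.example.com", "https://app.example.com"],           // cross-site (scheme differs)
  ["https://alice.github.io", "https://bob.github.io"],            // cross-site (github.io is a public suffix)
  ["https://app.example.com", "https://ads.tracker.org"],          // cross-site
];
for (const [from, to] of SAMPLE_PAIRS) {
  console.log(`${from} -> ${to}: ${classify(from, to)}`);
}
```

The github.io pair is the case the public-suffix lookup exists for: without it, two unrelated users' pages would be treated as the same site and, for instance, SameSite cookies would flow between them.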

Method

Security

You can prevent a malicious cross-origin request from having an effect:

  • by configuring CORS on the server (the Access-Control-Allow-Origin and related response headers), which controls which origins are allowed to read a cross-origin response;
  • by creating a CSRF token for each form or state-changing request and verifying it on the server;
  • by setting the crossorigin attribute on HTML elements (img, script, link, …), which decides whether the subresource is fetched with credentials and subject to a CORS check;
  • by checking on the server that the Origin header (or, failing that, the Referer header) of a state-changing request matches the origin where the authentication occurred.

CORS alone is not a CSRF defence: a simple request such as a form POST is sent, with cookies, whether or not the server allows the origin; CORS only decides whether the calling script may read the response.

Cookies are scoped to the destination host (and path), not to the origin that made the request. Unless a SameSite cookie attribute restricts it, the browser attaches the destination's cookies to a cross-origin request as well (for fetch and XMLHttpRequest only when the request is made with credentials included). This is what enables user-specific cross-origin APIs, and it is also why the server-side checks above are needed.

Allowed header

Only the following request headers are CORS-safelisted, that is, allowed on a cross-origin request without a preflight:

  • Accept
  • Accept-Language
  • Content-Language
  • Last-Event-ID (present in older CORS lists such as this one; the current Fetch standard no longer safelists it)
  • Content-Type, and only with the media types application/x-www-form-urlencoded, multipart/form-data or text/plain

A cross-origin fetch or XMLHttpRequest that sets any other header, uses another Content-Type (application/json, for instance) or uses a method other than GET, HEAD or POST causes a CORS preflight request (an OPTIONS request that the server must answer with the matching Access-Control-Allow-* headers) before the actual request is sent. Requests that do not go through fetch or XMLHttpRequest, such as a form submission or an image load, are never preflighted.
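As an added example that is not part of the original page, the function below decides whether a cross-origin fetch or XMLHttpRequest would be preflighted, following the "simple request" rule of the current Fetch standard. It goes slightly beyond the list above: it uses the standard's present safelist (Accept, Accept-Language, Content-Language, Content-Type and a restricted Range), so Last-Event-ID is treated as a preflight trigger, and the Content-Type check looks only at the media type. Only the request side is modelled; nothing is sent over the network.

```javascript
// Added example: does a cross-origin fetch()/XHR trigger a CORS preflight?
// Safelisted values taken from the Fetch standard's "simple request" rule.
const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFELISTED_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type", "range"]);
const SAFELISTED_CONTENT_TYPES = new Set(["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);

// Returns the reasons the browser would preflight this request; an empty list
// means the request goes out directly (cookies included) and only the response
// is subject to the CORS check.
function preflightReasons(method, headers) {
  const reasons = [];
  if (!SAFELISTED_METHODS.has(method.toUpperCase())) {
    reasons.push(`method ${method.toUpperCase()} is not GET, HEAD or POST`);
  }
  for (const [name, value] of Object.entries(headers)) {
    const lname = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lname)) {
      reasons.push(`header ${name} is not CORS-safelisted`);
      continue;
    }
    if (lname === "content-type") {
      // Only the media type counts; parameters such as charset are ignored.
      const mediaType = String(value).split(";")[0].trim().toLowerCase();
      if (!SAFELISTED_CONTENT_TYPES.has(mediaType)) {
        reasons.push(`Content-Type ${mediaType} is not a safelisted media type`);
      }
    } else if (lname === "range" && !/^bytes=\d+-\d*$/.test(String(value))) {
      // Range is safelisted only as a single "bytes=start-end" or "bytes=start-" range.
      reasons.push(`Range value ${value} is not a single simple byte range`);
    }
  }
  // Not modelled: the 1024-byte cap on the combined safelisted header values and
  // the byte-level restrictions on each value, which also force a preflight.
  return reasons;
}

function needsPreflight(method, headers) {
  return preflightReasons(method, headers).length > 0;
}

// Constructed sample requests a script might send to another origin.
const SAMPLES = [
  ["GET", { Accept: "application/json" }],                         // no preflight
  ["POST", { "Content-Type": "application/x-www-form-urlencoded" }], // no preflight (same as a form post)
  ["POST", { "Content-Type": "application/json" }],                // preflight
  ["GET", { Authorization: "Bearer abc" }],                        // preflight
  ["DELETE", {}],                                                  // preflight
  ["PUT", { "X-Requested-With": "XMLHttpRequest" }],               // preflight, two reasons
];
for (const [method, headers] of SAMPLES) {
  const reasons = preflightReasons(method, headers);
  console.log(method, JSON.stringify(headers), reasons.length ? reasons.join("; ") : "no preflight");
}
```

The second sample is the one to remember when reasoning about CSRF: a JSON body forces a preflight that an unallowed origin will fail, but a form-encoded POST does not, so a server that only reads form-encoded bodies must not rely on the preflight as protection.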





Discover More

  • Browser - Web API - Fetch function
  • HTTP - Origin Server (Header Field)
  • HTTP - Referrer-Policy Header
  • HTTP - Request
  • HTTP - Same Origin Request
  • How to resolve a blockage due to a CORS policy error? A getting started guide
  • Security - Third Party (3P)
  • Web Browser - Same-Origin Policy
  • Web Resource - Origin
  • What are the elements of security in HTTP? Security headers and cookie properties explained


