CORS Essentials
By Randall Goya and Gunasundaram Rajesh
()
About this ebook
- A step-by-step guide but at a high level/fast pace. Not all steps are covered as a basic knowledge is assumed
- Provides a basic overview of the concepts but the focus is on providing the practical skills required to develop applications
- Focuses on providing practical examples
Web developers have been limited by the Same Origin Policy and often wish they could spread their application across different domains. You know JavaScript and AJAX, and have run up against the Same Domain Policy, which is limiting your applications.
Related to CORS Essentials
Related ebooks
CORS in Action: Creating and consuming cross-origin APIs Rating: 0 out of 5 stars0 ratingsNode.js Web Development - Third Edition Rating: 2 out of 5 stars2/5WebRTC Integrator's Guide Rating: 5 out of 5 stars5/5ASP.NET Core Security Rating: 5 out of 5 stars5/5Node.js Design Patterns Rating: 4 out of 5 stars4/5API Security in Action Rating: 5 out of 5 stars5/5MEAN Web Development Rating: 5 out of 5 stars5/5Node.js Design Patterns - Second Edition Rating: 4 out of 5 stars4/5PHP Microservices Rating: 3 out of 5 stars3/5Web Application Development with MEAN Rating: 0 out of 5 stars0 ratingsMastering JavaScript Single Page Application Development Rating: 0 out of 5 stars0 ratingsRESTful Java Web Services - Second Edition Rating: 0 out of 5 stars0 ratingsExpress in Action: Writing, building, and testing Node.js applications Rating: 4 out of 5 stars4/5Redux in Action Rating: 0 out of 5 stars0 ratingsBuilding Scalable Apps with Redis and Node.js Rating: 0 out of 5 stars0 ratingsGetting Started with React Rating: 0 out of 5 stars0 ratingsCross-Platform Desktop Applications: Using Node, Electron, and NW.js Rating: 0 out of 5 stars0 ratingsJasmine JavaScript Testing - Second Edition Rating: 0 out of 5 stars0 ratingsTest-Driven JavaScript Development Rating: 0 out of 5 stars0 ratingsNode.js in Practice Rating: 0 out of 5 stars0 ratingsReact Design Patterns and Best Practices Rating: 0 out of 5 stars0 ratingsBuilding Microservices with .NET Core Rating: 1 out of 5 stars1/5Concurrency in .NET: Modern patterns of concurrent and parallel programming Rating: 0 out of 5 stars0 ratingsNode.js in Action Rating: 0 out of 5 stars0 ratingsMastering React Test-Driven Development: Build rock-solid, well-tested web apps with React, Redux and GraphQL Rating: 0 out of 5 stars0 ratingsASP.NET Core 3 and React: Hands-On full stack web development using ASP.NET Core, React, and TypeScript 3 Rating: 0 out of 5 stars0 ratingsReact Hooks in Action: With Suspense and Concurrent Mode Rating: 5 out of 5 stars5/5WebRTC Blueprints Rating: 0 out of 5 stars0 ratingsGetting MEAN with Mongo, Express, Angular, and Node Rating: 5 out of 5 stars5/5
Internet & Web For You
Coding For Dummies Rating: 5 out of 5 stars5/5Social Engineering: The Science of Human Hacking Rating: 3 out of 5 stars3/5How to Disappear and Live Off the Grid: A CIA Insider's Guide Rating: 0 out of 5 stars0 ratingsNo Place to Hide: Edward Snowden, the NSA, and the U.S. Surveillance State Rating: 4 out of 5 stars4/5How to Be Invisible: Protect Your Home, Your Children, Your Assets, and Your Life Rating: 4 out of 5 stars4/5Everybody Lies: Big Data, New Data, and What the Internet Can Tell Us About Who We Really Are Rating: 4 out of 5 stars4/5Six Figure Blogging Blueprint Rating: 5 out of 5 stars5/5How To Start A Profitable Authority Blog In Under One Hour Rating: 5 out of 5 stars5/5Coding All-in-One For Dummies Rating: 4 out of 5 stars4/5Podcasting For Dummies Rating: 4 out of 5 stars4/5The Hacker Crackdown: Law and Disorder on the Electronic Frontier Rating: 4 out of 5 stars4/5Grokking Algorithms: An illustrated guide for programmers and other curious people Rating: 4 out of 5 stars4/5Cybersecurity For Dummies Rating: 4 out of 5 stars4/5The Beginner's Affiliate Marketing Blueprint Rating: 4 out of 5 stars4/5How To Make Money Blogging: How I Replaced My Day-Job With My Blog and How You Can Start A Blog Today Rating: 4 out of 5 stars4/5Get Rich or Lie Trying: Ambition and Deceit in the New Influencer Economy Rating: 0 out of 5 stars0 ratingsHacking : The Ultimate Comprehensive Step-By-Step Guide to the Basics of Ethical Hacking Rating: 5 out of 5 stars5/5How To Start A Podcast Rating: 4 out of 5 stars4/5Python QuickStart Guide: The Simplified Beginner's Guide to Python Programming Using Hands-On Projects and Real-World Applications Rating: 0 out of 5 stars0 ratingsWireless Hacking 101 Rating: 4 out of 5 stars4/5Six Figure Blogging In 3 Months Rating: 4 out of 5 stars4/5The $1,000,000 Web Designer Guide: A Practical Guide for Wealth and Freedom as an Online Freelancer Rating: 5 out of 5 stars5/5The Logo Brainstorm Book: A Comprehensive Guide for Exploring Design Directions Rating: 4 out of 5 stars4/5The Gothic Novel Collection Rating: 5 out of 5 stars5/5Tube Ritual: Jumpstart Your Journey to 5000 YouTube Subscribers Rating: 0 out of 5 stars0 ratingsThe Mega Box: The Ultimate Guide to the Best Free Resources on the Internet Rating: 4 out of 5 stars4/5The Digital Marketing Handbook: A Step-By-Step Guide to Creating Websites That Sell Rating: 5 out of 5 stars5/5Remote/WebCam Notarization <<Extended>> Commonwealth of Virginia Rating: 0 out of 5 stars0 ratings
Reviews for CORS Essentials
0 ratings0 reviews
Book preview
CORS Essentials - Randall Goya
Table of Contents
CORS Essentials
Credits
About the Authors
www.PacktPub.com
eBooks, discount offers, and more
Why subscribe?
Customer Feedback
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Errata
Piracy
Questions
1. Why You Need CORS
The same-origin policy
Considering the origin of entities
Internet Explorer exception policy
Commonly allowed cross-origin resource sharing
DOM elements allowed for cross-origin sharing
Allowing cross-origin sharing in WebSockets
Limited cross-origin JavaScript API access
Permissions required by JavaScript
JavaScript data storage access is strictly limited by origin
How CORS works – the header and the request
The CORS header
Example 1 – CORS request with JavaScript
Passing a request to a utility function
Example 2: the CORS transaction to retrieve the title tag
Distributing DOM elements to multiple domains
Putting it all together
Securing when all domains are whitelisted
Methods to add security when a CORS header whitelists all domains
Simple CORS request methods
CORS with Preflight
Triggering a preflight by setting a custom header
The preflight request
The preflight response
CORS via jQuery
Known issues with CORS preflight
Preflight in Firefox
Preflight in Chrome
Preflight in Internet Explorer
Non-simple CORS request methods and headers require preflight
Checking for the withCredentials property
Troubleshooting and debugging CORS
Browser support for crossorigin attribute in the
CORS with jQuery
jQuery CORS AJAX plugin
Enabling CORS globally with server configuration
Alternatives to CORS
Example of JSON-P
Using JSON-P – limitations and risks
Proposed JSON-P validation standard
WebSocket
WebSocket handshakes
WebSocket and cross-domain resource sharing
Risks of using WebSocket for cross-domain resource sharing
The window.postMessage method
postMessage risks and security measures
Summary
2. Creating Proxies for CORS
Proxies and the World Wide Web
What is a proxy server?
Reasons to use a proxy
Avoid mixing up protocols
Some API platforms require proxies or CORS
Getting through a local network firewall
Types of proxy server
Creating a proxy server with Google App Engine
Reverse proxy server
Reverse proxy server with Apache VirtualHost and .htaccess
Reverse proxy server in node.js
Summary
3. Usability and Security
CORS usability
Browser support for CORS
Detecting AJAX support in the browser
Using preflight for non-simple CORS requests
The HTTP request headers
HTTP response headers
Enhancing security in CORS
Limiting access when using the Access-Control-Allow-Origin, * wildcard
Trusting the HTTP_ORIGIN header is not recommended
Requests with credentials
CORS security cheat sheet by OWASP
Summary
4. CORS in Popular Content Management Frameworks
Incoming CORS requests
SAAS or self-hosted?
CORS in WordPress
Limited support for CORS in SAAS WordPress.com
Unauthenticated GET requests to WordPress.com
Authenticated requests to WordPress.com
CORS in self-hosted WordPress
Adding the Access-Control-Allow-Origin header in a template
WordPress plugins for CORS
WP-CORS plugin for WordPress
Allow CORS XML-RPC plugin for WordPress
CORS in Drupal
Enabling CORS in Drupal with custom code
Using the drupal_add_http_header function
Adding CORS support with .htaccess
Adding the CORS headers with custom code
Drupal contributed modules for CORS
Drupal CORS module
Drupal CDN module
Drupal Amazon S3 CORS upload module
CORS in Drupal 8 core
CORS in Joomla!
setHeader in JApplication web
matware-libraries on GitHub
Allowing CORS in the .htaccess file
CORS in Adobe Experience Manager
The com.adobe.cq.social.commons.cors package
Methods in the CORSAuthenticationFilter class
Methods In the CORSConfig class
Methods in the CORSAuthInfoPostProcessor class
Adding CORS headers in Scene 7 with a ruleset
Configuring the Sling Referrer Filter in the CRX Console
Summary
5. CORS in Windows
Incoming CORS requests
How to set the Access-Control-Allow-Origin header globally in Windows IIS Server
Setting CORS headers globally with web.config for IIS7 Server
Setting CORS headers globally with IIS manager for IIS 8.5 and higher
CORS in the ASP.NET Web API
Enabling CORS in the ASP.NET Web API
Installing the Web API Cross-Origin Support Package
Enabling the CorsMessageHandler
The EnableCorsAttribute class sets the CORS policies
Configuring the EnableCors class attributes in the ASP.NET Web API
Example: setting CORS policy for HTTP methods GET, PUT, and POST
Setting CORS policy with wildcards
Example: Setting CORS policy globally with wildcards
Example: Setting a global CORS policy with the WebApiConfig class
Disallowing CORS in classes or methods
Example: Using explicit values for HTTP methods
Example: Using the DisableCors attribute
Dynamic ASP.NET Web API CORS policies
Custom CORS policy attribute classes
Example: A custom CORS policy class
Custom policy provider factory
Registering the DynamicPolicyProviderFactory in WebApiConfig
Example: A custom CORS policy provider factory
Debugging the ASP.NET Web API Cross-Origin support framework
Server-side debugging
Client-side debugging
CORS in Windows Communication Foundation
CORS in Windows browsers – Internet Explorer and Edge
Summary
6. CORS in the Cloud
CORS requests in cloud APIs
CORS in Amazon Simple Storage Service (S3)
Scenarios for needing CORS in Amazon S3
How to enable CORS on an S3 bucket
Elements in an S3 CORSRule
AllowedOrigin element (required)
AllowedMethod element (required)
AllowedHeader element (optional, required for preflight)
MaxAgeSeconds element (optional)
ExposeHeader element (optional)
CORSConfiguration CORSRules with required elements
CORSConfiguration CORSRule with optional elements
How does Amazon S3 evaluate the CORS Configuration on a bucket?
Using CORS in Google Cloud Storage
Configuring CORS on a bucket in Google Cloud Storage
Using gsutil cors set in Google Cloud Storage
Using the XML API in Google Cloud Storage
Getting CORS configuration for a bucket with the XML API
Putting a CORSConfig on a bucket with the XML API
Troubleshooting CORS-related problems in Google Cloud Storage
Problems with headers
Problems with cached preflight requests
Problems with the resumable upload protocol
Authenticated access to Google APIs with CORS
Google API Keys
Adding the Google API client library for JavaScript
The Google API CORS request
Authenticated CORS requests to Google APIs with OAuth
Example using the Authorization request header
Example using the access_token in the URL parameter
CORS in IBM Cloudant
How to GET or PUT a CORS configuration in IBM Cloudant
How to GET a CORS Configuration
Set or Modify a CORS Configuration
Security considerations when CORS in IBM Cloudant
CORS in Windows Azure Storage
CORS usage scenarios for Windows Azure Storage
CORS for Windows Azure Blobs (file uploads)
CORS for Windows Azure Table
Preflight requests in Windows Azure
Code examples for CORS in Windows Azure
Static CORS rules in Windows Azure
Dynamically configuring CORS in Windows Azure
Enabling CORS on a Windows Azure Storage account for the blob (file) service
JavaScript code for uploading an image to a Windows Azure Storage Blob service with CORS in ASP.NET
CORS on a Windows Azure Storage account for the table service
CORS in Box API
CORS in the Dropbox API
Summary
References
7. CORS in Node.js
JavaScript frameworks are very popular
Introduction to Node.js
JavaScript frameworks that work with Node.js
Express.js is a Node.js server framework
AngularJS extends static HTML with dynamic views
Connect.js provides middleware for Node.js requests
Backbone.js often uses a Node.js server
ReactJS handles user interfaces
Socket.IO uses WebSockets for real-time, event-driven applications
Ember.js can use Node.js
CORS in Express.js
CORS npm for Express.js using Connect.js middleware
Configuration options for CORS npm
Code examples for CORS npm
Enable CORS globally for all origins and all routes
Allowing CORS for dynamic origins for a specific route
Enabling CORS preflight
Configuring CORS asynchronously
CORS in AngularJS
Enabling CORS in AngularJS
Making a CORS request in AngularJS
CORS in Backbone.js
Using Backbone.CrossDomain to modify Backbone.sync
How to proxy Backbone.sync for cross-domain requests
jQuery Ajax needs to use the XHR Header
Ember.js also relies on CORS-enabled jQuery AJAX
Socket.IO manages origins for security
Node.js and JavaScript frameworks are evolving rapidly
Summary
References
8. CORS Best Practices
Enabling API to public CORS requests
Limiting API to allow CORS requests to a whitelisted set of origins
Protecting against cross-site request forgery (CSRF)
Minimizing preflight requests
Summary
Index
CORS Essentials
CORS Essentials
Copyright © 2017 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
First published: May 2017
Production reference: 1220517
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham B3 2PB, UK.
ISBN 978-1-78439-377-9
www.packtpub.com
Credits
Authors
Rajesh Gunasundaram
Randall Goya
Commissioning Editor
Wilson D'souza
Acquisition Editor
Tushar Gupta
Content Development Editor
Aishwarya Pandere
Technical Editor
Dharmendra Yadav
Copy Editor
Manisha Sinha
Project Coordinator
Nidhi Joshi
Proofreader
Safis Editing
Indexer
Mariammal Chettiyar
Graphics
Tania Dutta
Production Coordinator
Shraddha Falebhai
Cover Work
Shraddha Falebhai
About the Authors
Rajesh Gunasundaram is a software architect, technical writer, and blogger. He has over 15 years of experience in the IT industry, with more than 10 years using Microsoft .NET, 2 years of BizTalk Server, and a year of iOS application development.
Rajesh is a founder and editor of technical blogs and , where you can find many of his technical writings on .NET and iOS.
Rajesh is also the founder and developer of a web product, a platform that analyses YouTube videos and channels.
Rajesh has also written a book ASP.NET Web API Security Essentials, for Packt Publishing.
Rajesh holds a masters degree in Computer Application and began his career as a software engineer in 2002. He worked on client premises located in various countries, such