As was recently and nerdily mentioned on Connection Café, I’ve been working with the world-class engineering team at Convio to implement support for Cross-Origin Resource Sharing (CORS) in the new release of our API. Despite having been around since Firefox 3.5 (and, like, Chrome 2.0), CORS has received little attention from the web development community at large. In my opinion, it is the most revolutionary and exciting change to the Internet in a long while, and deserves much more fanfare than things like, say, box-shadow.
So what is this “CORS” thing anyway?
At a super high level, CORS changes one of the fundamental (and annoying) rules of the web, the same origin policy, allowing domaina.com to share information with domainb.com. The same origin policy was put in place to prevent would-be hackers from reading personal information about you from the websites you frequent. Were it not for the same origin policy, I could easily embed some code on the page you’re viewing right now to steal your deets from, say, Amazon.com. While it’s obviously a really good thing that I can’t do that, this long-standing rule-with-no-exceptions is unbelievably frustrating for those of us who build web applications. It’s 2012; a lot has changed since the same origin policy was introduced in Netscape 2.0. There are plenty of completely legit reasons to need to share information across multiple domains. Thankfully, CORS now allows for doing exactly that. To use my previous example, if Amazon.com wants me to be able to read some (not-so-personal) information from its website, all it has to do is simply return a response header, Access-Control-Allow-Origin, indicating that my domain is allowed in.
Try it out!
If you examine the HTTP request to that little Kjonaas API I created, you’ll see the following header included in the response:
Access-Control-Allow-Origin: *
This is CORS in its most basic form — because I don’t need to worry about who can access the information this API returns, I’ve indicated that any domain that wants to is allowed to retrieve the XML. If I did want to restrict access to the API to, say, my wife’s website, I’d just need to return a more explicit header:
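As an added example (not code from this post, nor from Convio's API), here is the server-side decision those two headers encode, written for Node.js: the open “*” answer for public data, and an exact-match allow-list for a restricted API. The origin strings and the allow-list are constructed placeholders.

```javascript
// Added example: compute the CORS response headers for one request, given the
// request's Origin header and a policy.
//  - "public": anyone may read the response, so answer with "*".
//  - "allowlist": only exact, listed origins are admitted; the header echoes that
//    one origin (browsers compare it literally) and Vary: Origin stops a shared
//    cache from handing one origin's answer to another.
// Origins below are constructed for illustration.

function corsHeaders(requestOrigin, policy) {
  const headers = {};
  if (policy.mode === "public") {
    // "*" cannot be paired with credentials; browsers reject that combination,
    // so a public policy never sets Access-Control-Allow-Credentials.
    headers["Access-Control-Allow-Origin"] = "*";
    return headers;
  }
  // Exact string match: scheme, host and port all count, prefix/suffix lookalikes
  // do not match, and a missing or "null" Origin is never admitted.
  if (typeof requestOrigin === "string" && policy.allowed.includes(requestOrigin)) {
    headers["Access-Control-Allow-Origin"] = requestOrigin;
    headers["Vary"] = "Origin";
    if (policy.credentials) {
      headers["Access-Control-Allow-Credentials"] = "true";
    }
  }
  // Otherwise no CORS headers at all: the browser withholds the body from the page.
  return headers;
}

// Constructed policies: a public API and one restricted to a single site.
const PUBLIC = { mode: "public" };
const WIFE_ONLY = {
  mode: "allowlist",
  allowed: ["https://example-wife-site.test"],
  credentials: false,
};

console.log(corsHeaders("https://anything.test", PUBLIC));
console.log(corsHeaders("https://example-wife-site.test", WIFE_ONLY));
console.log(corsHeaders("https://example-wife-site.test.evil.test", WIFE_ONLY));
```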
If it’s not clear to you yet, I’m in love with CORS.
But it’s not all rainbows and unicorns, not yet at least.
if statement. As is so often the case, Microsoft decided to go with its own implementation of CORS rather than the standard adopted by its peers. To take advantage of CORS in IE, web developers must use the proprietary XDomainRequest object. Fortunately, IE10 preview indicates that Microsoft may have seen the error of its ways, and will support the standard XMLHttpRequest going forward.
XMLHttpRequest, Microsoft will also ditch Same Scheme. It’s hard to tell if that is the case or not, given that IE10 preview is only available for Windows 8.
Microsoft issues aside, start using CORS!
If you’re a developer, I strongly encourage you to evangelize for CORS at your company every opportunity you get. It’s surprisingly simple to implement, especially given how long it’s taken the Internet to come around to the idea that cross-domain resource sharing is ubiquitous, and not just for people with .ro email addresses hawking cheap Viagra.