Relaxing the same origin security policy using CORS
Modern web browsers support multiple tabs so users can visit multiple websites at the same time efficiently. If code executing in one tab could access resources in another tab, then that could be a vector of attack.
All web browsers implement a security feature called the same origin policy. This means that only requests that come from the same origin are allowed. For example, if a block of JavaScript is served from the same origin that hosts a web service or served an <iframe>, then that JavaScript can call the service and access the data in the <iframe>. If a request is made from a different origin, then the request fails. But what counts as the "same origin?"
An origin is defined by:
- Scheme aka protocol, for example,
httporhttps. - Port, for example,
801or5081. The default port forhttpis80and forhttpsis443. - Host/domain/subdomain, for example,
www.example.com,www.example.net,example.com.
If the origin...
