CORS Essentials
By Randall Goya and Gunasundaram Rajesh
()
About this ebook
- A step-by-step guide but at a high level/fast pace. Not all steps are covered as a basic knowledge is assumed
- Provides a basic overview of the concepts but the focus is on providing the practical skills required to develop applications
- Focuses on providing practical examples
Web developers have been limited by the Same Origin Policy and often wish they could spread their application across different domains. You know JavaScript and AJAX, and have run up against the Same Domain Policy, which is limiting your applications.
Related to CORS Essentials
Related ebooks
CORS in Action: Creating and consuming cross-origin APIs Rating: 0 out of 5 stars0 ratingsNode.js Design Patterns - Second Edition Rating: 4 out of 5 stars4/5Node.js Web Development - Third Edition Rating: 2 out of 5 stars2/5WebRTC Integrator's Guide Rating: 5 out of 5 stars5/5Web Application Development with MEAN Rating: 0 out of 5 stars0 ratingsSpring MVC: Designing Real-World Web Applications Rating: 0 out of 5 stars0 ratingsNode.js Design Patterns Rating: 4 out of 5 stars4/5Mastering JavaScript Single Page Application Development Rating: 0 out of 5 stars0 ratingsRESTful Java Web Services - Second Edition Rating: 0 out of 5 stars0 ratingsTypeScript: Modern JavaScript Development Rating: 0 out of 5 stars0 ratingsSonar Code Quality Testing Essentials Rating: 0 out of 5 stars0 ratingsMastering React Test-Driven Development: Build rock-solid, well-tested web apps with React, Redux and GraphQL Rating: 0 out of 5 stars0 ratingsRedux in Action Rating: 0 out of 5 stars0 ratingsTest-Driven JavaScript Development Rating: 0 out of 5 stars0 ratingsExpress in Action: Writing, building, and testing Node.js applications Rating: 4 out of 5 stars4/5Isomorphic Web Applications: Universal Development with React Rating: 0 out of 5 stars0 ratingsBuilding Scalable Apps with Redis and Node.js Rating: 0 out of 5 stars0 ratingsASP.NET Core 3 and React: Hands-On full stack web development using ASP.NET Core, React, and TypeScript 3 Rating: 0 out of 5 stars0 ratingsGetting MEAN with Mongo, Express, Angular, and Node Rating: 5 out of 5 stars5/5React Hooks in Action: With Suspense and Concurrent Mode Rating: 5 out of 5 stars5/5Node.js in Practice Rating: 0 out of 5 stars0 ratingsReact Design Patterns and Best Practices Rating: 0 out of 5 stars0 ratingsLearning RabbitMQ with C#: A magical tool for the IT world Rating: 0 out of 5 stars0 ratingsReact Components Rating: 0 out of 5 stars0 ratingsLearning Vue.js 2 Rating: 0 out of 5 stars0 ratingsNode.js By Example Rating: 2 out of 5 stars2/5Hands-on React Native Rating: 1 out of 5 stars1/5Deploying Node.js Rating: 5 out of 5 stars5/5Getting Started with React Rating: 0 out of 5 stars0 ratings
Internet & Web For You
The Digital Marketing Handbook: A Step-By-Step Guide to Creating Websites That Sell Rating: 5 out of 5 stars5/5Beginner's Guide To Starting An Etsy Print-On-Demand Shop Rating: 0 out of 5 stars0 ratingsCybersecurity For Dummies Rating: 4 out of 5 stars4/5More Porn - Faster!: 50 Tips & Tools for Faster and More Efficient Porn Browsing Rating: 3 out of 5 stars3/5Coding For Dummies Rating: 5 out of 5 stars5/5The Logo Brainstorm Book: A Comprehensive Guide for Exploring Design Directions Rating: 4 out of 5 stars4/5The Designer's Web Handbook: What You Need to Know to Create for the Web Rating: 0 out of 5 stars0 ratingsThe Beginner's Affiliate Marketing Blueprint Rating: 4 out of 5 stars4/5Coding All-in-One For Dummies Rating: 4 out of 5 stars4/5Grokking Algorithms: An illustrated guide for programmers and other curious people Rating: 4 out of 5 stars4/5Wireless Hacking 101 Rating: 4 out of 5 stars4/5The $1,000,000 Web Designer Guide: A Practical Guide for Wealth and Freedom as an Online Freelancer Rating: 5 out of 5 stars5/5The Mega Box: The Ultimate Guide to the Best Free Resources on the Internet Rating: 4 out of 5 stars4/5Hacking : The Ultimate Comprehensive Step-By-Step Guide to the Basics of Ethical Hacking Rating: 5 out of 5 stars5/5Six Figure Blogging In 3 Months Rating: 4 out of 5 stars4/5Remote/WebCam Notarization : Basic Understanding Rating: 3 out of 5 stars3/5SEO For Dummies Rating: 4 out of 5 stars4/5Wordpress for Beginners: The Easy Step-by-Step Guide to Creating a Website with WordPress Rating: 5 out of 5 stars5/5C++ Learn in 24 Hours Rating: 0 out of 5 stars0 ratingsTor and the Dark Art of Anonymity Rating: 5 out of 5 stars5/5Social Engineering: The Science of Human Hacking Rating: 3 out of 5 stars3/5From Nothing Rating: 5 out of 5 stars5/5How to Disappear and Live Off the Grid: A CIA Insider's Guide Rating: 0 out of 5 stars0 ratingsStop Asking Questions: How to Lead High-Impact Interviews and Learn Anything from Anyone Rating: 5 out of 5 stars5/5Get Rich or Lie Trying: Ambition and Deceit in the New Influencer Economy Rating: 0 out of 5 stars0 ratingsSix Figure Blogging Blueprint Rating: 5 out of 5 stars5/5Mike Meyers' CompTIA Security+ Certification Guide, Third Edition (Exam SY0-601) Rating: 5 out of 5 stars5/5How To Start A Podcast Rating: 4 out of 5 stars4/5
Reviews for CORS Essentials
0 ratings0 reviews
Book preview
CORS Essentials - Randall Goya
Table of Contents
CORS Essentials
Credits
About the Authors
www.PacktPub.com
eBooks, discount offers, and more
Why subscribe?
Customer Feedback
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Errata
Piracy
Questions
1. Why You Need CORS
The same-origin policy
Considering the origin of entities
Internet Explorer exception policy
Commonly allowed cross-origin resource sharing
DOM elements allowed for cross-origin sharing
Allowing cross-origin sharing in WebSockets
Limited cross-origin JavaScript API access
Permissions required by JavaScript
JavaScript data storage access is strictly limited by origin
How CORS works – the header and the request
The CORS header
Example 1 – CORS request with JavaScript
Passing a request to a utility function
Example 2: the CORS transaction to retrieve the title tag
Distributing DOM elements to multiple domains
Putting it all together
Securing when all domains are whitelisted
Methods to add security when a CORS header whitelists all domains
Simple CORS request methods
CORS with Preflight
Triggering a preflight by setting a custom header
The preflight request
The preflight response
CORS via jQuery
Known issues with CORS preflight
Preflight in Firefox
Preflight in Chrome
Preflight in Internet Explorer
Non-simple CORS request methods and headers require preflight
Checking for the withCredentials property
Troubleshooting and debugging CORS
Browser support for crossorigin attribute in the
CORS with jQuery
jQuery CORS AJAX plugin
Enabling CORS globally with server configuration
Alternatives to CORS
Example of JSON-P
Using JSON-P – limitations and risks
Proposed JSON-P validation standard
WebSocket
WebSocket handshakes
WebSocket and cross-domain resource sharing
Risks of using WebSocket for cross-domain resource sharing
The window.postMessage method
postMessage risks and security measures
Summary
2. Creating Proxies for CORS
Proxies and the World Wide Web
What is a proxy server?
Reasons to use a proxy
Avoid mixing up protocols
Some API platforms require proxies or CORS
Getting through a local network firewall
Types of proxy server
Creating a proxy server with Google App Engine
Reverse proxy server
Reverse proxy server with Apache VirtualHost and .htaccess
Reverse proxy server in node.js
Summary
3. Usability and Security
CORS usability
Browser support for CORS
Detecting AJAX support in the browser
Using preflight for non-simple CORS requests
The HTTP request headers
HTTP response headers
Enhancing security in CORS
Limiting access when using the Access-Control-Allow-Origin, * wildcard
Trusting the HTTP_ORIGIN header is not recommended
Requests with credentials
CORS security cheat sheet by OWASP
Summary
4. CORS in Popular Content Management Frameworks
Incoming CORS requests
SAAS or self-hosted?
CORS in WordPress
Limited support for CORS in SAAS WordPress.com
Unauthenticated GET requests to WordPress.com
Authenticated requests to WordPress.com
CORS in self-hosted WordPress
Adding the Access-Control-Allow-Origin header in a template
WordPress plugins for CORS
WP-CORS plugin for WordPress
Allow CORS XML-RPC plugin for WordPress
CORS in Drupal
Enabling CORS in Drupal with custom code
Using the drupal_add_http_header function
Adding CORS support with .htaccess
Adding the CORS headers with custom code
Drupal contributed modules for CORS
Drupal CORS module
Drupal CDN module
Drupal Amazon S3 CORS upload module
CORS in Drupal 8 core
CORS in Joomla!
setHeader in JApplication web
matware-libraries on GitHub
Allowing CORS in the .htaccess file
CORS in Adobe Experience Manager
The com.adobe.cq.social.commons.cors package
Methods in the CORSAuthenticationFilter class
Methods In the CORSConfig class
Methods in the CORSAuthInfoPostProcessor class
Adding CORS headers in Scene 7 with a ruleset
Configuring the Sling Referrer Filter in the CRX Console
Summary
5. CORS in Windows
Incoming CORS requests
How to set the Access-Control-Allow-Origin header globally in Windows IIS Server
Setting CORS headers globally with web.config for IIS7 Server
Setting CORS headers globally with IIS manager for IIS 8.5 and higher
CORS in the ASP.NET Web API
Enabling CORS in the ASP.NET Web API
Installing the Web API Cross-Origin Support Package
Enabling the CorsMessageHandler
The EnableCorsAttribute class sets the CORS policies
Configuring the EnableCors class attributes in the ASP.NET Web API
Example: setting CORS policy for HTTP methods GET, PUT, and POST
Setting CORS policy with wildcards
Example: Setting CORS policy globally with wildcards
Example: Setting a global CORS policy with the WebApiConfig class
Disallowing CORS in classes or methods
Example: Using explicit values for HTTP methods
Example: Using the DisableCors attribute
Dynamic ASP.NET Web API CORS policies
Custom CORS policy attribute classes
Example: A custom CORS policy class
Custom policy provider factory
Registering the DynamicPolicyProviderFactory in WebApiConfig
Example: A custom CORS policy provider factory
Debugging the ASP.NET Web API Cross-Origin support framework
Server-side debugging
Client-side debugging
CORS in Windows Communication Foundation
CORS in Windows browsers – Internet Explorer and Edge
Summary
6. CORS in the Cloud
CORS requests in cloud APIs
CORS in Amazon Simple Storage Service (S3)
Scenarios for needing CORS in Amazon S3
How to enable CORS on an S3 bucket
Elements in an S3 CORSRule
AllowedOrigin element (required)
AllowedMethod element (required)
AllowedHeader element (optional, required for preflight)
MaxAgeSeconds element (optional)
ExposeHeader element (optional)
CORSConfiguration CORSRules with required elements
CORSConfiguration CORSRule with optional elements
How does Amazon S3 evaluate the CORS Configuration on a bucket?
Using CORS in Google Cloud Storage
Configuring CORS on a bucket in Google Cloud Storage
Using gsutil cors set in Google Cloud Storage
Using the XML API in Google Cloud Storage
Getting CORS configuration for a bucket with the XML API
Putting a CORSConfig on a bucket with the XML API
Troubleshooting CORS-related problems in Google Cloud Storage
Problems with headers
Problems with cached preflight requests
Problems with the resumable upload protocol
Authenticated access to Google APIs with CORS
Google API Keys
Adding the Google API client library for JavaScript
The Google API CORS request
Authenticated CORS requests to Google APIs with OAuth
Example using the Authorization request header
Example using the access_token in the URL parameter
CORS in IBM Cloudant
How to GET or PUT a CORS configuration in IBM Cloudant
How to GET a CORS Configuration
Set or Modify a CORS Configuration
Security considerations when CORS in IBM Cloudant
CORS in Windows Azure Storage
CORS usage scenarios for Windows Azure Storage
CORS for Windows Azure Blobs (file uploads)
CORS for Windows Azure Table
Preflight requests in Windows Azure
Code examples for CORS in Windows Azure
Static CORS rules in Windows Azure
Dynamically configuring CORS in Windows Azure
Enabling CORS on a Windows Azure Storage account for the blob (file) service
JavaScript code for uploading an image to a Windows Azure Storage Blob service with CORS in ASP.NET
CORS on a Windows Azure Storage account for the table service
CORS in Box API
CORS in the Dropbox API
Summary
References
7. CORS in Node.js
JavaScript frameworks are very popular
Introduction to Node.js
JavaScript frameworks that work with Node.js
Express.js is a Node.js server framework
AngularJS extends static HTML with dynamic views
Connect.js provides middleware for Node.js requests
Backbone.js often uses a Node.js server
ReactJS handles user interfaces
Socket.IO uses WebSockets for real-time, event-driven applications
Ember.js can use Node.js
CORS in Express.js
CORS npm for Express.js using Connect.js middleware
Configuration options for CORS npm
Code examples for CORS npm
Enable CORS globally for all origins and all routes
Allowing CORS for dynamic origins for a specific route
Enabling CORS preflight
Configuring CORS asynchronously
CORS in AngularJS
Enabling CORS in AngularJS
Making a CORS request in AngularJS
CORS in Backbone.js
Using Backbone.CrossDomain to modify Backbone.sync
How to proxy Backbone.sync for cross-domain requests
jQuery Ajax needs to use the XHR Header
Ember.js also relies on CORS-enabled jQuery AJAX
Socket.IO manages origins for security
Node.js and JavaScript frameworks are evolving rapidly
Summary
References
8. CORS Best Practices
Enabling API to public CORS requests
Limiting API to allow CORS requests to a whitelisted set of origins
Protecting against cross-site request forgery (CSRF)
Minimizing preflight requests
Summary
Index
CORS Essentials
CORS Essentials
Copyright © 2017 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
First published: May 2017
Production reference: 1220517
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham B3 2PB, UK.
ISBN 978-1-78439-377-9
www.packtpub.com
Credits
Authors
Rajesh Gunasundaram
Randall Goya
Commissioning Editor
Wilson D'souza
Acquisition Editor
Tushar Gupta
Content Development Editor
Aishwarya Pandere
Technical Editor
Dharmendra Yadav
Copy Editor
Manisha Sinha
Project Coordinator
Nidhi Joshi
Proofreader
Safis Editing
Indexer
Mariammal Chettiyar
Graphics
Tania Dutta
Production Coordinator
Shraddha Falebhai
Cover Work
Shraddha Falebhai
About the Authors
Rajesh Gunasundaram is a software architect, technical writer, and blogger. He has over 15 years of experience in the IT industry, with more than 10 years using Microsoft .NET, 2 years of BizTalk Server, and a year of iOS application development.
Rajesh is a founder and editor of technical blogs and , where you can find many of his technical writings on .NET and iOS.
Rajesh is also the founder and developer of a web product, a platform that analyses YouTube videos and channels.
Rajesh has also written a book ASP.NET Web API Security Essentials, for Packt Publishing.
Rajesh holds a masters degree in Computer Application and began his career as a software engineer in 2002. He worked on client premises located in various countries, such