
CORS Essentials
Ebook, 365 pages, about 1 hour


About This Book
  • A step-by-step guide, but at a high level and a fast pace; not every step is covered, as basic knowledge is assumed
  • Provides a basic overview of the concepts, but the focus is on the practical skills required to develop applications
  • Focuses on practical examples
Who This Book Is For

Web developers have been limited by the Same Origin Policy and often wish they could spread their application across different domains. If you know JavaScript and AJAX and have run up against the Same Origin Policy limiting your applications, this book is for you.

Language: English
Release date: May 30, 2017
ISBN: 9781784391119


    Book preview

    CORS Essentials - Randall Goya

    Table of Contents

    CORS Essentials

    Credits

    About the Authors

    www.PacktPub.com

    eBooks, discount offers, and more

    Why subscribe?

    Customer Feedback

    Preface

    What this book covers

    What you need for this book

    Who this book is for

    Conventions

    Reader feedback

    Customer support

    Errata

    Piracy

    Questions

    1. Why You Need CORS

    The same-origin policy

    Considering the origin of entities

    Internet Explorer exception policy

    Commonly allowed cross-origin resource sharing

    DOM elements allowed for cross-origin sharing

    Allowing cross-origin sharing in WebSockets

    Limited cross-origin JavaScript API access

    Permissions required by JavaScript

    JavaScript data storage access is strictly limited by origin

    How CORS works – the header and the request

    The CORS header

    Example 1 – CORS request with JavaScript

    Passing a request to a utility function

    Example 2: the CORS transaction to retrieve the title tag

    Distributing DOM elements to multiple domains

    Putting it all together

    Securing when all domains are whitelisted

    Methods to add security when a CORS header whitelists all domains

    Simple CORS request methods

    CORS with Preflight

    Triggering a preflight by setting a custom header

    The preflight request

    The preflight response

    CORS via jQuery

    Known issues with CORS preflight

    Preflight in Firefox

    Preflight in Chrome

    Preflight in Internet Explorer

    Non-simple CORS request methods and headers require preflight

    Checking for the withCredentials property

    Troubleshooting and debugging CORS

    Browser support for crossorigin attribute in the

    CORS with jQuery

    jQuery CORS AJAX plugin

    Enabling CORS globally with server configuration

    Alternatives to CORS

    Example of JSON-P

    Using JSON-P – limitations and risks

    Proposed JSON-P validation standard

    WebSocket

    WebSocket handshakes

    WebSocket and cross-domain resource sharing

    Risks of using WebSocket for cross-domain resource sharing

    The window.postMessage method

    postMessage risks and security measures

    Summary

    2. Creating Proxies for CORS

    Proxies and the World Wide Web

    What is a proxy server?

    Reasons to use a proxy

    Avoid mixing up protocols

    Some API platforms require proxies or CORS

    Getting through a local network firewall

    Types of proxy server

    Creating a proxy server with Google App Engine

    Reverse proxy server

    Reverse proxy server with Apache VirtualHost and .htaccess

    Reverse proxy server in node.js

    Summary

    3. Usability and Security

    CORS usability

    Browser support for CORS

    Detecting AJAX support in the browser

    Using preflight for non-simple CORS requests

    The HTTP request headers

    HTTP response headers

    Enhancing security in CORS

    Limiting access when using the Access-Control-Allow-Origin: * wildcard

    Trusting the HTTP_ORIGIN header is not recommended

    Requests with credentials

    CORS security cheat sheet by OWASP

    Summary

    4. CORS in Popular Content Management Frameworks

    Incoming CORS requests

    SAAS or self-hosted?

    CORS in WordPress

    Limited support for CORS in SAAS WordPress.com

    Unauthenticated GET requests to WordPress.com

    Authenticated requests to WordPress.com

    CORS in self-hosted WordPress

    Adding the Access-Control-Allow-Origin header in a template

    WordPress plugins for CORS

    WP-CORS plugin for WordPress

    Allow CORS XML-RPC plugin for WordPress

    CORS in Drupal

    Enabling CORS in Drupal with custom code

    Using the drupal_add_http_header function

    Adding CORS support with .htaccess

    Adding the CORS headers with custom code

    Drupal contributed modules for CORS

    Drupal CORS module

    Drupal CDN module

    Drupal Amazon S3 CORS upload module

    CORS in Drupal 8 core

    CORS in Joomla!

    setHeader in JApplication web

    matware-libraries on GitHub

    Allowing CORS in the .htaccess file

    CORS in Adobe Experience Manager

    The com.adobe.cq.social.commons.cors package

    Methods in the CORSAuthenticationFilter class

    Methods in the CORSConfig class

    Methods in the CORSAuthInfoPostProcessor class

    Adding CORS headers in Scene 7 with a ruleset

    Configuring the Sling Referrer Filter in the CRX Console

    Summary

    5. CORS in Windows

    Incoming CORS requests

    How to set the Access-Control-Allow-Origin header globally in Windows IIS Server

    Setting CORS headers globally with web.config for IIS7 Server

    Setting CORS headers globally with IIS manager for IIS 8.5 and higher

    CORS in the ASP.NET Web API

    Enabling CORS in the ASP.NET Web API

    Installing the Web API Cross-Origin Support Package

    Enabling the CorsMessageHandler

    The EnableCorsAttribute class sets the CORS policies

    Configuring the EnableCors class attributes in the ASP.NET Web API

    Example: setting CORS policy for HTTP methods GET, PUT, and POST

    Setting CORS policy with wildcards

    Example: Setting CORS policy globally with wildcards

    Example: Setting a global CORS policy with the WebApiConfig class

    Disallowing CORS in classes or methods

    Example: Using explicit values for HTTP methods

    Example: Using the DisableCors attribute

    Dynamic ASP.NET Web API CORS policies

    Custom CORS policy attribute classes

    Example: A custom CORS policy class

    Custom policy provider factory

    Registering the DynamicPolicyProviderFactory in WebApiConfig

    Example: A custom CORS policy provider factory

    Debugging the ASP.NET Web API Cross-Origin support framework

    Server-side debugging

    Client-side debugging

    CORS in Windows Communication Foundation

    CORS in Windows browsers – Internet Explorer and Edge

    Summary

    6. CORS in the Cloud

    CORS requests in cloud APIs

    CORS in Amazon Simple Storage Service (S3)

    Scenarios for needing CORS in Amazon S3

    How to enable CORS on an S3 bucket

    Elements in an S3 CORSRule

    AllowedOrigin element (required)

    AllowedMethod element (required)

    AllowedHeader element (optional, required for preflight)

    MaxAgeSeconds element (optional)

    ExposeHeader element (optional)

    CORSConfiguration CORSRules with required elements

    CORSConfiguration CORSRule with optional elements

    How does Amazon S3 evaluate the CORS Configuration on a bucket?

    Using CORS in Google Cloud Storage

    Configuring CORS on a bucket in Google Cloud Storage

    Using gsutil cors set in Google Cloud Storage

    Using the XML API in Google Cloud Storage

    Getting CORS configuration for a bucket with the XML API

    Putting a CORSConfig on a bucket with the XML API

    Troubleshooting CORS-related problems in Google Cloud Storage

    Problems with headers

    Problems with cached preflight requests

    Problems with the resumable upload protocol

    Authenticated access to Google APIs with CORS

    Google API Keys

    Adding the Google API client library for JavaScript

    The Google API CORS request

    Authenticated CORS requests to Google APIs with OAuth

    Example using the Authorization request header

    Example using the access_token in the URL parameter

    CORS in IBM Cloudant

    How to GET or PUT a CORS configuration in IBM Cloudant

    How to GET a CORS Configuration

    Set or Modify a CORS Configuration

    Security considerations when using CORS in IBM Cloudant

    CORS in Windows Azure Storage

    CORS usage scenarios for Windows Azure Storage

    CORS for Windows Azure Blobs (file uploads)

    CORS for Windows Azure Table

    Preflight requests in Windows Azure

    Code examples for CORS in Windows Azure

    Static CORS rules in Windows Azure

    Dynamically configuring CORS in Windows Azure

    Enabling CORS on a Windows Azure Storage account for the blob (file) service

    JavaScript code for uploading an image to a Windows Azure Storage Blob service with CORS in ASP.NET

    CORS on a Windows Azure Storage account for the table service

    CORS in Box API

    CORS in the Dropbox API

    Summary

    References

    7. CORS in Node.js

    JavaScript frameworks are very popular

    Introduction to Node.js

    JavaScript frameworks that work with Node.js

    Express.js is a Node.js server framework

    AngularJS extends static HTML with dynamic views

    Connect.js provides middleware for Node.js requests

    Backbone.js often uses a Node.js server

    ReactJS handles user interfaces

    Socket.IO uses WebSockets for real-time, event-driven applications

    Ember.js can use Node.js

    CORS in Express.js

    CORS npm for Express.js using Connect.js middleware

    Configuration options for CORS npm

    Code examples for CORS npm

    Enable CORS globally for all origins and all routes

    Allowing CORS for dynamic origins for a specific route

    Enabling CORS preflight

    Configuring CORS asynchronously

    CORS in AngularJS

    Enabling CORS in AngularJS

    Making a CORS request in AngularJS

    CORS in Backbone.js

    Using Backbone.CrossDomain to modify Backbone.sync

    How to proxy Backbone.sync for cross-domain requests

    jQuery Ajax needs to use the XHR Header

    Ember.js also relies on CORS-enabled jQuery AJAX

    Socket.IO manages origins for security

    Node.js and JavaScript frameworks are evolving rapidly

    Summary

    References

    8. CORS Best Practices

    Enabling API to public CORS requests

    Limiting API to allow CORS requests to a whitelisted set of origins

    Protecting against cross-site request forgery (CSRF)

    Minimizing preflight requests

    Summary

    Index
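The chapter 3 and chapter 8 entries above ("Trusting the HTTP_ORIGIN header is not recommended", "Requests with credentials", "Limiting API to allow CORS requests to a whitelisted set of origins", "Minimizing preflight requests") name the server-side decisions the book covers. The following Node.js example is added here for this page and is not code from the book: it puts the unsafe reflect-the-Origin pattern beside an exact-match allowlist, answers preflight with a cacheable response, and keeps the `*` wildcard for the credential-free public case. The allowlist contents, the function names (`corsHeadersFor`, `handleRequest` and the others) and the request objects are constructed for illustration.

```javascript
'use strict';

// Constructed allowlist for this example; a real deployment loads it from config.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// The pattern "Trusting the HTTP_ORIGIN header is not recommended" warns against:
// echoing the request's Origin back unconditionally. Combined with
// Allow-Credentials: true, any site can read authenticated responses.
function reflectOriginUnsafe(origin) {
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Allowlist version. `req` is any object with `method` and lower-cased `headers`
// (the shape Node's http.IncomingMessage provides). Returns null when the request
// carries no Origin, or an origin not on the list; the caller then sends no CORS
// headers at all, so the browser refuses the cross-origin read.
function corsHeadersFor(req, allowlist = ALLOWED_ORIGINS) {
  const origin = req.headers['origin'];
  if (typeof origin !== 'string') return null;
  // Exact string comparison only: prefix, suffix or regex matches are where
  // "https://app.example.com.attacker.net" style bypasses come from, and the
  // literal "null" origin (sandboxed iframes, file:// pages) is never trusted.
  if (origin === 'null' || !allowlist.has(origin)) return null;

  const headers = {
    'Access-Control-Allow-Origin': origin,
    // Credentialed requests cannot use "*", so the allowed origin is named
    // explicitly; Vary: Origin stops a shared cache serving one origin's
    // response (and its ACAO header) to another origin.
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };

  // Preflight: OPTIONS plus Access-Control-Request-Method. Answer the method and
  // header questions and let the browser cache the answer (Max-Age) so that
  // non-simple requests do not pay an extra round trip every time.
  const isPreflight = req.method === 'OPTIONS' &&
    typeof req.headers['access-control-request-method'] === 'string';
  if (isPreflight) {
    headers['Access-Control-Allow-Methods'] = 'GET, POST, PUT, DELETE';
    headers['Access-Control-Allow-Headers'] = 'Content-Type, Authorization, X-Requested-With';
    headers['Access-Control-Max-Age'] = '600';
  }
  return headers;
}

// Public read-only API variant ("Enabling API to public CORS requests"): the
// wildcard is acceptable here precisely because no credentials are accepted.
function publicCorsHeaders() {
  return {
    'Access-Control-Allow-Origin': '*',
    'Access-Control-Allow-Methods': 'GET, HEAD, OPTIONS',
  };
}

// Glues the policy to a response description. Returns { status, headers, body }
// instead of writing to a socket so it can be tested without a network; in real
// use, call it from an http.createServer handler and copy the fields onto `res`.
function handleRequest(req) {
  const cors = corsHeadersFor(req);
  const crossOriginOptions = req.method === 'OPTIONS' && typeof req.headers['origin'] === 'string';
  if (crossOriginOptions) {
    // Preflight from a disallowed origin: 403 and no CORS headers at all.
    return cors ? { status: 204, headers: cors, body: '' }
                : { status: 403, headers: {}, body: '' };
  }
  // The resource is served either way (the request may be same-origin); the
  // CORS headers only decide whether a cross-origin script may read the result.
  return { status: 200, headers: cors || {}, body: '{"ok":true}' };
}

module.exports = { ALLOWED_ORIGINS, reflectOriginUnsafe, corsHeadersFor, publicCorsHeaders, handleRequest };
```

The check deliberately compares whole origin strings, scheme included, so `http://app.example.com` is rejected when only the `https://` origin is listed; the CSRF protection named in chapter 8 is still needed on top of this, because CORS controls who may read a response, not whether a credentialed request reaches the server.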

    CORS Essentials

    Copyright © 2017 Packt Publishing

    All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

    Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.

    Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

    First published: May 2017

    Production reference: 1220517

    Published by Packt Publishing Ltd.

    Livery Place

    35 Livery Street

    Birmingham B3 2PB, UK.

    ISBN 978-1-78439-377-9

    www.packtpub.com

    Credits

    Authors

    Rajesh Gunasundaram

    Randall Goya

    Commissioning Editor

    Wilson D'souza

    Acquisition Editor

    Tushar Gupta

    Content Development Editor

    Aishwarya Pandere

    Technical Editor

    Dharmendra Yadav

    Copy Editor

    Manisha Sinha

    Project Coordinator

    Nidhi Joshi

    Proofreader

    Safis Editing

    Indexer

    Mariammal Chettiyar

    Graphics

    Tania Dutta

    Production Coordinator

    Shraddha Falebhai

    Cover Work

    Shraddha Falebhai

    About the Authors

    Rajesh Gunasundaram is a software architect, technical writer, and blogger. He has over 15 years of experience in the IT industry, with more than 10 years using Microsoft .NET, 2 years of BizTalk Server, and a year of iOS application development.

    Rajesh is a founder and editor of technical blogs and , where you can find many of his technical writings on .NET and iOS.

    Rajesh is also the founder and developer of a web product, a platform that analyses YouTube videos and channels.

    Rajesh has also written a book ASP.NET Web API Security Essentials, for Packt Publishing.

    Rajesh holds a master's degree in Computer Application and began his career as a software engineer in 2002. He worked on client premises located in various countries, such
