CORS: Cross-Origin Resource Sharing relaxes the browser's same-origin policy in a controlled way, using response headers to declare which origins may read responses from a server.
When does the browser send a preflight OPTIONS request?
Preflight: before a non-simple cross-origin request, the browser sends an OPTIONS request asking if the actual request is permitted. The server must respond with appropriate Access-Control-Allow-* headers.
Which response header specifies which origins are permitted?
Access-Control-Allow-Origin: names the allowed origin (or * for any). The browser blocks the page from reading the response if the requesting origin is not permitted by this header.
What is required to send cookies/credentials on a cross-origin request?
Credentials: for credentialed requests the server must send Access-Control-Allow-Credentials: true and echo the exact requesting origin in Access-Control-Allow-Origin; the wildcard * is rejected by the browser for credentialed requests, since it would otherwise let any site read authenticated responses.
A common misconception is that CORS protects the server. What does it actually do?
CORS is browser-enforced: it does not stop a request from reaching the server (non-browser clients ignore it). It prevents malicious sites from reading responses in a victim's browser; server-side authorization is still required.