Fact-checked by Grok 2 weeks ago

Cross-origin resource sharing

Cross-Origin Resource Sharing (CORS) is a mechanism that uses HTTP headers to enable web browsers to make controlled cross-origin requests, allowing servers to specify which external origins can access their resources while relaxing the same-origin policy for legitimate use cases such as APIs and embedded content. Developed as a standard to support secure web mashups and third-party integrations, CORS addresses the limitations of the same-origin policy by providing a standardized way for servers to grant or deny access based on origin, method, and headers. The specification was first published as a W3C Working Draft in May 2006, renamed in 2009, and became a W3C Recommendation in 2014, with its implementation now integrated into the Fetch Living Standard maintained by the WHATWG. CORS operates through a combination of request and response headers exchanged between the client (browser) and server. When a web page attempts to load a resource from a different origin—defined as a unique combination of scheme, host, and port—the browser includes an Origin header in the request to indicate the requesting site's origin. The server then responds with headers like Access-Control-Allow-Origin to explicitly permit the origin, or omits them to enforce the same-origin restriction, preventing unauthorized access. This process ensures that cross-origin reads are only allowed if the server opts in, mitigating risks such as data leakage in cross-site scripting attacks. Requests under CORS are classified as or preflight based on their characteristics. Simple requests, such as standard GET or operations with safe-listed headers (e.g., Accept, Content-Type limited to certain values), are sent directly without prior negotiation, but still require server approval via CORS headers in the response. Preflight requests, triggered for potentially unsafe operations like non-standard methods (e.g., PUT, DELETE) or custom headers, involve an initial OPTIONS request where the browser sends Access-Control-Request-Method and Access-Control-Request-Headers to query permissions. The server responds with Access-Control-Allow-Methods and Access-Control-Allow-Headers to approve, and the actual request proceeds only if authorized; otherwise, the browser blocks the response. Key security features of CORS include support for credentials (e.g., via Access-Control-Allow-Credentials) only when explicitly allowed, and the Access-Control-Expose-Headers header to limit which response headers the client can read. Widely supported in all major browsers since 2015, CORS is essential for modern , powering services like and content delivery networks while upholding browser-enforced security boundaries.

Fundamentals

Same-Origin Policy

The same-origin policy (SOP) is a fundamental security mechanism implemented in web browsers that restricts documents or scripts loaded from one origin from interacting with resources from a different origin. An origin is defined as the tuple of scheme (protocol, such as HTTP or HTTPS), host (domain name), and port number; for instance, http://example.com:80 and https://example.com:80 are considered different origins due to the protocol mismatch. Introduced in 2.0 in 1995 alongside 1.0, the was developed to isolate potentially malicious scripts and prevent them from accessing sensitive data, such as document structures or user session information, across different domains. This policy addressed early web security challenges as client-side scripting emerged, ensuring that content from untrusted sources could not interfere with or exfiltrate data from other sites. Under the SOP, several common actions are blocked when originating from a different domain. For example, JavaScript cannot make cross-origin requests using the XMLHttpRequest object or the Fetch API to read response data from another origin. Similarly, embedding content in an <iframe> from a different origin prevents the parent page's scripts from accessing the iframe's Window or Document objects, such as reading its DOM elements. Script execution is also restricted; a script cannot manipulate or inspect the properties of a cross-origin frame, like its location or form data, to avoid unauthorized data access. Certain resource types are exempt from full SOP restrictions to support web functionality, though with limitations on access. Images loaded via the <img> tag, scripts via the <script> tag, and stylesheets via the <link> or @import directives can be fetched cross-origin and embedded, but JavaScript cannot read their raw content or pixel data (for images). For instance, a cross-origin script executes in the context of the loading page but cannot access the DOM or other resources of its original origin. These exceptions enable practical web features like third-party ads or libraries while maintaining security boundaries. The provides a strict model, which mechanisms like Cross-Origin Resource Sharing (CORS) can selectively relax for authorized interactions.

Purpose of CORS

The (), a foundational , restricts pages from making requests to a different , , or than the one serving the page, primarily to prevent malicious scripts from accessing sensitive data across origins. This policy effectively blocks legitimate use cases, such as applications hosted on one making API calls to backend services on another , which is a standard practice in distributed architectures to separate concerns and improve . Similarly, SOP limits loading static resources like stylesheets, images, or fonts from content delivery networks (CDNs) on external domains, complicating efficient content distribution and requiring workarounds that can introduce risks or performance overhead. To mitigate these restrictions while preserving core security, Cross-Origin Resource Sharing (CORS) provides a standardized defined in the W3C recommendation. CORS enables servers to explicitly indicate, through HTTP response headers, which external origins are authorized to access their resources, allowing controlled relaxation of SOP without exposing data indiscriminately. By requiring server-side opt-in, CORS ensures that cross-origin access remains secure, as browsers enforce the policy only when the server consents via specific headers like Access-Control-Allow-Origin. The primary benefits of CORS lie in facilitating modern practices, such as secure asynchronous and XML () requests for dynamic content loading, embedding web fonts from third-party providers to enhance without tainting the page's , and enabling cross-origin access to elements for manipulation in applications like photo editors. These capabilities support richer user experiences, such as real-time data fetching from or integrating from diverse sources, all while upholding SOP's protections against unauthorized . CORS specifically governs cross-origin interactions in APIs like and the Fetch API, which are used for programmatic HTTP requests, as well as features involving Web Fonts, textures, and canvas drawImage() operations. In contrast, CORS does not restrict embedding via <script> or <img> tags, which permit cross-origin loading but impose looser rules—scripts execute freely if allowed by the server, while images can be displayed but their pixel data is often blocked from JavaScript access to prevent data leaks.

Mechanism

Simple Requests

Simple cross-origin requests in Cross-Origin Resource Sharing (CORS) are HTTP requests that meet specific criteria allowing them to be issued directly without a preliminary preflight check, facilitating straightforward access to resources from different origins. These requests are defined as those using CORS-safelisted methods and headers, which align with common, low-risk operations in web applications. The mechanism ensures that browsers can enforce the while permitting benign cross-origin interactions without additional overhead. A request qualifies as simple if it adheres to strict conditions on methods and headers to avoid potential risks that might necessitate preflight validation. The HTTP method must be one of GET, HEAD, or , as these are considered or idempotent operations that do not typically alter in unintended ways. Additionally, the request must not include any forbidden methods such as CONNECT, , or , nor headers that start with "Sec-" or other non-standard fields that could introduce vulnerabilities. For headers, only a limited set is permitted: accept, accept-language, content-language, content-type (restricted to application/x-www-form-urlencoded, multipart/form-data, or text/plain), dpr (a number between 1.0 and 256.0), downlink, save-data, viewport-width (a number between 1 and 10000), width (a number between 1 and 10000), and range (a single "bytes" range); all header values must have length not exceeding 128 bytes and contain no CORS-unsafe bytes. No custom or author-defined headers are allowed, ensuring the request remains innocuous and compatible with legacy user agents. The flow for a simple request begins when a attempts to access a cross-origin resource, prompting the () to include an Origin header in the request, specifying the requesting site's . The then sends this request directly to the target server without any prior OPTIONS preflight, as the criteria are met. Upon receiving the response, the server must include the Access-Control-Allow-Origin response header, typically echoing the value from the request's Origin header (or using a wildcard "*" for broader permissions, though this is restricted when credentials are involved). In response handling, the browser verifies the Access-Control-Allow-Origin header against the request's origin; if they match exactly or the wildcard applies appropriately, the response body and certain headers become accessible to the web application. If the server omits the header or provides an invalid value, the browser silently blocks access to the response, treating it as a network error without notifying the application, thereby upholding security without exposing details of the failure. This process allows simple requests to proceed efficiently for operations like loading images or submitting forms, while deferring more complex scenarios to preflight mechanisms.

Preflight Requests

Preflight requests serve as a preliminary safeguard in the Cross-Origin Resource Sharing (CORS) mechanism, allowing browsers to verify server permissions before executing potentially unsafe cross-origin operations. These requests are automatically initiated by the when certain conditions indicate a higher risk of unintended access, ensuring that servers explicitly authorize non-standard methods or headers. A preflight request is triggered for cross-origin requests that do not qualify as simple requests, specifically when the HTTP method is neither GET, HEAD, nor POST, or when the request includes headers outside the set of simple headers such as Cache-Control, Authorization, or others defined in the specification. Additionally, preflight is required if the Content-Type header is set to values like application/xml, application/json, or text/xml, which are not among the simple content types (application/x-www-form-urlencoded, multipart/form-data, or text/plain). Custom author request headers, such as Authorization or X-Requested-With, also necessitate a preflight to prevent unauthorized exposure of sensitive data. The preflight process begins with the browser sending an HTTP OPTIONS request to the target resource's URL, independent of the actual request method. This OPTIONS request includes three key headers: Origin (indicating the requesting site's origin), Access-Control-Request-Method (specifying the intended method, e.g., PUT or DELETE), and Access-Control-Request-Headers (listing any non-simple custom headers). The server must respond with a successful status (typically 200 OK or 204 No Content) and include CORS-specific response headers to approve the operation: Access-Control-Allow-Origin (matching or allowing the request's origin), Access-Control-Allow-Methods (listing permitted methods, e.g., GET, POST, PUT), and Access-Control-Allow-Headers (authorizing the requested headers). If the server approves, the browser proceeds to send the actual cross-origin request; otherwise, the process halts. To optimize performance and reduce unnecessary network overhead, preflight responses can be cached by the browser using the Access-Control-Max-Age response header, which specifies the duration in seconds. This value indicates how long the results of the preflight—such as allowed methods and headers—remain valid before a new preflight is required for subsequent identical requests from the same . Servers set this header to balance security with efficiency, though user agents may impose implementation-specific limits on the maximum age. In error cases, if the preflight request fails—due to a non-successful HTTP status code (e.g., 4xx or 5xx), missing required CORS headers, or mismatch in allowed origins, methods, or headers—the does not send the actual cross-origin request. Instead, it reports a network error to the web application, typically triggering the onerror event in or Fetch API contexts without exposing details of the failure to prevent information leakage. This silent blocking ensures that unauthorized requests cannot proceed, maintaining the integrity of the while allowing controlled cross-origin access.

HTTP Headers

Request Headers

In Cross-origin resource sharing (CORS), browsers automatically include specific HTTP request headers to facilitate secure cross-origin communication by informing the server about the request's origin and intended characteristics. These headers enable the server to evaluate and respond to the request appropriately, distinguishing between simple and preflight requests. The header is a fundamental CORS request header sent by the in all cross-origin requests, including both simple and preflight types. It specifies the origin (scheme, host, and port) from which the request originates, such as https://example.com, allowing the server to verify the requesting party's identity before granting access. This header is always included unless the request is same-origin or involves certain opaque types, and it replaces earlier mechanisms like the Origin header defined in the Web Origin Concept. For preflight requests, which use the OPTIONS method to probe server permissions before the actual cross-origin request, the browser includes the Access-Control-Request-Method header. This header declares the HTTP method (e.g., POST or PUT) that the subsequent actual request intends to use, enabling the server to pre-approve or deny it based on policy. It is only sent when the method is not one of the simple ones (GET, HEAD, or POST). Similarly, the Access-Control-Request-Headers header appears exclusively in preflight requests and lists the custom (author-requested) headers that the actual request will include, separated by commas (e.g., X-Custom-Header, X-Another-Header). Its purpose is to allow the server to assess and authorize these non-standard headers in advance, preventing unauthorized exposure of sensitive data. Simple headers like Accept or Content-Language are excluded from this list, as they do not require pre-approval. The Access-Control-Request-Private-Network header, introduced in the specification, is sent as true in preflight requests targeting addresses (e.g., or 192.168.x.x) from public origins. It alerts the server to the potential risk of cross-network , allowing explicit opt-in. As of November 2025, this is supported in major browsers including 98+ and 109+. In simple requests, particularly POST requests, the standard Content-Type header may be included to indicate the of the request body, but it is restricted to safe values such as application/x-www-form-urlencoded, multipart/form-data, or text/plain to avoid triggering a preflight. Non-safe types, like application/[json](/page/JSON), necessitate a preflight request.

Response Headers

In Cross-Origin Resource Sharing (CORS), servers respond to cross-origin requests by including specific HTTP headers that authorize access, methods, and headers, thereby overriding the browser's default same-origin restrictions. These response headers are evaluated by the to determine if the response can be accessed by the requesting script, ensuring controlled sharing of resources across origins. For simple requests, the server may include relevant headers directly in the response; for preflight requests, these headers appear in the OPTIONS response to inform subsequent actual requests. The Access-Control-Allow-Origin header specifies the origins permitted to access the resource. Its value is either a single origin (e.g., https://[example.com](/page/Example.com)), which must exactly match the Origin header sent by the client, or the wildcard * to allow any origin. If the header is absent or the origin does not match, the browser blocks access to the response. The wildcard * provides broad permission but is restricted in certain scenarios for security reasons. The Access-Control-Allow-Methods header, used primarily in preflight responses, enumerates the HTTP methods (e.g., GET, [POST](/page/Post), PUT) that the server accepts for the actual request. It is a comma-separated list of method names, case-sensitive, and must include any non-simple methods requested via the preflight's Access-Control-Request-Method header. This header ensures that only approved methods can proceed cross-origin. Similarly, the Access-Control-Allow-Headers header in preflight responses indicates the custom request headers the server permits, mirroring the client's Access-Control-Request-Headers. Its value is a comma-separated list of header names (e.g., X-Custom-Header, Content-Type), excluding simple headers like Accept. If a requested header is not listed, the will reject the actual request. The Access-Control-Max-Age header defines the maximum time, in seconds, that the preflight response can be cached by the browser (e.g., 3600 for one hour). It accepts a non-negative integer, allowing reuse of preflight results to reduce unnecessary OPTIONS requests. Browsers clamp excessive values but honor the duration to optimize . The Access-Control-Allow-Credentials header, when set to true, signals that the response includes credentials such as or headers. It must be a literal true value and cannot be combined with the wildcard * in Access-Control-Allow-Origin; a specific is required to prevent unauthorized credential exposure. The Access-Control-Expose-Headers header, used in actual CORS responses (not preflight), specifies which non-simple response headers the client can access. Its value is a comma-separated list of header names (e.g., X-Total-Count, [Location](/page/Location)) or * to expose all. By default, only simple headers like Cache-Control are exposed; this header allows controlled exposure of custom ones to prevent information leakage. The Access-Control-Allow-Private-Network header, part of the Private Network Access extension, is set to true in preflight responses to permit requests from public origins to resources. It must be present for such requests to succeed, enhancing security by requiring explicit server approval for potentially risky cross-network access. As of November 2025, support is widespread in modern browsers. Wildcard usage in Access-Control-Allow-Origin as * grants access to any origin but is incompatible with Access-Control-Allow-Credentials: true, as this would risk leaking sensitive data like authentication tokens to untrusted sites. In such cases, servers must specify exact origins to maintain security boundaries. These headers collectively enforce a permission model that balances with protection against and .

Examples

Simple Request Example

Consider a scenario where a hosted at https://www.example.com uses the Fetch API to retrieve data from an API endpoint at https://api.example.com/data. This constitutes a simple cross-origin GET request, as it employs a safe method (GET) without custom request headers or restricted Content-Type values. The client-side code for initiating this request is straightforward, relying on the default Fetch options that align with simple request criteria: 
javascript
fetch('https://api.example.com/data')
  .then(response => response.json())
  .then(data => console.log(data))
  .catch(error => console.error('Request failed:', error));
The browser automatically appends the Origin header to the request, specifying Origin: https://www.example.com, to inform the server of the requesting site's origin. A network trace of this interaction reveals the following exchange: Request: 
GET /data HTTP/1.1
Host: api.example.com
Origin: https://www.example.com
...
Response (successful case): 
HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://www.example.com
Content-Type: application/json
...

{"message": "Sample data"}
The server must include the Access-Control-Allow-Origin response header matching the request's Origin (or using a wildcard * for broader access) to permit the cross-origin read. If the response headers align appropriately, the browser delivers the JSON data to the JavaScript, enabling successful processing; otherwise, it blocks access and logs a CORS error in the console, such as "No 'Access-Control-Allow-Origin' header is present on the requested resource." Unlike requests requiring a preflight check, this simple request proceeds directly without an initial OPTIONS probe.

Preflight Request Example

Consider a scenario where a web page hosted at https://www.example.com attempts to send a POST request to an API endpoint at https://api.example.com/update, including a custom Authorization header with a Bearer token. This request triggers a preflight because the Authorization header is not part of the simple CORS-safelisted request headers, and POST is considered potentially unsafe when combined with non-simple headers. The client-side JavaScript using the Fetch might look like this: 
javascript
fetch('https://api.example.com/update', {
  method: 'POST',
  headers: {
    'Authorization': 'Bearer token123'
  },
  body: JSON.stringify({ data: 'example' })
});
This code initiates the cross-origin request, but the browser first sends an OPTIONS preflight request to verify server permissions. The preflight request trace would include the following headers: 
OPTIONS /update HTTP/1.1
Host: api.example.com
Origin: https://www.example.com
Access-Control-Request-Method: POST
Access-Control-Request-Headers: authorization
If the server approves the request, it responds with a 204 No Content status and the necessary CORS allowance headers, such as: 
HTTP/1.1 204 No Content
Access-Control-Allow-Origin: https://www.example.com
Access-Control-Allow-Methods: POST, GET, OPTIONS
Access-Control-Allow-Headers: authorization
Access-Control-Max-Age: 86400
The Access-Control-Max-Age header indicates how long (in seconds) the preflight results can be cached by the , reducing subsequent preflight overhead. Upon successful preflight, the proceeds with the actual request: 
[POST](/page/Post-) /update HTTP/1.1
Host: api.example.com
[Origin](/page/Origin): https://www.example.com
[Authorization](/page/Authorization): Bearer token123
Content-Type: application/[json](/page/JSON)

{"data": "example"}
The then responds to the , including the Access-Control-Allow-Origin header to permit the client to read the response: 
HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://www.example.com
Content-Type: application/json

{"status": "success"}
If the preflight succeeds, the request proceeds as normal, allowing the client to process the response. However, if the rejects the preflight—such as by omitting required allowance headers or returning an error status—the blocks the actual request, preventing any cross-origin and logging a CORS error in the console.

Implementation

Server-Side Configuration

Server-side configuration for Cross-Origin Resource Sharing (CORS) involves inspecting the Origin header in incoming requests and responding with appropriate Access-Control-* headers to indicate which origins are permitted to access the resource. This mechanism allows servers to relax the selectively, enabling cross-origin requests while maintaining security boundaries. The server must evaluate the request's origin against a predefined allowlist or policy before setting headers like Access-Control-Allow-Origin. In practice, implementations vary by or , often using or configuration directives to automate header addition. For with Express, the cors middleware package simplifies this by handling origin validation and header injection. A basic setup permits requests only from a specific origin, such as: 
javascript
const express = require('express');
const cors = require('cors');
const app = express();

const corsOptions = {
  origin: 'https://example.com'
};

app.use(cors(corsOptions));
This configuration checks the Origin header against the specified value and echoes it in Access-Control-Allow-Origin if valid; otherwise, it rejects the request. For , CORS headers can be added via .htaccess files or the main configuration, using the mod_headers module. To allow all origins (not recommended for production due to risks), include: 
Header always set Access-Control-Allow-Origin "*"
Header always set Access-Control-Allow-Methods "GET, POST, OPTIONS"
Header always set Access-Control-Allow-Headers "Content-Type"
These directives apply to the directory where the .htaccess file resides, ensuring OPTIONS preflight requests receive appropriate responses. More restrictive setups limit origins to specific domains, e.g., Header always set Access-Control-Allow-Origin "https://example.com". Nginx configurations achieve similar results through server blocks in nginx.conf or site-specific files. A common setup for enabling CORS across all origins includes: 
location / {
    if ($request_method = 'OPTIONS') {
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
        add_header 'Access-Control-Max-Age' 1728000;
        add_header 'Content-Type' 'text/plain; charset=utf-8';
        add_header 'Content-Length' 0;
        return 204;
    }
    add_header 'Access-Control-Allow-Origin' '*';
    add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
    add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
    add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
}
This handles preflight OPTIONS requests explicitly and adds headers to other methods, with the if block ensuring efficient processing. For dynamic origin validation, servers can implement logic to check the Origin header against runtime conditions, such as environment variables or databases, rather than static lists. In Express, this uses a callback in the cors options: 
javascript
const corsOptions = {
  origin: [function](/page/Function) (origin, callback) {
    const allowedOrigins = ['https://example.com', 'https://another.com'];
    if (!origin || allowedOrigins.indexOf(origin) !== -1) {
      callback(null, true);
    } else {
      callback(new Error('Not allowed by CORS'));
    }
  }
};
This approach echoes the validated Origin in the response header, enhancing flexibility for multi-tenant applications while preventing unauthorized access. If no CORS headers are sent in response to a cross-origin request, the browser treats it as an opaque response, which provides no access to the content, status, or headers from client-side JavaScript. Opaque responses occur in "no-cors" mode or when the server omits Access-Control-Allow-Origin, limiting the response to metadata like size for caching purposes but blocking content reading to enforce security. This default behavior ensures that unconfigured servers do not inadvertently expose resources cross-origin.

Handling Credentials and Security

To enable the transmission of credentials such as , HTTP details, and TLS client certificates in cross-origin requests, the client must configure the request accordingly, while the enforces specific response headers for . On the , developers set the credentials mode to "include" using the Fetch API, as in fetch(url, { credentials: 'include' }), or enable it via XMLHttpRequest.withCredentials = true for objects; by default, credentials are omitted to prevent unintended data leakage. The responds by including the Access-Control-Allow-Credentials: true header, which signals to the browser that credentials are permitted, but this requires the Access-Control-Allow-Origin header to specify an exact (e.g., [https](/page/HTTPS)://example.com) rather than the wildcard *, as wildcards are forbidden in credentialed scenarios to avoid broad exposure of sensitive data. These configurations have direct implications for cross-origin and session management. When credentials mode is active and the allows it, the browser includes user-specific data like session cookies or basic headers in the request, enabling secure, stateful interactions such as logged-in API calls from third-party web applications. Similarly, TLS client certificates can be leveraged for across origins, though this depends on the browser's handling of certificate stores. However, third-party cookie restrictions in modern browsers (e.g., SameSite policies) may still block such inclusions independently of CORS settings, emphasizing that CORS alone does not override all credential protections. For basic security in credentialed CORS setups, servers must implement the Vary: Origin response header alongside origin-specific Access-Control-Allow-Origin to mitigate caching attacks, where a shared cache might incorrectly serve one origin's credentialed response to another, potentially exposing private data. Validation of the incoming Origin header against a predefined allowlist of trusted domains is essential, ensuring only authorized origins receive permissive responses and preventing malicious sites from proxying requests. In common API implementations, credentialed CORS is typically restricted to a narrow set of trusted domains, such as an application's frontend domain, to balance usability with security; for instance, a backend server might dynamically echo the validated Origin in Access-Control-Allow-Origin only for origins in an allowlist like https://app.example.com or https://admin.example.com, rejecting all others to limit attack surfaces.

Compatibility and Adoption

Browser Support

Cross-origin resource sharing (CORS) has seen broad browser adoption since its initial implementations in the late 2000s, with partial support appearing first in through the proprietary XDomainRequest API, which provided limited cross-origin capabilities but lacked full CORS compliance, such as support for standard or custom headers. Full CORS support arrived in with partial implementation and in with complete support, while from version 12 onward offered full compatibility. Chrome provided partial support from version 4 (2008) to 12, achieving full support by version 13 (2011); from version 3.5 (2009); with partial support in versions 4 to 5.1 (2009–2011) and full from version 6 (2012). Feature-specific implementations include preflight requests, which are supported in all modern browsers since around , enabling the handling of non-simple requests via OPTIONS method checks. Credentials support, allowing inclusion of cookies and authorization headers via the Access-Control-Allow-Credentials header, aligns closely with basic CORS timelines: full in 4+, 3.5+, 4+, 12+, and +, though older browsers (pre-4.4) exhibited variations, such as stricter handling of TLS client certificates or redirects.
BrowserBasic CORS SupportPreflight SupportCredentials Support
Partial (4–12), Full (13+)Full (13+)Full (4+)
Full (3.5+)Full (3.5+)Full (3.5+)
Partial (4–5.1), Full (6+)Full (6+)Full (4+)
Full (12+)Full (12+)Full (12+)
Partial (8–10 via XDomainRequest), Full (11)Partial (10+), Full (11)Full (11)
As of 2025, CORS enjoys universal support across browsers holding more than 1% global , with no significant compatibility gaps in current versions; tools like Can I use... confirm coverage exceeding 98% worldwide, reflecting its status as a foundational standard.

Specification History

Cross-Origin Resource Sharing (CORS) originated as a response to limitations in the for enabling secure cross-origin HTTP requests. The foundational concept was proposed by the W3C Voice Browser Working Group in as an XML processing instruction for cross-origin access in voice applications, which was later generalized to an HTTP header-based mechanism. This evolution involved contributions from browser vendors, including , which implemented early support in 3.5 in 2009. The W3C published the first Working Draft of the CORS specification on March 17, 2009, defining the protocol for client-side cross-origin requests using headers like Access-Control-Allow-Origin. Subsequent drafts followed, with the Last Call Working Draft released on April 3, 2012, and the specification advancing to Candidate Recommendation status on January 29, 2013. The W3C formalized CORS as a Recommendation on January 16, 2014, establishing it as a stable standard integrated with HTML5 and the XMLHttpRequest Level 2 specification, which it influenced by providing the underlying protocol for cross-origin XHR support. Since 2014, CORS has been maintained as part of the Fetch Living Standard, with the core mechanism last undergoing major updates in that year. The Fetch API, introduced in 2015, enhanced CORS usage by providing a modern, promise-based interface for cross-origin fetches. Minor clarifications and extensions have occurred through 2025, including adjustments for edge cases like private network access via the Private Network Access specification, which extends CORS preflights to prevent unintended exposure of local resources. The standard, often referred to as CORS 1.0 in its initial form, includes unused extensions in the Fetch specification such as report-only modes for testing configurations without enforcement. CORS effectively supersedes older ad-hoc mechanisms for cross-origin data sharing, offering a standardized, server-controlled alternative.

Security and Alternatives

Security Considerations

Misconfigured Cross-Origin Resource Sharing (CORS) can introduce significant vulnerabilities by inadvertently exposing sensitive resources to unauthorized origins. One primary arises from using the wildcard (*) in the Access-Control-Allow-Origin header, which permits any domain to access the resource, potentially allowing malicious websites to read private data or perform unauthorized actions on behalf of the user. This configuration is particularly dangerous in internal networks, where it can enable external attackers to access resources via tricks like intranet.evil-site.com. Another concern involves credential handling, where enabling Access-Control-Allow-Credentials: true without restricting origins can lead to credential leaks, especially in conjunction with (CSRF) attacks. If CORS allows credentialed requests from untrusted origins, attackers may exploit this to steal session cookies or CSRF tokens by tricking users into loading malicious pages that issue cross-origin requests. The W3C specification prohibits combining wildcards with credentials to mitigate this, but improper implementations can still expose data if safe HTTP methods (like GET or HEAD) are not enforced for credentialed endpoints. Origin spoofing attempts, while limited by browsers that automatically set the Origin header and prevent user overrides, often succeed through reflection misconfigurations. Servers that blindly echo the Origin header without validation can be bypassed using crafted subdomains (e.g., trusted-site.attacker.com), granting access to otherwise protected resources. Whitelisting null origins is similarly exploitable via sandboxed iframes, allowing attackers to impersonate trusted contexts. Recent developments highlight ongoing risks in CORS implementations. In 2021, the Private Network Access specification extended CORS with preflight requests to protect private ranges (e.g., 192.168.0.0/16) from public websites, requiring explicit server approval via new headers like Access-Control-Allow-Private-Network: true to prevent CSRF-like attacks on local devices such as routers. In 2025, multiple (CVEs) exposed overly permissive CORS in libraries and applications; for instance, CVE-2024-8487 in modelscope/agentscope v0.0.4 allowed any external domain to access , risking data disclosure and system compromise (CVSS 9.8). Similarly, CVE-2024-8024 in netease-youdao/qanything 1.4.1 enabled bypasses, potentially leaking sensitive information (CVSS 7.5). Later in 2025, CVE-2025-8036 revealed a browser-side vulnerability in major browsers (Chromium-based, Edge, , ) where CORS policies could be bypassed via attacks, enabling unauthorized access to services on arbitrary ports and exposing private networks; users are advised to update browsers promptly (disclosed October 2025). Additionally, the Top 10 for 2025 lists CORS misconfigurations as a key example under A01: , emphasizing their role in enabling unauthorized access. To mitigate these risks, administrators should adopt strict best practices, such as specifying exact trusted origins in Access-Control-Allow-Origin (e.g., https://[example.com](/page/Example.com)) rather than wildcards, and enforcing for all endpoints to prevent man-in-the-middle interception of requests. Rate limiting preflight OPTIONS requests helps thwart denial-of-service attempts that probe for misconfigurations, while avoiding exposure of sensitive endpoints via CORS altogether—opting instead for server-side —further reduces the . Auditing CORS configurations is essential for identifying vulnerabilities; tools like can intercept headers to detect wildcards, reflected origins, or invalid credential settings, enabling manual testing of cross-origin requests from simulated malicious domains. Regular scans with such tools, combined with validation of origin whitelists using exact string matching, ensure robust protection against exploitation.

Comparison with JSONP

JSONP, or JSON with Padding, is a legacy workaround for the () that enables cross-origin data retrieval by dynamically injecting <script> elements into the page. The client specifies a callback name as a query (e.g., ?callback=handleData), and the responds by wrapping the payload in that function call (e.g., handleData({ "data": "value" })), which executes immediately upon loading. This approach leverages the browser's permission to load scripts from any origin but is inherently restricted to GET requests and provides no native error handling, as failed loads simply do not execute the callback. Despite its simplicity, JSONP suffers from several critical limitations and risks. It exclusively supports GET methods, precluding , PUT, or other verbs essential for many interactions, and cannot include custom headers or request bodies. Browser caching of tags can also result in outdated responses without reliable invalidation mechanisms. More alarmingly, JSONP introduces severe security vulnerabilities, including (XSS) through unsanitized callback parameters that allow attackers to inject executable code, and cross-site script inclusion (XSSI) exploits that enable leakage of sensitive information like API keys or user data across origins. CORS surpasses JSONP by offering a standardized, server-controlled protocol that accommodates all HTTP methods, custom headers, and request bodies while providing robust error reporting via HTTP status codes and the ability to include credentials such as cookies or authorization tokens. Unlike JSONP's script-based execution, CORS integrates seamlessly with modern APIs like fetch() and XMLHttpRequest, ensuring safer and more flexible cross-origin access. Following CORS's elevation to W3C Recommendation in January 2014 and near-universal browser adoption, JSONP has been progressively deprecated since approximately 2015, rendering it obsolete for contemporary development. To migrate JSONP endpoints to CORS, developers configure servers to emit headers like Access-Control-Allow-Origin and Access-Control-Allow-Methods in responses, eliminating the need for callback wrapping and enabling direct use of standard techniques. This transition enhances security and maintainability, and is strongly discouraged for new implementations due to its outdated nature and persistent risks.

References

  1. [1]
    https://fetch.spec.whatwg.org/#cors-protocol
  2. [2]
    Cross-Origin Resource Sharing (CORS) - HTTP - MDN Web Docs
    Oct 30, 2025 · Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any origins (domain, scheme, or port) other than its ownCross-Origin Resource Policy · Reason: Credential is not... · Reason: CORS header
  3. [3]
    Fetch Standard
    Oct 10, 2025 · The CORS-unsafe request-header names , given a header list headers , are determined as follows: Let unsafeNames be a new list. Let ...
  4. [4]
    https://fetch.spec.whatwg.org/#http-origin
  5. [5]
    https://fetch.spec.whatwg.org/#simple-header
  6. [6]
    https://fetch.spec.whatwg.org/#cors-preflight-request
  7. [7]
    https://fetch.spec.whatwg.org/#http-access-control-expose-headers
  8. [8]
    Same-origin policy - Security - MDN Web Docs - Mozilla
    Sep 26, 2025 · The same-origin policy is a critical security mechanism that restricts how a document or script loaded by one origin can interact with a resource from another ...Changing origin · Cross-origin network access · Cross-origin script API access
  9. [9]
    Definitive Guide to Same-origin Policy (SOP) - Invicti
    This white paper reviews the history, definition, misconceptions and uses of the Same-origin Policy. It examines in detail how it is implemented to DOM ...
  10. [10]
    Why was the Same-origin policy originally introduced (before ...
    Jan 17, 2020 · However, when the SOP was introduced (JavaScript 1.0, in Netscape Navigator 2.0 in 1995), there was no way to send a request from JavaScript.
  11. [11]
    Same-origin policy | Articles | web.dev
    The same-origin policy is a browser security feature that restricts how documents and scripts on one origin can interact with resources on another origin.
  12. [12]
    Same-origin policy (SOP) | Web Security Academy - PortSwigger
    The same-origin policy is a web browser security mechanism that aims to prevent websites from attacking each other.
  13. [13]
    Fetch Standard
    Summary of each segment:
  14. [14]
    WebSockets support in ASP.NET Core - Microsoft Learn
    Oct 13, 2025 · The protections provided by CORS don't apply to WebSockets. Browsers do not: Perform CORS pre-flight requests.
  15. [15]
    https://fetch.spec.whatwg.org/#cors-safelisted-method
  16. [16]
    https://www.w3.org/TR/cors/#introduction
  17. [17]
    https://fetch.spec.whatwg.org/#forbidden-method
  18. [18]
    https://fetch.spec.whatwg.org/#cors-safelisted-request-header
  19. [19]
    https://www.w3.org/TR/cors/#origin-header
  20. [20]
    https://www.w3.org/TR/cors/#access-control-allow-origin-response-header
  21. [21]
    https://www.w3.org/TR/cors/#resource-processing-model
  22. [22]
    https://fetch.spec.whatwg.org/#http-access-control-allow-origin
  23. [23]
    https://www.w3.org/TR/cors/#user-agent-processing-model
  24. [24]
    https://www.w3.org/TR/cors/#preflight-request
  25. [25]
    https://developer.mozilla.org/en-US/docs/Glossary/Preflight_request
  26. [26]
    https://www.w3.org/TR/cors/#simple-requests
  27. [27]
    Preflight request - Glossary - MDN Web Docs
    Jul 11, 2025 · A CORS preflight request is a CORS request that checks to see if the CORS protocol is understood and a server is aware using specific methods and headers.
  28. [28]
    https://fetch.spec.whatwg.org/#cors-preflight-fetch
  29. [29]
    https://www.w3.org/TR/cors/#access-control-allow-methods-response-header
  30. [30]
    https://www.w3.org/TR/cors/#access-control-max-age-response-header
  31. [31]
    https://fetch.spec.whatwg.org/#cors-preflight-cache
  32. [32]
    https://fetch.spec.whatwg.org/#concept-network-error
  33. [33]
    https://fetch.spec.whatwg.org/#origin-header
  34. [34]
    https://wicg.github.io/private-network-access/#preflight-request
  35. [35]
    https://fetch.spec.whatwg.org/#http-access-control-allow-methods
  36. [36]
    https://fetch.spec.whatwg.org/#http-access-control-allow-headers
  37. [37]
    https://fetch.spec.whatwg.org/#http-access-control-max-age
  38. [38]
    https://fetch.spec.whatwg.org/#http-access-control-allow-credentials
  39. [39]
    https://wicg.github.io/private-network-access/#allow-private-network-response-header
  40. [40]
    https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CORS#simple_requests
  41. [41]
    Access-Control-Allow-Origin header - HTTP - MDN Web Docs
    Jul 4, 2025 · The HTTP Access-Control-Allow-Origin response header indicates whether the response can be shared with requesting code from the given origin.
  42. [42]
    CORS errors - HTTP - MDN Web Docs - Mozilla
    Jul 4, 2025 · Cross-Origin Resource Sharing (CORS) is a standard that allows a server to relax the same-origin policy. This is used to explicitly allow some ...CORS request did not succeed · Reason: CORS header...
  43. [43]
    Express cors middleware
    CORS is a node.js package for providing a Connect/Express middleware that can be used to enable CORS with various options.
  44. [44]
    https://fetch.spec.whatwg.org/#concept-response-opaque
  45. [45]
    https://fetch.spec.whatwg.org/#concept-request-credentials-mode
  46. [46]
    Enable Cross-Origin Requests (CORS) in ASP.NET Core
    Sep 29, 2025 · This article shows how Cross-Origin Resource Sharing (CORS) is enabled in an ASP.NET Core app. Browser security prevents a web page from making requests to a ...
  47. [47]
    Cross-Origin Resource Sharing | Can I use... Support tables for HTML5, CSS3, etc
    ### Browser Support for CORS
  48. [48]
    https://blogs.msdn.com/b/ieinternals/archive/2010/05/13/xdomainrequest-restrictions-limitations-and-workarounds.aspx
  49. [49]
    Access-Control-Allow-Credentials header - HTTP - MDN Web Docs
    Jul 4, 2025 · The HTTP Access-Control-Allow-Credentials response header tells browsers whether the server allows credentials to be included in cross-origin HTTP requests.
  50. [50]
    How to win at CORS - JakeArchibald.com
    Oct 12, 2021 · The proposal by the Voice Browser Working Group was generalised using HTTP headers, and that became Cross-Origin Resource Sharing, or CORS.
  51. [51]
    Cross-Origin Resource Sharing - W3C
    Mar 17, 2009 · XMLHttpRequest Level 2 includes support for cross-origin requests. 2 Conformance Criteria. This specification is written for servers and user ...
  52. [52]
    Cross-Origin Resource Sharing publication history | Standards - W3C
    Cross-Origin Resource Sharing publication history ; 29 January 2013, Candidate Recommendation Snapshot ; 3 April 2012, Last Call Working Draft ; 27 July 2010 ...
  53. [53]
    Fetch Standard
    Oct 10, 2025 · Used to ensure requests are made to same-origin URLs. Fetch will return a network error if the request is not made to a same-origin URL. " cors ...
  54. [54]
    Fetch API - MDN Web Docs
    Apr 9, 2025 · The Fetch API uses Request and Response objects (and other things involved with network requests), as well as related concepts such as CORS and ...Using Fetch · Window: fetch() method · WorkerGlobalScope.fetch() · Request
  55. [55]
    Private Network Access - GitHub Pages
    Sep 26, 2024 · This document specifies modifications to Fetch and HTML which are intended to mitigate the risks associated with unintentional exposure of devices and servers.
  56. [56]
    Testing Cross Origin Resource Sharing - OWASP Foundation
    CORS defines the protocol to use between a web browser and a server to determine whether a cross-origin request is allowed. HTTP headers are used to accomplish ...Testing Cross Origin... · How To Test · Cors Misconfiguration
  57. [57]
    What is CORS (cross-origin resource sharing)? - PortSwigger
    Cross-origin resource sharing (CORS) is a browser mechanism which enables controlled access to resources located outside of a given domain.Missing: supersedes older
  58. [58]
    What is CORS? A Complete Guide to Cross-Origin Resource Sharing
    Jul 21, 2025 · CORS, or Cross-Origin Resource Sharing, is a browser security feature that controls how web pages can request resources from domains other than ...
  59. [59]
    Private Network Access: introducing preflights | Blog
    Jan 6, 2022 · The specification also extends the Cross-Origin Resource Sharing (CORS) protocol so that websites must now explicitly request a grant from ...Missing: 2020-2025 | Show results with:2020-2025<|separator|>
  60. [60]
    CVE-2024-8487 Detail - NVD
    Mar 20, 2025 · A Cross-Origin Resource Sharing (CORS) vulnerability exists in modelscope/agentscope version v0.0.4. The CORS configuration on the agentscope server does not ...
  61. [61]
    CVE-2024-8024 Detail - NVD
    Mar 20, 2025 · This vulnerability allows an attacker to bypass the Same-Origin Policy, potentially leading to sensitive information exposure. Properly ...
  62. [62]
    Cross Site Script Inclusion (XSSI) - WSTG - v4.1 | OWASP Foundation
    Summary. Cross Site Script Inclusion (XSSI) vulnerability allows sensitive data leakage across-origin or cross-domain boundaries.Testing For Cross Site... · Summary · How To Test
  63. [63]
    jQuery's JSONP Explained with Examples - SitePoint
    Jun 23, 2016 · JSONP has several limitations. It only supports GET requests, not POST or other HTTP methods. It also lacks error handling capabilities.
  64. [64]
    [PDF] We Still Don't Have Secure Cross-Domain Requests - USENIX
    Aug 15, 2018 · Cross origin resource sharing (CORS) is proposed to solve the problems of JSON-P, and to provide a proto- col support of authorized access cross ...
  65. [65]
    Using CORS and JSONP to make cross-origin requests - GitHub Docs
    Using CORS and JSONP to make cross-origin requests. You can make API requests across domains using cross-origin resource sharing (CORS) and JSONP callbacks.