![\"\"](\"https:\/\/www.backblaze.com\/blog\/wp-content\/uploads\/2021\/10\/bb-bh-What-is-CORS-1.jpg\")
<\/p>\n<\/p>\n
The dreaded CORS error is the bane of many a web developer\u2019s day-to-day life. Even for experts, it can be eternally frustrating. Today, we\u2019re digging into CORS, starting with the basics and working up to sharing specific code samples to help you enable CORS for your web development project. What is CORS? Why do you need it? And how can you enable it to save time and resources?<\/p>\n
We\u2019ll answer those questions so you can put the CORS bane behind you.<\/p>\n
CORS stands for cross-origin resource sharing. To define CORS, we first need to explain its counterpoint\u2014the same-origin policy, or SOP. The SOP is a policy that all modern web browsers use for security purposes, and it dictates that a web address with a given origin can only request data from the same origin. CORS is a mechanism that allows you to bypass the SOP so you can request data from websites with different<\/em> origins.<\/p>\n Let\u2019s break that down piece by piece, then we\u2019ll get into why you\u2019d want to bypass the same-origin policy in the first place.<\/p>\n All websites have an origin, and it is defined by the protocol, domain, and port of its URL.<\/p>\n You\u2019re probably familiar with the working parts of a URL, but they each have a different function. The protocol, also known as the scheme, identifies the method for exchanging data. Typical protocols are http, https, or mailto. The domain, also known as the hostname, is a specific webpage\u2019s unique identifier. You may not be as familiar with the port as it\u2019s not normally visible in a typical web address. Just like a port on the water, it\u2019s the connection point where information comes in and out of a server. Different port numbers specify the types of information the port handles.<\/p>\n When you understand what an origin is, the \u201ccross-origin\u201d part of CORS makes a bit more sense. It simply means web addresses with different origins. In web addresses with the same origin, the protocol, domain, and port all match.<\/p>\n The same-origin policy was developed and implemented as a security measure against a specific website vulnerability that was discovered and exploited in the 2000s. Before the same-origin policy was in place, bad actors could use cookies stored in people\u2019s browsers to make requests to other websites illicitly. This is known as cross-site request forgery, or CSRF, pronounced \u201csea surf.\u201d It\u2019s also known as \u201csession riding.\u201d Tubular.<\/p>\n Let\u2019s say you log in to Netflix on your laptop to add Ridley Scott\u2019s 1982 classic, \u201cBlade Runner\u201d to your queue, as one does. You click \u201cRemember Me\u201d so you don\u2019t have to log in every time, and your browser keeps your credentials stored in a cookie so that the Netflix site knows you are logged in no matter where you navigate within their site.<\/p>\n Afterwards, you\u2019re bored, so you fall down an internet rabbit hole wondering why \u201cBlade Runner\u201d is called \u201cBlade Runner\u201d when there are few blades and little running. You end up on a site about samurai swords that happens to be malicious\u2014it has a script in its code that uses your authentication credentials stored in that cookie to make a request to Netflix that can change your address and add a bunch of DVDs to your queue (also, it\u2019s 2006, and this actually happened<\/a>). You\u2019ve become a victim of cross-site request forgery.<\/p>\n To thwart this threat, browsers enabled the same-origin policy to prohibit requests from one origin to another.<\/p>\n While the same-origin policy helped stop bad actors from nefariously accessing websites, it posed a problem\u2014sometimes you need or want assets and data from different origins. This is where the \u201cresource sharing\u201d part of cross-origin resource sharing comes in.<\/p>\n CORS allows you to set rules governing which origins are allowed to bypass the same-origin policy so you can share resources from those origins.<\/p>\n For example, you might host your website\u2019s front end at www.catblaze.com, but you host your back-end API at api.catblaze.com. Or, you might need to display a bunch of cat videos stored in Backblaze B2 Cloud Storage on your website, www.catblaze.com<\/a> (more on that below).<\/p>\n Let\u2019s say you have a website, and you dabble in some coding. You\u2019re probably thinking, \u201cI can already use images and stuff from other websites. Do I need CORS?\u201d And you\u2019re right to ask. Most browsers allow simple http requests like But some assets, like fonts or iframes, might not work\u2014then, you can use CORS\u2014but if you\u2019re a casual user, you can probably stop here.<\/p>\n Coding Explainer: What Is an http Request?<\/strong><\/p>\n An http request is the way you, the client, use code to talk to a server. A complete http request includes a request line, request headers, and a message body if necessary. The request line specifies the method of the request. There are generally eight types:<\/p>\n After the method, the request line also specifies the path of the URL the method applies to as well as the http version.<\/p>\n The request headers communicate some specifics around how you want to receive the information. There are usually a whole bunch of these. (Wikipedia has a good list<\/a>.) They\u2019re typically formatted thusly: Finally, the message body contains anything you might want to send. For example, if you use the method People use cloud storage for all manner of data storage purposes<\/a>, and most do not need to use CORS to access resources stored in a cloud instance. For example, you can make API calls to Backblaze B2 from any computer to use the resources you have stored in your storage buckets. If you\u2019re running a mobile application and transferring data back and forth to Backblaze B2, for instance, you don\u2019t need CORS. The mobile application doesn\u2019t rely on a web browser.<\/p>\n You only need CORS if you\u2019re specifically running code inside of a web browser and you need to make API calls from the browser to Backblaze B2. For example, if you\u2019re using an in-browser video player and want to play videos stored in Backblaze B2.<\/p>\n Fortunately, if you do<\/em> need CORS, Backblaze B2 allows you to configure CORS to your exact specifications while other cloud providers may have completely open CORS policies. Why is that important? An open CORS policy makes you vulnerable to CSRF attacks. To continue with the video example, let\u2019s say you\u2019re storing a bunch of videos that you want to make available on your website. If they\u2019re stored with a cloud provider that has an open CORS policy, you have two choices\u2014open or closed. You pick open so that your website visitors can call up those videos on demand, but that leaves you vulnerable to a CSRF that could allow a bad actor to download your videos. With Backblaze, you can specify the exact CORS rules you need.<\/p>\n If you are using Backblaze B2 to store data that will be displayed in a browser, or you\u2019re just curious, read on to learn more about using CORS. CORS has saved developers lots of time and money by reducing maintenance effort and code complexity.<\/p>\n Unlike simple A preflight request, also known as an A preflight request has the following headers:<\/p>\n The web server then responds with the following headers:<\/p>\n The values that follow these headers must match the values specified in the preflight request. If so, the browser will permit the actual CORS request to come through.<\/p>\n To provide an example for setting CORS up, we\u2019ll use Backblaze B2. By default, the Backblaze B2 servers will say “no” to preflight requests. Adding CORS rules to your bucket tells Backblaze B2 which preflight requests to approve. You can enable CORS in the Backblaze B2 UI if you only need to allow one, specific origin or if you want to be able to share the bucket with all origins.<\/p>\nWhat Is an Origin?<\/strong><\/h3>\n
![\"\"](\"https:\/\/www.backblaze.com\/blog\/wp-content\/uploads\/2021\/10\/Site-Name-Transparent-1024x292.png\"){kind=spacer}
<\/p>\nWhat Is the Same-origin Policy?<\/strong><\/h3>\n
Why Do You Need CORS?<\/strong><\/h2>\n
Do I Need CORS?<\/strong><\/h2>\n
get<\/code>, head<\/code>, and post<\/code> without requiring CORS rules to be set in advance. Embedding images from other sites, for example, typically requires a get<\/code> request to grab that data from a different origin. If that\u2019s all you need, you\u2019re good to go. You can use simple requests to embed images and other data from other websites without worrying about CORS.<\/p>\n\n\n
get<\/code>: \u201cI want something from the server.\u201d<\/li>\nhead<\/code>: \u201cI want something from the server, but only give me the headers, not the content.\u201d<\/li>\npost<\/code>: \u201cI want to send something to the server.\u201d<\/li>\nput<\/code>: \u201cI want to send something to the server that replaces something else.\u201d<\/li>\ndelete<\/code>: …self-explanatory.<\/li>\npatch<\/code>: \u201cI want to change something on the server.\u201d<\/li>\noptions<\/code>: \u201cIs this request going to go through?\u201d (This one is important for CORS!)<\/li>\ntrace:<\/code> \u201cShow me what you just did.\u201d Useful for debugging.<\/li>\n<\/ul>\nname:value<\/code>. For example:<\/p>\naccept:text\/plain<\/code> means you want the response to be in text format.<\/p>\npost<\/code>, the message body would contain what you want to post.<\/p>\n<\/div>\nDo I Need CORS With Cloud Storage?<\/strong><\/h3>\n
How Does CORS Work?<\/strong><\/h2>\n
get<\/code>, head<\/code>, and post<\/code> requests, some types of requests can alter the origin\u2019s data. These include requests like delete<\/code>, put<\/code>, and patch<\/code>. Any type of request that could alter the origin\u2019s data will trigger CORS, as will simple requests that have non-standard http headers or requests in certain programming languages like AJAX. When CORS is triggered, the browser sends what\u2019s called a preflight request to see if the CORS rules allow the request.<\/p>\nWhat Is a Preflight Request?<\/strong><\/h3>\n
options<\/code> request, asks the server if it’s okay to make the CORS request. If the preflight request comes back successfully, then the browser will complete the actual request. Few other systems in computing do this by default, so it\u2019s important to understand when using CORS.<\/p>\n\n
origin<\/code>: Identifies the origin from which the CORS request originates.<\/li>\naccess-control-request-method<\/code>: Identifies the method of the CORS request.<\/li>\naccess-control-request-headers<\/code>: Lists the headers that will be included in the CORS request.<\/li>\n<\/ul>\n\n
access-control-allow-origin<\/code>: Confirms the origin is allowed.<\/li>\naccess-control-allow-method<\/code>: Confirms the methods are allowed.<\/li>\naccess-control-allow-headers<\/code>: Confirms the headers are allowed.<\/li>\n<\/ul>\nSetting CORS Up: An Example<\/strong><\/h3>\n
![\"\"](\"https:\/\/www.backblaze.com\/blog\/wp-content\/uploads\/2021\/10\/image2-1-1024x583.png\")
![\"\"](\"https:\/\/www.backblaze.com\/blog\/wp-content\/uploads\/2021\/10\/image4-1024x926.png\")
![\"\"](\"https:\/\/www.backblaze.com\/blog\/wp-content\/uploads\/2021\/10\/image8-1024x844.png\")
<\/p>\n![\"\"](\"https:\/\/www.backblaze.com\/blog\/wp-content\/uploads\/2021\/10\/image3-1024x844.png\")
<\/p>\n![\"\"](\"https:\/\/www.backblaze.com\/blog\/wp-content\/uploads\/2021\/10\/image7-1024x844.png\")
<\/p>\n![\"\"](\"https:\/\/www.backblaze.com\/blog\/wp-content\/uploads\/2021\/10\/image1-1024x844.png\")
<\/p>\n