It’s every developer’s frustration once in a while to see that big red Access to fetched has been blocked by CORS policy error in your console! 😬 A...
This CS Visualized series is unique and a bomb because of those wonderful diagrammatical GIFs/explanation. I want to thank you for all the hard work you put in your articles.
Thank you! 😃
welcome
This is amazing - great down to earth explanation of how CORS works, but just as important, WHY CORS works. You rock!
If I may add, I think it's missing one of the most important parts of CORS, namely that it is NOT a reliable security measure. As it is an opt-in feature by the browsers, it can easily be bypassed by requesting with curl or Postman, or just by installing a browser extension that disables the policy client-side. I've seen many software engineers mistakenly saying "oh, we've secured our endpoints with CORS, no unauthorized request can happen" - which is not true. It may prevent the user from being tricked into insecure flows (as you explained), but it will not stop hackers from explicitly trying to make malicious requests.
Really clear article - gj!
I love when anything is explained visually. This is so well made! Thank you!
Those animations really make it easy to digest the topic.
I might have missed it above but important to note that Access-Control-Allow-Origin allows for a single origin value. Otherwise the server will need some middleware to return the header with the right origin value when more than one origin is allowed. developer.mozilla.org/en-US/docs/W...
Ohhh yes! I made the mistake once by padding an array instead haha. I'll update the post accordingly asap :)
Sorry if I'm missing something... But in your very first example:
And it goes through fine... How come this is not a cross origin request? It's a different domain and subdomain isn't it?
I believe that's a typo. Should both be mywebsite.com, otherwise it's a cross-origin request
You are correct. It's just an intro showing a request that works followed by one that fails. They seem similar, but are being affected by the same-origin policy.
api.website.com has to be returning Access-Control-Allow-Origin: https://www.mywebsite.com since the second example denies the request coming from anotherdomain.com. Either I don't understand the next couple of sentences explaining how to tell if a request is cross origin, or there is an error here, because it looks to me that both requests have been cross origin ;)
@pawel Kowalski
You are correct - either this is an error or maybe api.website.com allows the mywebsite.com origin!
Great article, thanks! This article explains it so beautifully that I can send to colleagues back-enders who have a glassy look full of incomprehension when i mention I need CORS in the frontend. (and that happens more often than you think ;-) )
Does CORS affect cURL or wget? Or, does enforcing CORS help?
Good question! By default, CORS is only enabled in user agents (e.g. a browser). So if I were to send the exact same request using cURL in say the terminal, this request wouldn't automatically contain the Origin header and CORS wouldn't be enabled.
If you want to test whether your server has CORS enabled, you can manually add the Origin header to the request. If the response contains the Access-Control-Allow-Origin header, you know it's working 😃
WOW! I'm amazed with the clear explanation. Also Lydia, could you tell me what software you are using for animations? I so want to work on that. :) Please!!
Very well done.
One thing I would suggest pointing out to people is the HTTP Method OPTIONS for the Preflight request, and what that means on the server.
The OPTIONS method gives us a great hook to run server-side code that is specific to these preflight requests.
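Three of the comments above describe one server-side concern from different angles: Access-Control-Allow-Origin carries a single value, so serving several origins needs middleware that echoes the matching one; the OPTIONS preflight is a hook for server code; and CORS is not an access control, so a client that never sends Origin (curl, Postman) must still be authenticated. The following Node-style handler is an added example, not code from the article or its author. The origin list, the API_TOKEN value and the function names corsHeaders and buildResponse are constructed for the example; request header names are assumed lowercased, as Node's http module delivers them.

```javascript
// Added example (not from the article): CORS allow-list, preflight handling
// and an authorisation check that does not depend on the Origin header.

// Constructed allow-list. www.mywebsite.com is the origin named in the
// comments; the staging origin is made up to show the multi-origin case.
const ALLOWED_ORIGINS = new Set([
  'https://www.mywebsite.com',
  'https://staging.mywebsite.com',
]);
const API_TOKEN = 'constructed-demo-token'; // constructed secret for the demo

// Access-Control-Allow-Origin takes exactly one origin (or "*"), never a
// comma-separated list. With several allowed origins we echo back the one
// that matched, and add Vary: Origin so shared caches keep the per-origin
// responses apart.
function corsHeaders(origin, { credentials = false } = {}) {
  const headers = {};
  if (origin && ALLOWED_ORIGINS.has(origin)) {
    headers['Access-Control-Allow-Origin'] = origin;
    headers['Vary'] = 'Origin';
    if (credentials) headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers; // empty object: browser will block the response
}

// Compute { status, headers, body } for one request. reqHeaders uses
// lowercase keys, matching what Node's http module hands a handler.
function buildResponse(method, reqHeaders) {
  const origin = reqHeaders['origin'];
  const headers = corsHeaders(origin);

  // Preflight: the browser sends OPTIONS with Access-Control-Request-Method
  // before a non-simple request. Answer it only for allowed origins; the
  // preflight carries no credentials, so no auth decision is made here.
  if (method === 'OPTIONS' && reqHeaders['access-control-request-method']) {
    if (!headers['Access-Control-Allow-Origin']) {
      return { status: 403, headers: {}, body: '' };
    }
    headers['Access-Control-Allow-Methods'] = 'GET, POST, DELETE';
    headers['Access-Control-Allow-Headers'] = 'Authorization, Content-Type';
    headers['Access-Control-Max-Age'] = '600'; // cache the preflight result
    return { status: 204, headers, body: '' };
  }

  // Actual request: authorisation is checked whether or not Origin is
  // present. Non-browser clients send no Origin at all, so CORS headers
  // must never be treated as the thing that protects the endpoint.
  if (reqHeaders['authorization'] !== `Bearer ${API_TOKEN}`) {
    return { status: 401, headers, body: 'unauthorized' };
  }
  return { status: 200, headers, body: JSON.stringify({ ok: true }) };
}
```

To wire this into a real server, call buildResponse(req.method, req.headers) inside http.createServer's callback and pass the result to res.writeHead(status, headers) and res.end(body). A request with no Origin and no token gets 401 from the same code path as a browser request would, which is the point the first comment makes: the CORS headers only decide what a browser exposes to a page, not who may call the API.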
I guess I fell in love with the CS Visualised series right now, can't wait to read many more! 🎉
When I read about the "Origin" which is set on the request I thought "why not spoof it", obviously immediately after that I thought "if that would work I'd be Hans Klok" (I don't know whether that translation of the Dutch phrase works in English) 😅
Very very easy to understand, thanks!!
I'm a beginner but I understand so much only because of the animated GIFs. Thanks is not enough for the effort and hard work. But I'm jobless. I will definitely show my gratitude when I get a job. Thank you so much Mam❤️
@lydiahallie thank your for this very comprehensive article! Your illustrations and animations make dealing with CORS fun! Small note: The link to "a small blog post" actually shows a page called "essayhawk"?!
Great article, thanks! Thank you so much for your post on CORS! It is a very clear and concise explanation of a topic that can be quite complex. I loved the way you used images and diagrams to illustrate the concepts. This made it very easy to understand, even for someone who doesn't have a strong understanding of web security. I also appreciated the fact that you provided code examples for each scenario. This helped me see how the concepts applied in practice.
Overall, I think this is a great resource for anyone who wants to learn about CORS.
Thanks again for your excellent work!
P.S. I also really enjoy your blog. Keep publishing such useful content!
I wanted to say first that I'm a big fan of your Visualized series! The amount of details and the quality of the animations is extraordinary.
Not-CORS-related question: what did you use for rendering the "SHORTCUTS" table? Is it plain HTML? It seems like the anchor for the "Credentials" section is not working.
Best articles with the best GIFs. More power to you Lydia.
Request : Can you write Blogs on Frontend Architecture.
Hi! This is an amazing post! I have to ask, how do you create these cool visualizations? Interested to try it out 😆
Is it possible/common that some server-side error could occur which would prevent the full response from being generated, so the Access-Control-Allow-Origin header is never returned on the response, resulting in the dreaded CORS error even if the origin IS allowed?
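The reply earlier in this thread suggests testing CORS by adding an Origin header to a non-browser request and looking for Access-Control-Allow-Origin in the response, and the question just above asks what happens when a server error means the header is never written. Both come down to the same check the browser performs on the response. The code below is an added example, not part of the article: corsVerdict reproduces that check, and SAMPLES holds constructed responses standing in for what a curl run with an Origin header would print, including a 500 whose handler crashed before any CORS middleware ran and the comma-separated list mentioned in the comments. Header names are lowercased as Node's http module returns them; the names corsVerdict, SAMPLES and evaluateSamples are made up for this example.

```javascript
// Added example (not from the article): the response-side check a browser
// applies to a cross-origin response, run over constructed sample responses.

const ORIGIN = 'https://www.mywebsite.com'; // origin used in the thread

// A browser exposes the response to the page only when
// Access-Control-Allow-Origin equals the request's Origin exactly, or is "*"
// on a request without credentials. The HTTP status plays no part: a 500
// that lacks the header is reported to the page as a CORS error as well.
function corsVerdict(origin, response, { credentials = false } = {}) {
  const allow = response.headers['access-control-allow-origin'];
  if (allow === undefined) {
    return { allowed: false, reason: `no Access-Control-Allow-Origin (status ${response.status})` };
  }
  if (allow === '*') {
    return credentials
      ? { allowed: false, reason: 'wildcard is not accepted for credentialed requests' }
      : { allowed: true, reason: 'wildcard' };
  }
  // Exact string comparison: a comma-separated list never matches.
  if (allow !== origin) {
    return { allowed: false, reason: `"${allow}" does not equal origin ${origin}` };
  }
  if (credentials && response.headers['access-control-allow-credentials'] !== 'true') {
    return { allowed: false, reason: 'credentialed request without Access-Control-Allow-Credentials: true' };
  }
  return { allowed: true, reason: 'origin matched' };
}

// Constructed responses (not captured from any real server), as a manual
// test with an added Origin header might show them.
const SAMPLES = {
  allowed: { status: 200, headers: { 'access-control-allow-origin': ORIGIN } },
  wildcard: { status: 200, headers: { 'access-control-allow-origin': '*' } },
  // Handler threw before the CORS middleware wrote its headers.
  serverError: { status: 500, headers: { 'content-type': 'text/html' } },
  // The "padded array" mistake: several origins joined into one header value.
  commaList: {
    status: 200,
    headers: { 'access-control-allow-origin': 'https://www.mywebsite.com, https://staging.mywebsite.com' },
  },
  otherOrigin: { status: 200, headers: { 'access-control-allow-origin': 'https://anotherdomain.com' } },
};

// Map each sample to whether a page on ORIGIN could read it.
function evaluateSamples(credentials = false) {
  const verdicts = {};
  for (const [name, response] of Object.entries(SAMPLES)) {
    verdicts[name] = corsVerdict(ORIGIN, response, { credentials }).allowed;
  }
  return verdicts;
}
```

Running evaluateSamples() shows that the serverError sample fails for the same reason as the commaList and otherOrigin samples: the header the browser is looking for is not there in a usable form. That is why an allowed origin can still see a CORS error when the backend crashes, and why the fix is on the server (write the header on error responses too, or run the CORS middleware first), not in the page.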
This is so nicely written. Thanks for this awesome article.
I stand by my words. "YOU'RE THE GWOAT". Thank you for this.
Really good explanation, you are a visual learner, aren't you? :D
Great article, you made what can be a tricky concept so clear!
I am always looking forward to reading your blogs.
They say there are two types of web developers: those that don't understand CORS and dirty, rotten liars. Thanks for proving there's a third option 😎
Great article.
Really nice one. I'm curious to know what tool you used to create the visualisation
How did you make those beautiful gifs? It is awesome. Great job!
Thank you for it. It is amazing, I have problems with CORS all the time, but now I have perfect tutorial)
Very nice work, I really enjoyed the visualisations !
Another great and clear explanation! Thanks for taking the time to put this together :)
👍
How do you create such apt animations?
Article was so neat and clean. Clever way of writing 👌
Your visual explanation is perfect for me to understand. Thank you @lydia.
Thank you! These gifs give my brain life!
Fantastic explanations👏
Amazing post. I didn’t realize you wrote this Lydia until I saw your pic at the end. Just saw your honeypot vid the other day. So awesome
Hi, can I translate your article into Chinese? I'll mark the top of the article with a link to your original article.😊
Thanks for the awesome visualization, but what I don't get is how it is possible that the value of CORS is set on the server. Shouldn't it be set on the client? Wouldn't that be more secure?
It is very very helpful, Thanks
Thank you lydia for your wonderful hardwork.
Thank you for the article. I have been in web dev for few years but didn't know about simple and preflighted requests.
Can we fake an "origin" header by manually adding it and access resources..?
Origin is actually a "forbidden header", you can't manually set it! 😊 We can't fake the Origin header that way. However, making the exact same request outside a browser (e.g. cURL) would give you access to the resources!
@lydiahallie What are the tool sets that you are utilizing to create these animations? I love the simplicity and effectiveness? Would love to see a video demo of you creating one of these :)
Great article and best illustration.
Awesome explanation
Beautifully explained as you are. 😍
I love the animated images :b
Thank Lydia,
Your pictures can tell all of the thing that we need!
Thank you for your great post!
Great job💯
Great article! May I know which tool you used to generate these animations?
I think your work is wonderful! Update point Python 😂
Thank you~
awesome stuff there for sure!
Very good explanation, I loved it
How to make those gifs?
You can use Screen2Gif :)
I always had trouble understanding why do preflight requests even exist. 😅
Thanks for taking the time to create those wonderful GIFs. Please keep up the good work.
Hi, thanks for this wonderful explanation. I do have a basic question that when you say same domain does it mean always on the same computer?
No it does not mean that
Great and clear post Lydia. 👍✌️
Check out httptoolkit.tech/will-it-cors/
A nice and quick way to check CORS issues.
Good article easy to follow those animations make it a joy to read thanks.
Can I translate this blog to Thai language?
Thanks
Neat explanation!, which tool do you use to create your .gif animations?
thank you
Good article. I like this type of article
This is great! Pure GOLD! :)
Thanks a lot for this super clear explanation!
Wow.. Easy read and understand the concepts
Great work! Thank you!
One of my favorite follows on the web. Thank you for all the hard work you put into the animated gifs! The visual aspect is HUGE for us visual learners
I want to thank you for this great article.
what did you use to make this gif images?
thanks
This is so well done!
What do you use to make your animations? After Effects?
Kudos to your efforts and the elegant concept flow in all your articles in this series. Keep up the good work and my heartfelt gratitude for making these concepts clear to everybody.