Information Security

Cross-Origin Resource Sharing (CORS) and Same-Origin Policy Explained

Cross-Origin Resource Sharing (CORS) extends the Same-Origin Policy by permitting controlled cross‑origin requests through simple and preflight flows, using specific headers and credential rules, thereby balancing web security against threats like XSS, CSRF, and injection attacks while enabling safe resource sharing.

Java Tech Enthusiast

This article provides a comprehensive explanation of Cross-Origin Resource Sharing (CORS) and the Same-Origin Policy, two fundamental concepts in web security. It begins by introducing the Same-Origin Policy as a core security strategy that restricts how documents or scripts from one origin can interact with resources from another origin.

The article explains what constitutes the same origin - matching protocol, host, and port - and provides examples comparing different URLs. It then details the three main aspects of the Same-Origin Policy: DOM access restrictions, web data limitations, and network communication restrictions.

The text covers various security threats that the Same-Origin Policy helps prevent, including XSS attacks, SQL injection, OS command injection, HTTP header injection, and CSRF attacks. It emphasizes how these restrictions protect user privacy and data security.

The article then transitions to CORS, explaining it as a mechanism that allows controlled cross-origin resource sharing. It clarifies the distinction between the browser's own restrictions and CORS-based interception of responses, and introduces the related concept of CORB (Cross-Origin Read Blocking), which prevents malicious code from reading cross-origin data.

Detailed explanations of simple requests versus preflight requests are provided, including the specific conditions that define a simple request (permitted HTTP methods, headers, and other constraints). The article includes practical examples showing how a preflight request works with the OPTIONS method and the CORS headers involved, such as Access-Control-Request-Method, Access-Control-Request-Headers, Access-Control-Allow-Origin, and Access-Control-Max-Age.

Special attention is given to credentialed requests and the restrictions around using wildcard (*) values for security-sensitive headers. The article concludes with a summary of the complete request flow and the importance of these mechanisms in preventing cross-origin security risks.
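The following is an added example, not code from the article or its author: a small server-side policy function that applies the rules summarised above (simple-request classification, preflight responses, and the no-wildcard rule for credentialed requests). The allowlist, `corsHeaders()` and `isSimpleRequest()` are constructed for this example, not a library API.

```javascript
// Added example (not code from the article): a server-side CORS policy
// function that applies the rules summarised above. ALLOWED_ORIGINS,
// corsHeaders() and isSimpleRequest() are names invented for this example.

const ALLOWED_ORIGINS = new Set(["https://app.example", "https://admin.example"]); // constructed
const ALLOW_CREDENTIALS = true; // cookies/Authorization may be sent, so "*" must never be used

const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFE_CONTENT_TYPES = new Set(["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);

// A "simple" request is sent without a preflight: safelisted method, only
// safelisted headers, and a Content-Type (if any) from the three permitted types.
function isSimpleRequest(method, headers) {
  if (!SAFE_METHODS.has(method.toUpperCase())) return false;
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!SAFE_HEADERS.has(lower)) return false;
    const mediaType = String(value).split(";")[0].trim().toLowerCase();
    if (lower === "content-type" && !SAFE_CONTENT_TYPES.has(mediaType)) return false;
  }
  return true;
}

// Response headers for a request carrying `origin`. For an OPTIONS preflight,
// `preflight` holds the Access-Control-Request-Method/-Headers values; else null.
function corsHeaders(origin, preflight) {
  // Origin not on the allowlist: emit no CORS headers and the browser blocks the read.
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return {};
  const out = {
    // Echo the specific origin: with credentials the browser rejects "*" outright.
    "Access-Control-Allow-Origin": origin,
    "Vary": "Origin", // the response depends on Origin, so caches must key on it
  };
  if (ALLOW_CREDENTIALS) out["Access-Control-Allow-Credentials"] = "true";
  if (preflight) {
    out["Access-Control-Allow-Methods"] = "GET, POST, PUT, DELETE";
    // List the requested headers explicitly; "*" is not honoured for credentialed requests.
    out["Access-Control-Allow-Headers"] = preflight.requestHeaders || "";
    out["Access-Control-Max-Age"] = "600"; // browser may cache this preflight result for 10 min
  }
  return out;
}
```

A request from an origin not in the allowlist gets no CORS headers at all, which is the safe default: the server still answers, but the browser withholds the response from the calling script.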
