= CORS (cross origin resource sharing) =
=== https://www.tutorialspoint.com/spring_boot/spring_boot_cors_support.htm ===
Cross-Origin Resource Sharing (CORS) is a security concept that allows restricting the resources implemented in web browsers. It prevents the Javascript code producing or consuming the requests against different origin.

=== https://en.wikipedia.org/wiki/Cross-origin_resource_sharing ===
The CORS standard describes new HTTP headers which provide browsers a way to request remote URLs only when they have permission

=== https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin#Examples ===
Limiting the possible '''Access-Control-Allow-Origin''' values to a set of allowed origins requires code on the server side to check the value of the Origin request header, compare that to a list of allowed origins, and then if the Origin value is in the list, to set the '''Access-Control-Allow-Origin''' value to the same value as the Origin value

== Headers ==
 * https://en.wikipedia.org/wiki/Cross-origin_resource_sharing#Headers

Response headers
 * Access-Control-Allow-Origin
 * Access-Control-Allow-Credential

== PHP example ==

=== read.example.org/index.php ===
{{{#!highlight php
<?php
header("Content-type:application/json");
header("Cache-Control: no-cache");
header("Pragma: no-cache"); 
header("Access-Control-Allow-Origin: " . $_SERVER['HTTP_ORIGIN']  ); 
header("Access-Control-Allow-Credentials: true");
session_start();
$user = $_SESSION["user"];

echo("{\"key\":\"readData\" , \"user\": \"" . $user . "\" }");
?>
}}}

=== auth.example.org/index.php ===
{{{#!highlight php
<?php
header("Content-type:application/json");
header("Cache-Control: no-cache");
header("Pragma: no-cache"); 
header("Access-Control-Allow-Origin: " . $_SERVER['HTTP_ORIGIN']);
header("Access-Control-Allow-Credentials: true");

session_set_cookie_params(0, '/', '.example.org');
session_start(); 

$_SESSION["user"] = "userx " .  time();

echo("{\"key\":\"authData\"}");
?>

}}}

===  app.example.org/index.html ===
{{{#!highlight html
<html>
<head>
<script type="text/javascript" src="https://code.jquery.com/jquery-2.2.4.min.js"></script>

<script>
$(document).ready(function(){
  console.log('Iooo');

  $.ajax({
  url: "http://auth.example.org/",
  xhrFields: { withCredentials: true  },
  success:  function(data, textStatus,jqXHR ){ $("#auth").text(data.key); },
  error: function( jqXHR, textStatus, errorThrown ){console.log(textStatus);}
  });

  $.ajax({
  url: "http://read.example.org/",
  xhrFields: {withCredentials: true},
  success: function(data,textStatus,jqXHR){ $("#read").text(data.key + ' ' + data.user  ); },
  error: function( jqXHR, textStatus, errorThrown ){console.log(textStatus);}
  });

});

</script>
</head>
<body>
<p id="auth"></p>
<p id="read"></p>
</body>
</html>
}}}

=== Apache vhosts configuration ===
{{{
<VirtualHost *:80>
    ServerName app.example.org
    DocumentRoot "/var/www/htdocs/app.example.org"
    <Directory "/var/www/htdocs/app.example.org">
      Require local
      AllowOverride All
    </Directory>
</VirtualHost>

<VirtualHost *:80>
    ServerName auth.example.org       
    DocumentRoot "/var/www/htdocs/auth.example.org"
    <Directory "/var/www/htdocs/auth.example.org">
      Require local
      AllowOverride All
    </Directory>
</VirtualHost>

<VirtualHost *:80>
    ServerName read.example.org       
    DocumentRoot "/var/www/htdocs/read.example.org"
    <Directory "/var/www/htdocs/read.example.org">
      Require local
      AllowOverride All
    </Directory>
</VirtualHost>
}}}

== Spring pointers ==
 * https://spring.io/guides/gs/rest-service-cors/
 * https://www.baeldung.com/spring-cors
Just adding the annotation @CrossOrigin on an endpoint makes it accept all origins,


== Firefox browser tests ==

The URL in the tab where the test is made must be different than the URL called in window.fetch().

=== No CORS support on server side ===
{{{#!highlight javascript
window.fetch('http://localhost:8080/').then( (response)=>{ 
  response.text().then( (data)=>{ console.log(data); } );
});
}}}

Outputs something like
{{{
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://localhost:8080/. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing). Status code: 200.
Uncaught (in promise) TypeError: NetworkError when attempting to fetch resource. 
}}}

=== CORS support on server side ===
Returns header '''Access-Control-Allow-Origin: *'''

{{{#!highlight javascript
window.fetch('http://localhost:8080/').then( (response)=>{ 
  response.text().then( (data)=>{ console.log(data); } );
});
}}}

Outputs something like
{{{
Hello world
}}}