CORS (cross origin resource sharing)
Cross-Origin Resource Sharing (CORS) is a browser security mechanism that controls how JavaScript may use resources from an origin other than the page's own. Under the same-origin policy the browser does not let JavaScript read the response to a request sent to a different origin; CORS lets the server relax that restriction selectively.
The CORS standard defines HTTP headers with which a server tells the browser which origins may read its responses; the browser exposes a cross-origin response to the page only when those headers grant permission.
Headers
Reference: https://en.wikipedia.org/wiki/Cross-origin_resource_sharing#Headers
Response headers
- Access-Control-Allow-Origin: the single origin (scheme, host and port) allowed to read the response, or * for any origin
- Access-Control-Allow-Credentials: set to true to let the browser expose the response to a request that carried cookies or HTTP authentication (withCredentials); browsers reject this in combination with Access-Control-Allow-Origin: *
PHP example
read.example.org/index.php
<?php
header("Content-Type: application/json");
header("Cache-Control: no-cache");
header("Pragma: no-cache");
// Reflects whatever Origin the browser sent, so every origin is accepted,
// and allows the request to carry the session cookie.
header("Access-Control-Allow-Origin: " . ($_SERVER['HTTP_ORIGIN'] ?? ''));
header("Access-Control-Allow-Credentials: true");
// Reads the session cookie that auth.example.org set for the .example.org domain.
session_start();
$user = $_SESSION["user"] ?? "";

echo("{\"key\":\"readData\" , \"user\": \"" . $user . "\" }");
?>
auth.example.org/index.php
<?php
header("Content-Type: application/json");
header("Cache-Control: no-cache");
header("Pragma: no-cache");
// Reflects whatever Origin the browser sent, so every origin is accepted.
header("Access-Control-Allow-Origin: " . ($_SERVER['HTTP_ORIGIN'] ?? ''));
header("Access-Control-Allow-Credentials: true");

// Session cookie scoped to .example.org so that read.example.org receives it too.
session_set_cookie_params(0, '/', '.example.org');
session_start();

$_SESSION["user"] = "userx " . time();

echo("{\"key\":\"authData\"}");
?>
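Both PHP files above reflect the caller's Origin header, and together with Access-Control-Allow-Credentials: true that means any origin a logged-in user visits can read the authenticated JSON. The following is an added example, not code from the original page, showing read.example.org/index.php rewritten with an explicit origin allow-list; the listed origins and PHP 7.1 or later are assumptions.

```php
<?php
// Added example, not part of the original page: the read.example.org
// endpoint with an exact-match origin allow-list instead of reflecting
// $_SERVER['HTTP_ORIGIN']. Only the origins below (assumed values) may
// read the authenticated response.
$allowedOrigins = [
    'http://app.example.org',
    'https://app.example.org',
];

// Exact, case-sensitive comparison of the full origin (scheme://host[:port]).
// No prefix, suffix or regex matching, so a lookalike such as
// "http://app.example.org.example.net" and the literal "null" origin are rejected.
function corsOriginAllowed(?string $origin, array $allowed): bool
{
    return $origin !== null && in_array($origin, $allowed, true);
}

$origin = $_SERVER['HTTP_ORIGIN'] ?? null;

header("Content-Type: application/json");
header("Cache-Control: no-cache");
header("Pragma: no-cache");
// The response differs per Origin, so shared caches must key on it.
header("Vary: Origin");

if (corsOriginAllowed($origin, $allowedOrigins)) {
    header("Access-Control-Allow-Origin: " . $origin);
    header("Access-Control-Allow-Credentials: true");
}
// Otherwise no Access-Control-Allow-* headers are sent: a browser then refuses
// to expose the response to the cross-origin page. Same-origin requests (no
// Origin header) are unaffected, and CORS never restricts non-browser clients.

session_set_cookie_params(0, '/', '.example.org');
session_start();
$user = $_SESSION["user"] ?? "";

echo json_encode(["key" => "readData", "user" => $user]);
```

Note that CORS only governs what the browser lets the page read; the session cookie is still sent, so this check protects data exposure, not the request itself.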
app.example.org/index.html
<html>
<head>
<script type="text/javascript" src="https://code.jquery.com/jquery-2.2.4.min.js"></script>

<script>
$(document).ready(function(){
  console.log('Iooo');

  // withCredentials makes the browser send the .example.org session cookie with
  // the cross-origin request; the server must answer with
  // Access-Control-Allow-Credentials: true for the response to be readable.
  $.ajax({
    url: "http://auth.example.org/",
    xhrFields: { withCredentials: true },
    success: function(data, textStatus, jqXHR){
      $("#auth").text(data.key);

      // Issued only after the session exists; sending both requests at once
      // races and "user" may still be empty in the read response.
      $.ajax({
        url: "http://read.example.org/",
        xhrFields: { withCredentials: true },
        success: function(data, textStatus, jqXHR){ $("#read").text(data.key + ' ' + data.user); },
        error: function(jqXHR, textStatus, errorThrown){ console.log(textStatus); }
      });
    },
    error: function(jqXHR, textStatus, errorThrown){ console.log(textStatus); }
  });
});
</script>
</head>
<body>
<p id="auth"></p>
<p id="read"></p>
</body>
</html>
Apache vhosts configuration
<VirtualHost *:80>
ServerName app.example.org
DocumentRoot "/var/www/htdocs/app.example.org"
<Directory "/var/www/htdocs/app.example.org">
Require local
AllowOverride All
</Directory>
</VirtualHost>
<VirtualHost *:80>
ServerName auth.example.org
DocumentRoot "/var/www/htdocs/auth.example.org"
<Directory "/var/www/htdocs/auth.example.org">
Require local
AllowOverride All
</Directory>
</VirtualHost>
<VirtualHost *:80>
ServerName read.example.org
DocumentRoot "/var/www/htdocs/read.example.org"
<Directory "/var/www/htdocs/read.example.org">
Require local
AllowOverride All
</Directory>
</VirtualHost>