= CORS (cross origin resource sharing) =

=== https://www.tutorialspoint.com/spring_boot/spring_boot_cors_support.htm ===
Cross-Origin Resource Sharing (CORS) is a security concept that allows restricting the resources implemented in web browsers. It prevents the JavaScript code producing or consuming the requests against a different origin.

=== https://en.wikipedia.org/wiki/Cross-origin_resource_sharing ===
The CORS standard describes new HTTP headers which provide browsers a way to request remote URLs only when they have permission.

=== https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin#Examples ===
Limiting the possible '''Access-Control-Allow-Origin''' values to a set of allowed origins requires code on the server side to check the value of the Origin request header, compare that to a list of allowed origins, and then if the Origin value is in the list, to set the '''Access-Control-Allow-Origin''' value to the same value as the Origin value.

== Headers ==
 * https://en.wikipedia.org/wiki/Cross-origin_resource_sharing#Headers

Response headers:
 * Access-Control-Allow-Origin
 * Access-Control-Allow-Credentials

== PHP example ==

Three vhosts on one domain: auth.example.org creates the session, read.example.org reads it, and the page on app.example.org calls both with credentials. The session cookie is scoped to .example.org so both back ends see it. Note that both PHP scripts reflect the request's Origin header unchecked into '''Access-Control-Allow-Origin''' while also sending '''Access-Control-Allow-Credentials: true'''; the MDN note above describes the allow-list check that a production service needs instead.

=== read.example.org/index.php ===
{{{#!highlight php
<?php
header("Content-Type: application/json");
header("Cache-Control: no-cache");
header("Pragma: no-cache");
// Reflects whatever Origin the browser sent, together with credentials
// (demonstration only; see the allow-list check quoted from MDN above).
header("Access-Control-Allow-Origin: " . ($_SERVER['HTTP_ORIGIN'] ?? ''));
header("Access-Control-Allow-Credentials: true");
// Same cookie scope as auth.example.org, so both hosts share the session.
session_set_cookie_params(0, '/', '.example.org');
session_start();
$user = $_SESSION["user"] ?? "";   // empty until auth.example.org has been called
echo json_encode(array("key" => "readData", "user" => $user));
}}}

=== auth.example.org/index.php ===
{{{#!highlight php
<?php
header("Content-Type: application/json");
header("Cache-Control: no-cache");
header("Pragma: no-cache");
// Reflects the Origin header unchecked, as in read.example.org.
header("Access-Control-Allow-Origin: " . ($_SERVER['HTTP_ORIGIN'] ?? ''));
header("Access-Control-Allow-Credentials: true");
// Cookie domain .example.org makes the session visible to read.example.org too.
session_set_cookie_params(0, '/', '.example.org');
session_start();
$_SESSION["user"] = "userx " . time();
echo json_encode(array("key" => "authData"));
}}}

=== app.example.org/index.html ===
{{{#!highlight html
<html>
<head>
<script type="text/javascript" src="https://code.jquery.com/jquery-2.2.4.min.js"></script>
<script>
$(document).ready(function(){
    console.log('Iooo');
    // withCredentials makes the browser send the .example.org session cookie;
    // the server must answer with Access-Control-Allow-Credentials: true and a
    // non-wildcard Access-Control-Allow-Origin, otherwise the browser blocks
    // the response.
    $.ajax({
        url: "http://auth.example.org/",
        xhrFields: { withCredentials: true },
        success: function(data, textStatus, jqXHR){
            $("#auth").text(data.key);
            // Read only after the session exists; issuing both requests at
            // once races and "user" comes back empty.
            $.ajax({
                url: "http://read.example.org/",
                xhrFields: { withCredentials: true },
                success: function(data, textStatus, jqXHR){
                    $("#read").text(data.key + ' ' + data.user);
                },
                error: function(jqXHR, textStatus, errorThrown){ console.log(textStatus); }
            });
        },
        error: function(jqXHR, textStatus, errorThrown){ console.log(textStatus); }
    });
});
</script>
</head>
<body>
<p id="auth"></p>
<p id="read"></p>
</body>
</html>
}}}

=== Apache vhosts configuration ===
{{{
<VirtualHost *:80>
    ServerName app.example.org
    DocumentRoot "/var/www/htdocs/app.example.org"
    <Directory "/var/www/htdocs/app.example.org">
        Require local
        AllowOverride All
    </Directory>
</VirtualHost>

<VirtualHost *:80>
    ServerName auth.example.org
    DocumentRoot "/var/www/htdocs/auth.example.org"
    <Directory "/var/www/htdocs/auth.example.org">
        Require local
        AllowOverride All
    </Directory>
</VirtualHost>

<VirtualHost *:80>
    ServerName read.example.org
    DocumentRoot "/var/www/htdocs/read.example.org"
    <Directory "/var/www/htdocs/read.example.org">
        Require local
        AllowOverride All
    </Directory>
</VirtualHost>
}}}
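=== Allow-list variant of read.example.org/index.php ===
The allow-list check quoted from MDN above, applied to the read script, as an added example that is not part of the original page: the `$allowedOrigins` list is an assumption standing in for the real set of front-end origins, and PHP 7 or newer is assumed for `??`.

```php
<?php
// Allow-list check for Access-Control-Allow-Origin, as described in the MDN
// note above. The origins below are constructed for this example.
$allowedOrigins = array(
    "http://app.example.org",
    "https://app.example.org",
);

// Returns the CORS response headers to send for this request, or an empty
// array when the Origin header is absent or not on the list.
function corsHeadersFor($origin, array $allowed)
{
    // Exact, case-sensitive string comparison. A suffix test such as
    // /example\.org$/ or a prefix test on "http://app.example.org" would
    // also accept unrelated hosts that merely contain that text.
    if ($origin === null || !in_array($origin, $allowed, true)) {
        return array();
    }
    return array(
        "Access-Control-Allow-Origin: " . $origin,
        "Access-Control-Allow-Credentials: true",
        // The answer depends on the request's Origin, so caches must key on
        // it; otherwise one origin's response could be served to another.
        "Vary: Origin",
    );
}

$origin = isset($_SERVER['HTTP_ORIGIN']) ? $_SERVER['HTTP_ORIGIN'] : null;
foreach (corsHeadersFor($origin, $allowedOrigins) as $h) {
    header($h);
}
// Without the headers above the request still reaches this script; CORS only
// decides whether the browser lets the calling page read the response.
header("Content-Type: application/json");
header("Cache-Control: no-cache");
session_set_cookie_params(0, '/', '.example.org');
session_start();
echo json_encode(array("key" => "readData", "user" => $_SESSION["user"] ?? ""));
```

With this in place the app.example.org page keeps working unchanged, while a page on any origin not in the list gets no Access-Control-Allow-Origin header and its credentialed request is blocked by the browser.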