Access-Control-Allow-Origin icon indicating copy to clipboard operation
Access-Control-Allow-Origin copied to clipboard

Published 20 hours ago verified publisher icon vitvad

explanation

Open stern0m1 opened this issue 7 years ago • 4 comments

If someone could explain me how this works I would appreciate it. Thanks

stern0m1 avatar Nov 02 '17 05:11 stern0m1

Read this first https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS

Then small addition from me:

We have [CLIENT] <---> [BROWSER] <---> [SERVER]

Example: We want to request data from CLIENT (http://mysupersite.com) with AJAX on SERVER (http://thirdparty-api.com/hack-the-bank/)

How it was and how it is now:

  1. XMLHttpRequest v1 - we can't do this with ajax
  2. XMLHttpRequest v2 - we can do this if server has header (Access-Control-Allow-Origin: http://mysupersite.com ) and client will send header (Origin: http://mysupersite.com) 2.1) When user send ajax request browser always add automatically Origin: header with client host

Browser and server perform checks if client can request data:

  • server could check that request come with header Origin and if this header contain allowed site could respond with data
  • browser check that server respond has header Access-Control-Allow-Origin: http://mysupersite.com and allow client to send process request.

to make CORS request client actually do 2 requests:

  1. Preflighted request https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#Preflighted_requests which ask server if I can request data from it at all, and what METHOD server support. see also https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/OPTIONS#Preflighted_requests_in_CORS

NOTE: if Preflighted request respond with: Access-Control-Allow-Origin: http://mysupersite.com then browser allow to send real request from that address to get data from (SERVER)

  1. real request will have header Origin:

So I just intercept requests and response to modify them in extension.

For example we want to get data from server http://server.com on client http://cheater.com, but server allow requests only from http://goodboy.com. When user will send ajax request from cheater.com browser will add automatically Origin: http://cheater.com

In extension I intercept:

  • preflight request and respond with Access-Control-Allow-Origin: http://cheater.com to fool browser
  • real request and rewrite Origin: http://cheater.com to Origin: http://goodboy.com to fool server

PS. server could have additional checks - in this case you will not get response from server

something like this... if I remember it correctly :)

vitvad avatar Nov 02 '17 19:11 vitvad

Thanks

From: Vitaly P. [email protected] Sent: Thursday, November 2, 2017 3:55:29 PM To: vitvad/Access-Control-Allow-Origin Cc: BHirsch; Author Subject: Re: [vitvad/Access-Control-Allow-Origin] explanation (#47)

Read this first https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS

Then small addition from me:

We have [CLIENT] <---> [BROWSER] <---> [SERVER]

Example: We want to request data from CLIENT (http://mysupersite.com) with AJAX on SERVER (http://thirdparty-api.com/hack-the-bank/)

How it was and how it is now:

  1. XMLHttpRequest v1 - we can't do this with ajax
  2. XMLHttpRequest v2 - we can do this if server has header (Access-Control-Allow-Origin: http://mysupersite.com) and client will send header (Origin: http://mysupersite.com) 2.1) When user send ajax request browser always add automatically Origin: header with client url

all checks if I can send request performed in browser and on server

  • server could check that request come with header Origin and if this header contain allowed site could respond with data
  • browser check that server respond has header Access-Control-Allow-Origin: http://mysupersite.com and allow client to send process request.

to make CORS request client actually do 2 requests:

  1. Preflighted request https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#Preflighted_requests which ask server if I can request data from it at all, and what METHOD server support. see also https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/OPTIONS#Preflighted_requests_in_CORS

NOTE: if Preflighted request respond with: Access-Control-Allow-Origin: http://mysupersite.com then browser allow to send real request from that address to get data from (SERVER)

  1. real request will have header Origin:

So I just intercept requests and response to modify them.

For example we want to get data from server http://server.com on client http://cheater.com, but server allow requests only from http://goodboy.com. When user will send ajax request from cheater.com browser will add automatically Origin: http://cheater.com

In extension I intercept:

  • preflight request and respond with Access-Control-Allow-Origin: http://cheater.com to fool browser
  • real request and rewrite Origin: http://cheater.com to Origin: http://goodboy.com to fool server

PS. server could have additional checks - in this case you will not get response from server

something like this... if I remember it correctly :)

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHubhttps://github.com/vitvad/Access-Control-Allow-Origin/issues/47#issuecomment-341539239, or mute the threadhttps://github.com/notifications/unsubscribe-auth/ARLap57s2s9kU6eu83PmX0Kp0qi_9OMwks5syh4wgaJpZM4QPLvh.

stern0m1 avatar Nov 03 '17 06:11 stern0m1

thanks

yancongwen avatar Jul 05 '18 06:07 yancongwen

Could you please copy the answer to Readme.md ?

MNF avatar Jan 31 '19 21:01 MNF