Cross-Origin Resource Sharing (CORS)
The browser’s same-origin policy blocks reading a resource from a different origin. This mechanism stops a malicious site from reading another site’s data. The same-origin policy tells the browser to block cross-origin requests. When you want to get a public resource from a different origin, the resource-providing server needs to tell the browser “This origin where the request is coming from can access my resource”. The browser remembers that and allows cross-origin resource sharing.
In angular when front end request origin is different the browser stops processing response from the server.
Request has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
Same-Origin Policy
- The same-origin policy fights one of the most common cyber-attacks out there: cross-site request forgery.
- If you have logged into FB your info would be stored in Cookie and would be tagged along when the request is made every time
- Every time you re-visit the FB tab and click around the app, you don’t have to sign in again. Instead, the API will recognize the stored session cookie upon further HTTP requests.
The only trouble is that the browser automatically includes any relevant cookies stored for a domain when another request is made to that exact domain. - Say you clicked on a particularly trick popup ad, opening evil-site.com.The evil site also has the ability to send a request to FB.com/api. Since the request is going to the FB.com domain, the browser includes the relevant cookies. Evil-site sends the session cookie, and gains authenticated access to FB. Your account has been successfully hacked with a cross-site request forgery attack.
- At this point, browser will step in and prevent the malicious code from making an API request like this. It will stop evil-site and say “Blocked by the same-origin policy.
How Browser works underhood?
- The browser checks for the request origins of the web application and the Server origins response match
- The origin is the combination of the protocol, host, and port.
For example, in https://www.FB.com, the protocol is https://, the host is www.FB.com, and the hidden port number is 5400 (the port number typically used for https).
- To conduct the same-origin check, the browser accompanies all requests with a special request header
that sends the domain information to receiving server - For example, for an app running on localhost:3000, the special request format looks like this:
Origin: http://localhost:3000
Reacting to this special request, the server sends back a response header. This header contains an Access-Control-Allow-Origin key,
to specify which origins can access the server’s resources. The key will have one of two values:One: the server can be really strict, and specify that only one origin can access it:
Access-Control-Allow-Origin: http://localhost:3000Two: the server can let the gates go wide open, and specify the wildcard value to allow all domains to access its resources:
Access-Control-Allow-Origin: * - Once the browser receives this header information back, it compares the frontend domain with the Access-Control-Allow-Origin
value from the server. If the frontend domain does not match the value, the browser raises the red flag and blocks the API
request with the CORS policy error.
The above solution works for development. How about in production.
To address such issues, the proxy is used between client and server.
Request from Client -> Proxy Server -> Server Respose from Server -> Proxy Server(appends origin) -> Client
Now what the proxy does is it appends the s Access-Control-Allow-Origin: * in the header before the response is sent to the client browser