This little app is meant to demo and explain CORS (the responsibilities of the client as well as the server side in a CORS setup).

The setup is comprised of one application deployed two times to simulate different origins. The service listening on `http://localhost:8080` represents the server, while `http://localhost:8081` acts as the client which wants to access resources of the foreign server origin.

To start everything up you just have to execute the `buildAndRun.sh` script, which compiles the app, builds the docker image and starts up two container instances named `cors-server` and `cors-client` respectively.
Prerequisites:
- Maven (v3.x) / Java (v8)
- Docker
After both instances are up and running, head over to `http://localhost:8081/cors` where you can issue AJAX requests to the other origin. With the pre-defined values you shouldn't have issues when fetching a resource from the other (here `http://localhost:8080`) origin. As a quick recap, the IMHO most important CORS headers are:

- `Access-Control-Allow-Origin`: can only be set to one specific origin which is allowed to fetch from this server. It can also be set to the wildcard `'*'`, but this value is mutually exclusive with the `"include"` credentials mode (which makes it useless when dealing with auth cookies/headers).
- `Access-Control-Allow-Credentials`: when a request's credentials mode (`Request.credentials`) is `"include"`, browsers will only expose the response to frontend JavaScript code if the `Access-Control-Allow-Credentials` value is `true` (see here for more details).
- `Access-Control-Allow-Methods`: all allowed methods which can be used in the actual fetch call.
- `Access-Control-Allow-Headers`: used in response to a preflight request to indicate which HTTP headers can be used when making the actual request. Also allows the wildcard `'*'`, but again this doesn't work with auth cookies/headers etc.

Additionally, there's also a logging filter which prints out the request's cookies (just to verify that the browser respects the `withCredentials` flag).
Notice: When does all this apply? Whenever you access (e.g. via AJAX) resources of a different origin, that is, whenever the destination differs in either the protocol, the domain (and that also includes sub-domains) or the port. So, for example:

- from `http://schoeffm.org` to `https://schoeffm.org`: you need CORS ('cause the protocol differs)
- from `https://schoeffm.org` to `https://catalog.schoeffm.org`: you need CORS ('cause the domain differs)
- from `https://schoeffm.org` to `https://schoeffm.org:8443`: you need CORS ('cause the port differs)
- from `https://schoeffm.org/customer` to `https://schoeffm.org/catalog`: you don't need CORS (only the path differs)
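As an added example (not part of the demo app), the two rules above in code: the origin comparison (protocol, host, port) that decides whether CORS applies at all, and a server-side header policy that never pairs the `'*'` wildcard with credentials. The allow-list and option names are assumptions made for this example, not something the app defines.

```javascript
// Origin of a URL: scheme + host + port. The WHATWG URL parser drops default
// ports ("https://a:443" -> host "a"), so equal strings mean equal origins.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// CORS is needed exactly when the two origins differ; the path never matters.
function needsCors(from, to) {
  return originOf(from) !== originOf(to);
}

// Response headers for a request carrying an Origin header (hypothetical server-side helper).
//   allowed:          allow-list of origins, or ['*'] for "any origin"
//   withCredentials:  endpoint is used with cookies / Authorization headers
//   methods, headers: what the preflight response approves
// Returns null when the origin is not allowed (no CORS headers -> the browser blocks the response).
function corsHeaders(requestOrigin, allowed, { withCredentials = false, methods = ['GET'], headers = [] } = {}) {
  const anyOrigin = allowed.includes('*');
  if (withCredentials && (anyOrigin || headers.includes('*'))) {
    // Browsers reject '*' together with credentials, and echoing arbitrary origins
    // in credentialed responses would remove the protection CORS is meant to give.
    throw new Error('wildcard origin/headers cannot be combined with credentials');
  }
  if (!anyOrigin && !allowed.includes(requestOrigin)) return null;
  const h = {
    // Either a single specific origin or '*' (only valid without credentials).
    'Access-Control-Allow-Origin': anyOrigin ? '*' : requestOrigin,
    'Access-Control-Allow-Methods': methods.join(', '),
  };
  if (!anyOrigin) h['Vary'] = 'Origin'; // the response now depends on the request's Origin
  if (withCredentials) h['Access-Control-Allow-Credentials'] = 'true';
  if (headers.length) h['Access-Control-Allow-Headers'] = headers.join(', ');
  return h;
}
```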