explanation about access-control-allow-origin HOT 4 OPEN

________________________________ From: Vitaly P. <[email protected]> Sent: Thursday, November 2, 2017 3:55:29 PM To: vitvad/Access-Control-Allow-Origin Cc: BHirsch; Author Subject: Re: [vitvad/Access-Control-Allow-Origin] explanation (#47) Read this first https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS Then small addition from me: We have [CLIENT] <---> [BROWSER] <---> [SERVER] Example: We want to request data from CLIENT (http://mysupersite.com) with AJAX on SERVER (http://thirdparty-api.com/hack-the-bank/) How it was and how it is now: 1. XMLHttpRequest v1 - we can't do this with ajax 2. XMLHttpRequest v2 - we can do this if server has header (Access-Control-Allow-Origin: http://mysupersite.com) and client will send header (Origin: http://mysupersite.com) 2.1) When user send ajax request browser always add automatically Origin: header with client url all checks if I can send request performed in browser and on server * server could check that request come with header Origin and if this header contain allowed site could respond with data * browser check that server respond has header Access-Control-Allow-Origin: http://mysupersite.com and allow client to send process request. to make CORS request client actually do 2 requests: 1. Preflighted request https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#Preflighted_requests which ask server if I can request data from it at all, and what METHOD server support. see also https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/OPTIONS#Preflighted_requests_in_CORS NOTE: if Preflighted request respond with: Access-Control-Allow-Origin: http://mysupersite.com then browser allow to send real request from that address to get data from (SERVER) 1. real request will have header Origin: So I just intercept requests and response to modify them. For example we want to get data from server http://server.com on client http://cheater.com, but server allow requests only from http://goodboy.com. When user will send ajax request from cheater.com browser will add automatically Origin: http://cheater.com In extension I intercept: * preflight request and respond with Access-Control-Allow-Origin: http://cheater.com to fool browser * real request and rewrite Origin: http://cheater.com to Origin: http://goodboy.com to fool server PS. server could have additional checks - in this case you will not get response from server something like this... if I remember it correctly :) — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub<#47 (comment)>, or mute the thread<https://github.com/notifications/unsubscribe-auth/ARLap57s2s9kU6eu83PmX0Kp0qi_9OMwks5syh4wgaJpZM4QPLvh>.