Chapter 1. The Core of CORS


This chapter covers

  • Which issues CORS solves
  • How a CORS request works
  • The benefits of CORS

Suppose you’re building a web mashup to load photos from the New York Public Library’s (NYPL) Flickr page and display them on your own page. What would the code look like? You could start with an HTML page to display the photos, add JavaScript code to load the photos from the Flickr page, and display them on the page. Pretty straightforward, right?

But if you were to run this code in the browser, it wouldn’t work because the browser’s same-origin policy limits client code from making HTTP requests to different origins. This means that a web page running from your desktop or web server can’t make an HTTP request to

Cross-Origin Resource Sharing, or CORS, was built to help solve this issue. Before CORS, developers would need to go to great lengths to access APIs from JavaScript clients in the browser. CORS enables cross-origin requests in a safe, standard manner. From a client’s perspective, CORS is awesome because it opens up a new world of APIs that previously wasn’t available to browser JavaScript. From a server’s perspective, CORS is awesome because it allows the server to open up its APIs to a new world of users.

This chapter gives an overview of what CORS is and how it’s used. It begins by reviewing CORS’s features and benefits. It then walks through the code to make a CORS request.

1.1. What is CORS?

1.2. CORS by example

1.3. Benefits of CORS

1.4. Summary