Cross-Origin Resource Sharing

Cross-Origin Resource Sharing, or CORS, defines a way to enable client-side cross-origin requests. So, if this API is used on then a resource on could opt in to this (e.g. by specifying Access-Control-Allow-Origin: as a response header).

The problem it aims to solve is that AJAX calls that use XMLHttpRequest to make cross-domain requests (e.g. Site A wants to access a script on Site B) are forbidden by web browsers (see Same-origin policy).
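As an added example (not code from the original post), the sketch below models both halves of the opt-in described above: the server choosing an Access-Control-Allow-Origin value from an allowlist, and a simplified version of the check the browser then applies. The origins, the allowlist and all function names are made up for illustration, and the credentials handling goes slightly beyond what the text covers.

```javascript
// Added illustration; origins and function names are constructed placeholders.
const ALLOWED_ORIGINS = new Set(["https://app.example", "https://admin.example"]);

// An origin is scheme + host + port; the path plays no part.
const originOf = (url) => new URL(url).origin;

// Server side: build the CORS response headers for a request's Origin header.
function corsHeaders(requestOrigin, allowed = ALLOWED_ORIGINS) {
  const headers = { Vary: "Origin" }; // response differs per Origin, so caches must key on it
  if (typeof requestOrigin === "string" && allowed.has(requestOrigin)) {
    // Echo only an exact allowlist match, never the raw header unconditionally.
    headers["Access-Control-Allow-Origin"] = requestOrigin;
  }
  return headers;
}

// Browser side, simplified: may a script on pageUrl read a response from resourceUrl?
function browserAllowsRead(pageUrl, resourceUrl, responseHeaders, withCredentials = false) {
  const pageOrigin = originOf(pageUrl);
  if (pageOrigin === originOf(resourceUrl)) return true; // same origin: no CORS check
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  if (acao === undefined) return false; // resource did not opt in
  if (acao === "*") return !withCredentials; // wildcard is rejected for credentialed requests
  if (acao !== pageOrigin) return false; // opted in, but for another origin
  return !withCredentials || responseHeaders["Access-Control-Allow-Credentials"] === "true";
}

// Constructed walk-through of the Site A / Site B case from the text.
function demo() {
  const api = "https://api.example/data";
  return ["https://app.example/page", "https://other.example/", "http://app.example/page"]
    .map((page) => ({
      page,
      readable: browserAllowsRead(page, api, corsHeaders(originOf(page))),
    }));
}
console.log(demo());
```

The third page is refused because `http://app.example` and `https://app.example` are different origins, so an allowlist has to match the full scheme, host and port.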

Note: WebSockets are not subject to the same-origin policy.

CORS is a W3C Recommendation released on 16th January 2014. See

Alternatives to CORS are:

  • setting the document.domain property
  • Cross-document messaging – e.g. calling the postMessage() method on a Window object


Browser support for CORS:

  • >= Firefox 3.5
  • >= Safari 4
  • >= Chrome 3
  • >= IE10 (IE8+ has partial support). i.e. IE9 in Compatibility View would not support CORS
  • >= Opera 12
