Cross-Origin Resource Sharing

Cross-Origin Resource Sharing, or CORS, defines a way to enable client-side cross-origin requests. So, if this API is used on http://siteA.org then a resource on http://siteB.org could opt in to this( e.g. by specifying Access-Control-Allow-Origin: http://siteA.org as a response header).

The problem it aims to solve is that AJAX calls that use XMLHttpRequest to do cross-domain requests (e.g. Site A wants to access a script on Site B) are forbidden by web browsers (see Same-origin policy: http://en.wikipedia.org/wiki/Same-origin_policy).

Note: WebSockets are not subject to the same-origin policy.

CORS is a W3 Recommendation released on 16th January 2014. See http://www.w3.org/TR/access-control/

Alternatives to CORS are:

  • setting the document.domain property
  • Cross-document messaging – e.g. calling the postMessage() method on a Window object
  • JSONP

http://en.wikipedia.org/wiki/Same-origin_policy#Relaxing_the_same-origin_policy

 

Browser support for CORS:

  • >= Firefox 3.5
  • >= Safari 4
  • >= Chrome 3
  • >= IE10 (IE8+ has partial support). i.e. IE9 in Compatibility View would not support CORS
  • >= Opera 12

Automatic Post Tagger

Not quite as awesome as an automatic post categoriser but still pretty handy:

http://wordpress.org/extend/plugins/automatic-post-tagger/