Same and Cross Origin Policy
Same-Origin Policy (SOP)
- JavaScript running in a page can only read data from that page's own origin; an origin is the tuple scheme + host + port, so https://example.com, http://example.com and https://api.example.com are three different origins
- Cross-origin reads are blocked unless the other server explicitly allows them (see Allowing cross-origin below); cross-origin writes such as form submissions and navigations are still permitted
- Embedding cross-origin resources is allowed: script, img, link and similar tags can load scripts, images and stylesheets from another origin (this is how CDNs work), but the page's scripts still cannot read the bytes of those responses
- What SOP actually protects is responses fetched by script (fetch, XMLHttpRequest), which is usually the dynamic, user-specific content
Allowing cross-origin
Why Allow
- To allow API endpoints that are located on a different (sub)domain
- Scripts, images, content that is hosted on a different domain
Headers
For a cross-origin request to succeed, the browser must see specific CORS (Cross-Origin Resource Sharing) headers in the server's response; without them the browser discards the response and the script cannot read it. Note that the request itself may still reach the server, so CORS is not a substitute for CSRF protection.
Access-Control-Allow-Origin
- The single origin allowed to read the response, or * for any origin. It cannot be * when credentials (cookies, Authorization) are sent with the request, and echoing whatever Origin the request carries is equivalent to allowing every site
Access-Control-Allow-Methods
- List of methods allowed beyond GET, HEAD and POST (sent in the preflight response)
Access-Control-Allow-Headers
- List of request headers allowed beyond the safelisted ones (sent in the preflight response)
Access-Control-Max-Age
- Value in seconds for which the browser may cache the preflight result
When the Allow-Origin value depends on the request's Origin, the response should also carry Vary: Origin so that a cache does not serve one origin's answer to another.
For a request that is not "simple" (method other than GET/HEAD/POST, custom request headers, or a non-form Content-Type), the browser first sends a preflight: an OPTIONS request carrying Origin, Access-Control-Request-Method and Access-Control-Request-Headers. Only if the OPTIONS response allows the method and headers does the browser send the real request.
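The two halves of this page fit together in one piece of code: the origin comparison that SOP is built on (scheme + host + port), and the server-side decision that produces the CORS headers listed above, including the preflight answer. The block below is an added example and is not code from the original notes; the allowlist, the allowed methods and headers, and the max-age value are assumed values chosen for illustration.

```javascript
// Added example, not from the original notes: an origin comparison of the kind the
// browser's SOP check performs, and a CORS decision function of the kind a server would
// run before answering a cross-origin request. The allowlist, the allowed methods/headers
// and the max-age value are assumptions chosen for illustration.

// Hypothetical server policy (assumed values).
const ALLOWED_ORIGINS = ["https://app.example.com", "https://admin.example.com:8443"];
const ALLOWED_METHODS = new Set(["GET", "POST", "PUT", "OPTIONS"]);
const ALLOWED_HEADERS = new Set(["content-type", "authorization", "x-csrf-token"]); // lowercase
const PREFLIGHT_MAX_AGE_SECONDS = 600;

// An origin is (scheme, host, port). URL.origin serializes that tuple and drops default
// ports, so "https://app.example.com:443/x" and "https://app.example.com/y" are the same
// origin while "http://app.example.com" and "https://api.example.com" are not.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Exact-match allowlist. No reflection of the incoming value, no suffix or regex matching
// ("evil-example.com" must not match "example.com"), and the opaque origin "null" never matches.
function isAllowedOrigin(origin) {
  let requested;
  try {
    requested = new URL(origin).origin;
  } catch {
    return false; // not a serialized origin at all (e.g. "null" or a bare hostname)
  }
  if (requested === "null") return false;
  return ALLOWED_ORIGINS.some((allowed) => new URL(allowed).origin === requested);
}

// Returns the CORS headers to put on the response, or null when the request must be
// refused (respond without CORS headers, or 403, and the browser will block the read).
// `headers` uses lowercase keys, as Node's http module exposes them.
function corsHeaders(method, headers) {
  const origin = headers["origin"];
  if (origin === undefined) return {}; // same-origin or non-browser client: nothing to add
  if (!isAllowedOrigin(origin)) return null;

  const out = {
    // A single origin, never "*": this API accepts cookies, and browsers reject "*"
    // combined with Allow-Credentials: true.
    "Access-Control-Allow-Origin": new URL(origin).origin,
    "Access-Control-Allow-Credentials": "true",
    // The value above depends on the request's Origin, so shared caches must key on it.
    "Vary": "Origin",
  };

  const isPreflight = method === "OPTIONS" && "access-control-request-method" in headers;
  if (isPreflight) {
    const wantedMethod = headers["access-control-request-method"];
    if (!ALLOWED_METHODS.has(wantedMethod)) return null;
    const wantedHeaders = (headers["access-control-request-headers"] || "")
      .split(",")
      .map((h) => h.trim().toLowerCase())
      .filter((h) => h.length > 0);
    if (!wantedHeaders.every((h) => ALLOWED_HEADERS.has(h))) return null;
    out["Access-Control-Allow-Methods"] = [...ALLOWED_METHODS].join(", ");
    out["Access-Control-Allow-Headers"] = [...ALLOWED_HEADERS].join(", ");
    out["Access-Control-Max-Age"] = String(PREFLIGHT_MAX_AGE_SECONDS);
  }
  return out;
}

// The misconfiguration to avoid, shown for contrast: echoing whatever Origin arrives and
// allowing credentials lets any site the user visits read their authenticated responses.
function reflectingCorsHeaders(headers) {
  return {
    "Access-Control-Allow-Origin": headers["origin"],
    "Access-Control-Allow-Credentials": "true",
  };
}

// Constructed preflight, as a browser would send it before a cross-origin PUT carrying a
// custom header: OPTIONS /api/item with these request headers.
const examplePreflight = corsHeaders("OPTIONS", {
  origin: "https://admin.example.com:8443",
  "access-control-request-method": "PUT",
  "access-control-request-headers": "content-type, x-csrf-token",
});
```

In a Node http handler you would call corsHeaders(req.method, req.headers), write the returned headers onto the response, and answer a preflight with 204 and no body; a null result means the Origin, method or headers are not allowed, and the correct response is one without any Access-Control headers so the browser blocks the read. The allowlist is compared by normalized origin, which is why "https://app.example.com:443" matches "https://app.example.com" while "https://app.example.com.attacker.test" does not.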