What is this about?
Cross-Origin Resource Sharing (CORS) is a specification that enables truly open access across domain boundaries. With this site we want to support the adoption of CORS.
If you have public content that doesn't require cookie- or session-based authentication to view, then please consider opening it up for universal JavaScript/browser access.
Why is CORS important?
It is vital for a number of use cases to be able to perform requests that go beyond a single domain. Currently, this is not easily possible due to the same origin policy.
CORS defines how browsers and servers communicate when accessing sources across origins using HTTP headers to allow both the browser and the server to know enough about each other to determine if the request or response should succeed or fail.
How can I participate?
Granting JavaScript clients basic access to your resources simply requires adding one HTTP response header, namely:
Access-Control-Allow-Origin: *
Access-Control-Allow-Origin: http://example.com:8080 http://foo.example.com
The asterisk permits scripts hosted on any site to load your resources; the space-delimited list limits access to scripts hosted on the listed servers.
Note: this is compatible with both XMLHttpRequest and XDomainRequest and supported by all the major browsers.
Note: it is also important that CORS headers are supplied in case of client errors (4xx) or server errors (5xx).
For Apache
Apache can be configured to expose this header using mod_headers. This module is enabled by default in Apache; however, you may want to ensure it's enabled by running the following command:
a2enmod headers
To expose the header, add the following line inside <Directory>, <Location>, <Files> or <VirtualHost> sections, or within a .htaccess file:
Header set Access-Control-Allow-Origin *
Note: you can also use add rather than set, but be aware that add can add the header multiple times, so it's likely safer to use set. Finally, you may need to reload Apache to make sure your changes are applied.
For IIS6
To CORS-enable Microsoft IIS6, perform the following steps:
- Open Internet Information Service (IIS) Manager
- Right click the site you want to enable CORS for and go to Properties
- Change to the HTTP Headers tab
- In the Custom HTTP headers section, click Add
- Enter Access-Control-Allow-Origin as the header name
- Enter * as the header value
- Click Ok twice
For IIS7
For Microsoft IIS7, merge this into the web.config file at the root of your application or site:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="Access-Control-Allow-Origin" value="*" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
If you don't have a web.config file already, or don't know what one is, just create a new file called web.config containing the snippet above.
For Virtuoso
These instance/server-level settings require OpenLink Virtuoso Open Source (VOS) 6.1.3 or later, or Virtuoso Commercial Edition 06.02.3129 or later.
- In the Virtuoso Conductor, go to Web Application Server → Virtual Domains & Directories.
- Expand the default Interface store.
- Click New Directory.
- Specify the desired Virtual Directory Type, or choose an existing virtual directory to use as a template.
- Click Next.
- Specify the Directory Path value.
- Set the CORS options.
  - Cross-Origin Resource Sharing - contains a single wildcard asterisk, i.e., * or a space-delimited list of HTTP server URIs, e.g., http://example.com:8080 http://foo.example.com. Scripts originating on the listed HTTP servers are authorized to retrieve the specified resource(s); the wildcard means scripts from any HTTP server will be authorized. For this example, enter the following single URI: http://demo.openlinksw.com
  - Reject Unintended CORS check-box - when ticked and the application does not overwrite headers, unmatched Origins will be rejected by sending an empty response.
- Click Save changes.
For older versions of Virtuoso, any of the Web Application-level instructions below may be used. Any Virtuoso-based application can implement CORS checking through well-known HTTP functions http_request_header() and http_header(), for example:
<?vsp
  IF (http_request_header (lines, 'Origin', NULL) = 'http://host.org')
    {
      http_header ('Access-Control-Allow-Origin: http://host.org\r\n');
    }
  ELSE
    {
      RETURN;
    }
  -- Additional code here ---
?>
In ExpressJS
var express = require('express');
var app = express();
// Set the CORS headers on every request to this route, then pass control on.
app.all('/', function(req, res, next) {
  res.header("Access-Control-Allow-Origin", "*");
  res.header("Access-Control-Allow-Headers", "X-Requested-With");
  next();
});
app.get('/', function(req, res, next) {
  // Handle the get for this route
});
app.post('/', function(req, res, next) {
  // Handle the post for this route
});
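
The per-origin check from the Virtuoso snippet, written as Express-style middleware with an allowlist in place of the wildcard. Browsers compare the header value with the requesting page's origin as a single string, so the middleware checks the Origin request header and echoes back the one origin that matched. This is an added example, not code from the original page; ALLOWED_ORIGINS, corsHeadersFor, corsAllowlist, demo and the stand-in response object are assumptions for illustration.

```javascript
// Constructed allowlist (assumption): the two origins used as examples on this page.
const ALLOWED_ORIGINS = new Set([
  'http://example.com:8080',
  'http://foo.example.com',
]);

// Compute the CORS response headers for one Origin request header value.
function corsHeadersFor(origin, allowed = ALLOWED_ORIGINS) {
  // Vary: Origin stops shared caches reusing one origin's response for another.
  const headers = { Vary: 'Origin' };
  // Exact string comparison only; no prefix, suffix or pattern matching.
  if (typeof origin === 'string' && allowed.has(origin)) {
    headers['Access-Control-Allow-Origin'] = origin;
    headers['Access-Control-Allow-Headers'] = 'X-Requested-With';
  }
  return headers;
}

// Express-compatible middleware signature: (req, res, next).
function corsAllowlist(req, res, next) {
  const headers = corsHeadersFor(req.headers.origin);
  for (const [name, value] of Object.entries(headers)) {
    res.setHeader(name, value);
  }
  // Preflight requests are answered here; everything else goes on to the route.
  if (req.method === 'OPTIONS') {
    res.statusCode = 204;
    return res.end();
  }
  return next();
}

// Stand-in request/response objects (hypothetical) so this runs without Express.
function demo(origin, method = 'GET') {
  const res = {
    statusCode: 200,
    headers: {},
    setHeader(name, value) { this.headers[name] = value; },
    end() {},
  };
  let reachedRoute = false;
  corsAllowlist({ method, headers: { origin } }, res, () => { reachedRoute = true; });
  return { status: res.statusCode, headers: res.headers, reachedRoute };
}

console.log(demo('http://foo.example.com'));             // listed origin
console.log(demo('http://foo.example.com.other.test'));  // look-alike, not listed
console.log(demo('http://example.com:8080', 'OPTIONS')); // preflight
```

In an Express app, register it with app.use(corsAllowlist) ahead of the route definitions.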
In PHP
If you don't have access to configure Apache, you can still send the header from a PHP script. It's a case of adding the following to your PHP scripts:
<?php header("Access-Control-Allow-Origin: *");
Note: as with all uses of the PHP header function, this must be before any output has been sent from the server.
In CGI Scripts
Just output the line:
Access-Control-Allow-Origin: *
... as part of your CGI script's headers, for example, in Perl (using CGI.pm):
print header(
    -type => 'text/turtle',
    -content_location => 'mydata.ttl',
    -access_control_allow_origin => '*',
);
or in Python:
# These header lines must be printed before the blank line that ends the CGI headers.
print("Content-Type: text/turtle")
print("Content-Location: mydata.ttl")
print("Access-Control-Allow-Origin: *")
In ASP.NET
If you don't have access to configure IIS, you can still add the header through ASP.NET by adding the following line to your source pages:
Response.AppendHeader("Access-Control-Allow-Origin", "*");
Note: this approach is compatible with IIS6, IIS7 Classic Mode, and IIS7 Integrated Mode.
In App Engine
For Python-based applications in Google App Engine, the self.response.headers.add_header() method can be used, such as:
from google.appengine.ext import webapp

class CORSEnabledHandler(webapp.RequestHandler):
    def get(self):
        # Add the CORS header before writing the response body.
        self.response.headers.add_header("Access-Control-Allow-Origin", "*")
        self.response.headers['Content-Type'] = 'text/csv'
        # dump_csv() is the application's own method that returns the CSV text.
        self.response.out.write(self.dump_csv())