Print

Cross-origin resource sharing on track to become a W3C Recommendation



Rob Marvin
Email
January 3, 2014 —  Web applications can’t simply take data from multiple sources without permission. A Web security mechanism called same-origin policy (SOP) is what keeps, say, a shopping website from accessing a user’s bank account, or a news site from reading a user’s e-mails despite being logged into both sites at once.

CORS, the cross-origin resource sharing specification published by the World Wide Web Consortium (W3C), is what allows Web developers to incorporate client-side data into their apps. The most recent specification was proposed for W3C Recommendation—considered a Web standard—on Dec. 5.

According to Ian Jacobs, W3C’s head of communications, after the review period ends on Jan. 14, “We should see a stable, completed Recommendation in the second half of January.”

“Cross-origin resource sharing provides a way for Web resources to give permission to relax this [SOP] restriction to allow for the creation of interesting mash-ups incorporating content from multiple sources,” said Brad Hill, co-chairman of the W3C Web Application Security Working Group. “A mash-up application can use CORS to work with public data, like apartment listings and maps, and also for data that requires some user-level authorization, like integrating a user's preferences or calendar into applications hosted by different companies.”

CORS has been in existence since 2005 and can be used with all major browsers. It defines a set of headers that allow the browser and server to communicate about which requests are (and are not) allowed.

“The kind of mash-up applications that CORS enables are very compelling and have been a part of the Web for a long time, but before CORS they were built using methods like server-side proxying or JSONP that weren't very secure,” Hill said.

“CORS lets developers build mash-ups using the familiar XMLHttpRequest API, without having to do proxying, without sharing credentials directly between sites, and it protects mash-up applications from the cross-site scripting risks inherent in JSONP.”

CORS is a standard mechanism allowing the browser and server to communicate requests. It can also request public resources with no access controls such as weather data, census information or similar data, which can be sent using an "Access-Control-Allow-Origin: *" header. Hill added that developers should read the security section carefully, but that CORS should “just work” in the normal way XMLHttpRequest is used.

“If you're currently exposing Web APIs using JSONP or building integrations by including cross-origin scripts, you really should consider migrating to CORS for a more secure experience,” Hill said.




Related Search Term(s): CORS, W3C


Share this link: http://sdt.bz/67525
 

close
NEXT ARTICLE
From the Editors: One HTML, under W3C
HTML5’s advancement is good, but it could be being handled better; some predictions for 2013 Read More...
 
 
 




News on Monday  more>>
Android Developer News  more>>
SharePoint Tech Report  more>>
Big Data TechReport  more>>

   
 
 

 


Download Current Issue
APRIL 2014 PDF ISSUE

Need Back Issues?
DOWNLOAD HERE

Want to subscribe?