CORS in Action: Creating and consuming cross-origin APIs PDF

342 Pages·2014·9.27 MB·English

Preview CORS in Action: Creating and consuming cross-origin APIs

CORS in Action: Creating and consuming cross-origin APIs
Monsur Hossain

Copyright

For online information and ordering of this and other Manning books, please visit www.manning.com. The publisher offers discounts on this book when ordered in quantity. For more information, please contact

Special Sales Department
Manning Publications Co.
20 Baldwin Road
PO Box 761
Shelter Island, NY 11964
Email: [email protected]

©2015 by Manning Publications Co. All rights reserved.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by means electronic, mechanical, photocopying, or otherwise, without prior written permission of the publisher.

Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in the book, and Manning Publications was aware of a trademark claim, the designations have been printed in initial caps or all caps.

Recognizing the importance of preserving what has been written, it is Manning’s policy to have the books we publish printed on acid-free paper, and we exert our best efforts to that end. Recognizing also our responsibility to conserve the resources of our planet, Manning books are printed on paper that is at least 15 percent recycled and processed without the use of elemental chlorine.

Manning Publications Co.
20 Baldwin Road
PO Box 761
Shelter Island, NY 11964

Development editors: Cynthia Kane, Monique Bos
Technical development editor: Deepak Vohra
Copyeditor: Jodie Allen
Proofreader: Elizabeth Martin
Technical proofreader: Konstantin Yakushev
Typesetter: Dennis Dalinnik
Cover designer: Marija Tudor

ISBN: 9781617291821
Printed in the United States of America
1 2 3 4 5 6 7 8 9 10 – EBM – 19 18 17 16 15 14

Dedication

For Haroun and Annisa

Brief Table of Contents

Copyright
Brief Table of Contents
Table of Contents
Foreword
Preface
Acknowledgments
About this Book
Author Online
About the Author
About the Cover Illustration
1. Introducing CORS
  Chapter 1. The Core of CORS
  Chapter 2. Making CORS requests
2. CORS on the server
  Chapter 3. Handling CORS requests
  Chapter 4. Handling preflight requests
  Chapter 5. Cookies and response headers
  Chapter 6. Best practices
3. Debugging CORS requests
  Chapter 7. Debugging CORS requests
Appendix A. CORS reference
Appendix B. Configuring your environment
Appendix C. What is CSRF?
Appendix D. Other cross-origin techniques
Index
List of Figures
List of Tables
List of Listings

Table of Contents

Copyright
Brief Table of Contents
Table of Contents
Foreword
Preface
Acknowledgments
About this Book
Author Online
About the Author
About the Cover Illustration
1. Introducing CORS
  Chapter 1. The Core of CORS
    1.1. What is CORS?
    1.2. CORS by example
      1.2.1. Setting up the request
      1.2.2. Sending the request
      1.2.3. Processing the response
    1.3. Benefits of CORS
      1.3.1. Wider audience
      1.3.2. Servers stay in charge
      1.3.3. Flexibility
      1.3.4. Easy for developers
      1.3.5. Reduced maintenance overhead
    1.4. Summary
  Chapter 2. Making CORS requests
    2.1. What is a cross-origin request?
    2.2. Browser support for CORS
    2.3. Using the XMLHttpRequest object
      2.3.1. Sending an HTTP request
      2.3.2. Handling the HTTP response
      2.3.3. Including cookies on cross-origin requests
    2.4. XDomainRequest object in Internet Explorer 8 and 9
      2.4.1. Differences between XDomainRequest and XMLHttpRequest
    2.5. Canvas and cross-origin images
    2.6. CORS requests from jQuery
    2.7. Summary
2. CORS on the server
  Chapter 3. Handling CORS requests
    3.1. Setting up the sample code
      3.1.1. Setting up the sample API
      3.1.2. Setting up the sample client
      3.1.3. Running the sample app
    3.2. Making a CORS request
    3.3. Anatomy of a CORS request
      3.3.1. The players in a CORS request
      3.3.2. Lifecycle of a CORS request
    3.4. Making a request with the Origin header
      3.4.1. Viewing the Origin header
      3.4.2. What is an origin?
      3.4.3. Setting the Origin header
    3.5. Responding to a CORS request
      3.5.1. The Access-Control-Allow-Origin header
      3.5.2. Access-Control-Allow-Origin with a wildcard (*) value
      3.5.3. Access-Control-Allow-Origin with an origin value
      3.5.4. Rejecting CORS requests
    3.6. Summary
  Chapter 4. Handling preflight requests
    4.1. What is a preflight request?
      4.1.1. Lifecycle of a preflight request
      4.1.2. Why does the preflight request exist?
    4.2. Triggering a preflight request
      4.2.1. When is a preflight request sent?
    4.3. Identifying a preflight request
      4.3.1. Origin header
      4.3.2. HTTP OPTIONS method
      4.3.3. Access-Control-Request-Method header
      4.3.4. Putting it all together
    4.4. Responding to a preflight request
      4.4.1. Supporting HTTP methods with Access-Control-Allow-Methods
      4.4.2. Supporting request headers with Access-Control-Allow-Headers
      4.4.3. Sending the actual request
      4.4.4. Rejecting a preflight request

Description:
Summary: CORS in Action introduces Cross-Origin Resource Sharing (CORS) from both the server and the client perspective. It starts with the basics: how to make CORS requests and how to implement CORS on the server. It then explores key details such as performance, debugging, and security. API authors