ELI5 what is cors?

Could anyone eli5 what cors is with some real examples, and when to use it?

What have you read about CORS already? What do and don’t you understand currently? I don’t know what you do or don’t know, so currently my response would be pasting your question into Google and copy-pasting the top results.

I have read about it and I kinda understand it.

An example of a cross-origin request: the front-end JavaScript code served from https://domain-a.com uses XMLHttpRequest to make a request for https://domain-b.com/data.json .

But if my backend and frontend have the same domain like domain.com, why would I need cors?

Then you’re fine. That’s not what it’s for: you can trust stuff being served on your website from your server because everything is in the same place (so to speak). The example with this would be if someone else wanted to use some resource that comes from your server on their website, then it’s a different domain.

Ok, do I need cors if I fetch data from domain-foo.com? Does it even matter if I use cors even if I don’t need it? @DanCouper

You don’t get to choose, that’s a core thing about it. It’s not about whether you need CORS or not: CORS is going to be there whatever. The owner of the server decides that. The main mechanism here is that when you make an HTTP request in the browser for some resource on a server somewhere (via fetch or XMLHttpRequest), the response that comes back has a header that specifies if you’re allowed to have it. And if you aren’t, you just end up with a generic error that says there’s a CORS issue.

If you want some resource on your server to be used by other people, then in that case you set the header that specifies that’s what you want to happen.

Is this correct: 100 people fetch weather data successfully from an API with Access-Control-Allow-Origin: *, 100 people fetch data from an API, but the only successful one is the website domain.com because Access-Control-Allow-Origin: http://www.domain.com? @DanCouper

Yep, that’s spot on. It is interesting that you use that example, because I was going to use weather data as an example as well.

FCC used to have a weather app as one of the front-end frameworks projects. It’s been moved to the interview prep section now due to it being very difficult/impossible to complete. That was because of CORS (if you search the forum for it, there will be a lot of threads on the subject).

So you don’t need to say Access-Control-Allow-Origin: * to give people access, you can also say “if you can provide me with a key, I’ll allow you access”. CORS has provisions to help make this relatively simple. And all the public weather APIs now require a key for the free tier. But, you don’t really want to have API keys public. So there were a few services people had built, proxy servers, and the way they work is they take a request from a user, forward it to the weather API, then send the response back to the user with the `Access-Control-Allow-Origin` header set to `*`. Except those were using free tiers, and free tiers are pretty limited, so they got verrrrrry slow, and this isn’t getting into issues after mixing HTTP/HTTPS, or some things, and uggh. All got a bit much really, to the point where it wasn’t feasible to have it as a certification project (I’m sure I’m remembering correctly that it was).

Anyway, there’s a little bit more in the way of rules with CORS but much of it boils down to “is that header set, and what is its value set to”. With a few exceptions (mainly for basic stuff, so you can actually see websites for example), the owner of a server needs to explicitly specify they want to share something.
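An added example, not from this thread or from freeCodeCamp, that puts the mechanism described in the replies above into plain JavaScript: the server side that decides what `Access-Control-Allow-Origin` to send (wildcard for a public weather API, an allowlist for an API that only www.domain.com may read, and the OPTIONS preflight that an API-key header triggers), and the browser side that compares the page’s origin with that header before letting `fetch()` read the response. No network is involved; the origins, policies and the `X-Api-Key` header name are made up for illustration.

```javascript
// Added example (not from this thread): the two sides of the CORS decision
// described above, as plain functions with no network involved.
// All origins, policies and header names here are made up for illustration.

// --- Server side: what goes on the response ---------------------------------

// A policy is either "anyone may read this" (allowAll) or an explicit list of
// page origins, plus the methods and request headers permitted in preflight.
const publicWeatherApi = {
  allowAll: true,
  allowedMethods: ['GET'],
  allowedHeaders: [],
};

const privateApi = {
  allowAll: false,
  allowedOrigins: ['http://www.domain.com'],
  allowedMethods: ['GET'],
  allowedHeaders: ['X-Api-Key'],
};

// Given the request's Origin header, return the CORS headers for the response.
function corsResponseHeaders(requestOrigin, policy) {
  // No Origin header: same-origin request or a non-browser client, so the
  // CORS check does not apply and no header is needed.
  if (!requestOrigin) return {};
  if (policy.allowAll) {
    return { 'Access-Control-Allow-Origin': '*' };
  }
  if (policy.allowedOrigins.includes(requestOrigin)) {
    // Echo the one origin that was allowed (never the wildcard here) and
    // tell caches that the answer depends on Origin.
    return { 'Access-Control-Allow-Origin': requestOrigin, Vary: 'Origin' };
  }
  // Not allowed: send no header and the browser will refuse to hand the
  // response to the page's JavaScript.
  return {};
}

// Preflight: a request carrying a custom header such as X-Api-Key is not a
// "simple" request, so the browser first sends OPTIONS with
// Access-Control-Request-Method and Access-Control-Request-Headers.
function preflightResponse(requestOrigin, requestedMethod, requestedHeaders, policy) {
  const base = corsResponseHeaders(requestOrigin, policy);
  if (!base['Access-Control-Allow-Origin']) return { status: 403, headers: {} };
  const lower = (list) => list.map((h) => h.toLowerCase());
  const methodOk = policy.allowedMethods.includes(requestedMethod.toUpperCase());
  const headersOk = lower(requestedHeaders).every((h) => lower(policy.allowedHeaders).includes(h));
  if (!methodOk || !headersOk) return { status: 403, headers: {} };
  return {
    status: 204,
    headers: {
      ...base,
      'Access-Control-Allow-Methods': policy.allowedMethods.join(', '),
      'Access-Control-Allow-Headers': policy.allowedHeaders.join(', '),
      'Access-Control-Max-Age': '600', // seconds the browser may cache this answer
    },
  };
}

// --- Browser side: what the page's fetch() is allowed to read ---------------

// The browser compares the page's origin with the header on the response.
// A missing header or a different origin counts as "not allowed", and
// fetch() rejects with the generic CORS error mentioned in the thread.
function browserAllowsRead(pageOrigin, responseHeaders) {
  const allow = responseHeaders['Access-Control-Allow-Origin'];
  return allow === '*' || allow === pageOrigin;
}

// --- The two scenarios from the thread --------------------------------------
function runScenarios() {
  const results = {};
  // Any of 100 different sites fetches weather data from an API answering "*".
  results.weatherFromAnySite = browserAllowsRead(
    'https://some-random-site.example',
    corsResponseHeaders('https://some-random-site.example', publicWeatherApi)
  );
  // Only www.domain.com may read from the private API; everyone else is blocked.
  results.privateFromDomainCom = browserAllowsRead(
    'http://www.domain.com',
    corsResponseHeaders('http://www.domain.com', privateApi)
  );
  results.privateFromOtherSite = browserAllowsRead(
    'https://some-random-site.example',
    corsResponseHeaders('https://some-random-site.example', privateApi)
  );
  return results;
}

console.log(runScenarios());
```

Run it with `node cors-example.js`. The allowlist branch echoes the single matching origin rather than the whole list because the browser only accepts one origin value (or `*`), and it adds `Vary: Origin` so a shared cache does not serve one site’s allowed response to another.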
