Relaxing the same origin policy
Cross origin resource sharing is how a server opts in to letting another origin read its responses. The same origin policy blocks reads by default, and the server uses response headers to grant specific exceptions. The browser enforces the result; the server only advertises what it permits.
- The browser adds an Origin header to the request.
- The server replies with Access-Control-Allow-Origin (and related Access-Control-Allow-*) headers.
- The browser blocks the read if those headers do not permit it.
Simple versus preflighted
Simple requests go straight out, but requests with custom headers or methods like PUT first trigger a preflight. The preflight is an OPTIONS request that asks the server whether the real request is allowed before the browser sends it.
- A preflight uses the OPTIONS method to ask permission.
- Access-Control-Allow-Methods and Access-Control-Allow-Headers list what is permitted.
- Sending credentials needs Access-Control-Allow-Credentials set to true.
A failed cross origin read is a browser decision; the server may still have processed the request.
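The exchange described above, as an added example that is not part of the original page: one JavaScript module modelling the browser's simple-versus-preflight classification, a server's allowlist-based answer, and the browser's final read decision (including the rule that a wildcard origin is rejected when credentials are sent). The origin allowlist, permitted methods and header names are assumed values.

```javascript
// Added example, not from the page: the CORS decision on both sides of the exchange.
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SIMPLE_CONTENT_TYPES = new Set(["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);

// Browser side: can this request go out without a preflight? A non-listed method,
// a custom header, or a non-form Content-Type (e.g. application/json) forces OPTIONS first.
function isSimpleRequest(method, headers) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return false;
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!SIMPLE_HEADERS.has(lower)) return false;
    if (lower === "content-type") {
      const mime = value.split(";")[0].trim().toLowerCase();
      if (!SIMPLE_CONTENT_TYPES.has(mime)) return false;
    }
  }
  return true;
}

// Server side: an explicit allowlist (assumed policy, constructed values), never a
// reflected Origin. Credentials are granted, so the allowed origin must be exact.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);
const ALLOWED_METHODS = ["GET", "POST", "PUT"];
const ALLOWED_HEADERS = ["Content-Type", "X-Request-Id"];

function corsHeaders(origin, isPreflight) {
  if (!ALLOWED_ORIGINS.has(origin)) return {}; // no grant: the browser blocks the read
  const h = {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin", // per-origin answers must not be cached across origins
  };
  if (isPreflight) {
    h["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
    h["Access-Control-Allow-Headers"] = ALLOWED_HEADERS.join(", ");
  }
  return h;
}

// Browser side: does the response permit the read? "*" is refused with credentials.
function readAllowed(origin, responseHeaders, withCredentials) {
  const allow = responseHeaders["Access-Control-Allow-Origin"];
  if (allow === undefined) return false;
  if (allow === "*") return !withCredentials;
  if (allow !== origin) return false;
  return !withCredentials || responseHeaders["Access-Control-Allow-Credentials"] === "true";
}
```

Note that a failed preflight means the real request is never sent, whereas a simple request that fails the read check has already reached the server.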
Key idea
Cross origin resource sharing lets a server grant read access through Access-Control-Allow-* response headers, with the browser preflighting non-simple requests before sending them.