13 - Cross-Origin Resource Sharing

Question 1

restricts how a document/script from one origin can interact with a resource from another origin

Answer 1

Same-Origin Policy

Question 2

two web pages have the same origin if they have the same (3)

Answer 2

1. protocol
2. host/domain
3. port

Question 3

a page attempting to interact with a resource from a different origin is making a ____

Answer 3

Cross-Origin Request

Question 4

Determine if the following requests are cross-origin requests:

a. http://localhost:3001 => http://localhost:3000

b. http://myapp.com => https://myapp.com

c. http://myapp.com => http://myapp.com/about

d. https://myapp.com => https://blog.myapp.com

e. http://myapp.com => http://myapp.com:81

Answer 4

a. Cross-Origin
b. Cross-Origin
c. Same Origin
d. Cross-Origin
e. Cross-Origin

Question 5

true/false

the website/web server restricts cross-origin HTTP requests

Answer 5

false, it is the browser that restricts such requests

Question 6

what are the exceptions to cross-origin requests (4)

Answer 6

1. embedded requests
2. cross-origin writes
3. images
4. linked stylesheets

Question 7

why restrict cross-origin access?

Answer 7

cross-origin requests are a vector for online attacks, they are a way to steak cookies and can give an attacker access to a user’s sensitive information

Question 8

what do we do if we really need to access resources from another origin?

Answer 8

use cross-origin resource sharing

Question 9

a system that allows resources to be accessed across different origins

Answer 9

Cross-Origin Resource Sharing (CORS)

Question 10

are used by clients and servers to determine if the client can access the server’s resources

Answer 10

access-control headers

Question 11

what access-control header specifies which origins are allowed access

Answer 11

access-control-allow-origin

Question 12

what access-control header indicates if sending credentials are allowed

Answer 12

access-control-allow-credentials

Question 13

what access-control header indicates which http methods are allowed to be used for incoming requests

Answer 13

access-control-allow-methods

Question 14

what access-control header indicates which headers are allowed to be used for incoming requests

Answer 14

access-control-allow-headers

Question 15

some cross-origin requests trigger a ____

Answer 15

preflight request

Question 16

automatically issued by the browser before sending some kinds of cross-origin requests

Answer 16

preflight requests

Question 17

it is a ‘preflight’ check to see if the actual request will be accepted and processed

Answer 17

preflight requests

Question 18

all preflight requests are ____ requests with particular headers

Answer 18

OPTIONS HTTP

Question 19

what are the 3 particular headers of preflight requests

Answer 19

1. Access-Control-Request-Method
2. Access-Control-Request-Headers
3. origin

Question 20

before the browser sends the actual request, it sends a/an ___ request to ask if the actual request will be allowed

Answer 20

OPTIONS

Question 21

true/false

requests that will cause some sort of change in the server’s data will only trigger a preflight request if specified in the header

Answer 21

false, any request that will cause change in the server’s data will trigger a preflight request

Question 22

___ requests don’t trigger a preflight and only look for the ____ header in the response

Answer 22

Simple, Access-Control-Allow-Origin