Cross-Origin Resource Sharing

Question 1

True or False

Many web apps don’t connect to each other and are independent from each other’s resources/services.

Answer 1

False

Many web apps connect to each other and rely on each other’s resources/services.

Question 2

Restricts how a document/script from one origin can interact with a resource from another origin.

Answer 2

Same-Origin Policy

Question 3

2 web pages have the same origin if they have the same:

Answer 3

1. Protocol
2. Host/Domain
3. Port

Question 4

A page attempting to interact with a resource from a different origin is making a ___________

Answer 4

Cross-Origin Request

Question 5

Is this a Cross-Origin Request?

http://myapp.com -> https://myapp.com

Answer 5

Yes, because http is different from https.

Question 6

• This restriction is done by the browser, not by the website itself.
• Browsers restrict cross-origin HTTP requests initiated within scripts.

Answer 6

Same-Origin Policy

Question 7

Exceptions

Answer 7

• Embedded requests (<img src=”...” /><link href=”...” />)
• Cross-Origin writes (submitting data to a different origin)

Example:
<img src="https://bit.ly/2EZkilW" />

<link
rel="stylesheet"
href="https://stackpath.bootstrapcdn.com
/bootstrap/4.1.0/css/bootstrap.min.css"
>

Question 8

Why restrict cross-origin access?

Answer 8

Cross-origin requests are a vector for online attacks. They are a way to steal cookies, and can give an attacker access to a user’s sensitive information if they are not careful.
So they are blocked by default.

Question 9

______________ is a system that allows resources to be accessed across different origins.

Answer 9

Cross-Origin Resource Sharing (CORS)

Question 10

True or False

The Access-Control-* headers are used by clients and servers to determine if the client can access the server’s resources.

Answer 10

True

Question 11

Access-Control-Allow-Origin

Answer 11

Specifies which origins are allowed access

Question 12

Access-Control-Allow-Credentials

Answer 12

Indicates if sending credentials are allowed

Question 13

Access-Control-Allow-Methods

Answer 13

Indicates which HTTP methods are allowed to be used for incoming requests

Question 14

Access-Control-Allow-Headers

Answer 14

Indicates which headers are allowed to be used for incoming requests

Question 15

Some cross-origin requests trigger a ______________

Answer 15

preflight request

Question 16

• ______________ are automatically issued by the browser before sending some kinds of cross-origin requests.
• It is a ‘preflight’ check to see if the actual request will be accepted and processed.

Answer 16

Preflight requests

Question 17

All preflight requests are OPTIONS HTTP requests with 3 particular headers

Answer 17

1. Access-Control-Request-Method
2. Access-Control-Request-Headers
3. Origin

Question 18

Before the browser sends the actual POST request, it sends an ________ request, to ask if the POST request will be allowed.

Answer 18

OPTIONS

Question 19

True or False

In general, requests that will cause some sort of change in the server’s data trigger a tralalero tralala.

Answer 19

False

In general, requests that will cause some sort of change in the server’s data trigger a preflight request.

Question 20

True or False

“Simple” requests don’t trigger a preflight and only look for the Access-Control-Allow-Origin header in the response.

Answer 20

True