

Eduardo Garcia


Nowadays it is pretty common to transfer data between web applications via Web Services to clients that require information over different interfaces such as REST, XMLRPC, JSON, JSON-RPC, SOAP and others.

Almost all sites today are built using JavaScript, generating AJAX calls with the XMLHttpRequest mechanism to get information from external sites. To enable this kind of communication it is necessary to implement "cross-domain" requests, which would otherwise be forbidden by web browsers under the same-origin security policy.

Let's imagine the following scenario: we have a frontend application using the domain and this application wants to use data provided by a backend site located in domain For security this type of communication is blocked and the end user will only be able to get the information from, this scenario is exemplified in the following image.

To enable this kind of communication it is required that your backend server (http// returns the specific HTTP headers that enable CORS communication. Below you can see an example of the HTTP headers required.


The header Access-Control-Allow-Credentials is only used if your request requires some kind of authentication. You can read more information about all the HTTP headers at Access Controls - CORS.
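
One way a backend can compute the CORS headers described above, as an added example that is not code from the original post. The origin `https://frontend.example`, the function name `corsHeaders`, and the allowed methods and request headers are assumptions chosen for illustration.

```javascript
// Constructed allowlist: exact origins (scheme + host + port) the backend trusts.
const ALLOWED_ORIGINS = new Set(["https://frontend.example"]);

// Returns the CORS response headers for one incoming request.
//   req.method        - HTTP method of the request
//   req.origin        - value of the Origin request header (undefined if absent)
//   req.requestMethod - value of Access-Control-Request-Method (preflight only)
function corsHeaders(req, { credentials = false } = {}) {
  // Vary: Origin stops a shared cache from replaying one origin's grant to another.
  const headers = { Vary: "Origin" };

  // Exact-match lookup: no substring or suffix tests, and the literal string
  // "null" is never trusted. Without a grant the browser blocks the read.
  if (!req.origin || !ALLOWED_ORIGINS.has(req.origin)) return headers;

  // Echo the single matched origin. "*" cannot be combined with credentials:
  // browsers reject that pairing.
  headers["Access-Control-Allow-Origin"] = req.origin;
  if (credentials) headers["Access-Control-Allow-Credentials"] = "true";

  // Preflight: an OPTIONS request carrying Access-Control-Request-Method.
  if (req.method === "OPTIONS" && req.requestMethod) {
    headers["Access-Control-Allow-Methods"] = "GET, POST, OPTIONS";
    headers["Access-Control-Allow-Headers"] = "Content-Type, Authorization";
    headers["Access-Control-Max-Age"] = "600"; // seconds the preflight may be cached
  }
  return headers;
}

// Constructed sample requests: a trusted origin, a look-alike, and a preflight.
const samples = [
  { method: "GET", origin: "https://frontend.example" },
  { method: "GET", origin: "https://frontend.example.attacker.test" },
  { method: "OPTIONS", origin: "https://frontend.example", requestMethod: "POST" },
];
for (const s of samples) {
  console.log(s.method, s.origin, corsHeaders(s, { credentials: true }));
}
```

Only the first and third sample receive `Access-Control-Allow-Origin`; the look-alike origin gets nothing beyond `Vary: Origin`, so the browser refuses to expose the response to its script.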

