I have a web-page on my domain (ecmazing.com), and I'd like to be able to send AJAX requests to this URL:

http://hacheck.tel.fer.hr/xml.pl

It's a Perl script that is located on a different domain (and it returns an XML response).

The "Same origin policy" doesn't allow for Ajax communication from a web-page on my domain.

Now, I've heard about CORS, and I think that it could solve my issue. If I understand correctly, the admin of the hacheck.tel.fer.hr domain would have to configure the web-server so that Ajax requests from my domain (ecmazing.com) would be permitted.

Could you tell me what actions specifically the admin would have to perform? I'm going to contact him so I'd like to be able to give him the specifics...

CORS spec is here: http://www.w3.org/TR/cors/

Info about CORS is here: http://www.w3.org/wiki/CORS_Enabled

Šime Vidas

3 Answers

According to the link you sent it's enabled by default and only needs a .htaccess file change, presuming it's Apache:

To expose the header, you can add the following line inside <Directory>, <Location>, and <Files> sections, or within an .htaccess file.

 <IfModule mod_headers.c>
   Header set Access-Control-Allow-Origin "*"
 </IfModule>

I can say that as an admin you had better be well prepared to justify why this can't be done in code rather than on the server and why I should allow you to do this.

Jim B
  • @Jim The domain that hosts the Perl script is owned by my college. I'm doing a proposal for a web-page (service) as my thesis, so I expect full support from my college. In order to demonstrate my proposal online, I need to be able to communicate with that Perl script. I currently see two solutions: (1) CORS, (2) host my proposal on the domain of the Perl script (but in that case I'd have to have an FTP account so that I can update my page at any time), and I'm not sure if my college can set up such an FTP account for me... – Šime Vidas Jun 02 '11 at 18:51
  • @Sime (apologies I cannot determine how to enter the diacritic char. of your name) I understand you expect support, however if you wrote a paper on bank robberies would you expect the college to help you rob one? Client side scripts are blocked from this behavior for a whole host of reasons. Even Ben's jsonp suggestion has an effort to close that loophole. As an admin, telling me I have to render all sites vulnerable to this sort of issue to support your effort wouldn't get much traction. In my opinion you would get better results and more support by asking for the FTP account. – Jim B Jun 03 '11 at 12:33
  • @Jim Using CORS does not implicitly enable *all* scripts on the internet to access your server files. You (on the server-side) can use CORS to specify which domains get access. In my particular case, I'd like scripts from my domain (`ecmazing.com`) to be able to access files (via Ajax) from the domain `hacheck.tel.fer.hr` (which is, note, not the main domain of my college, but a sub-sub-domain of it). Since this domain only hosts the server-side code for the Hacheck application (and no other sensitive data), I believe the admin of that domain should be able to grant me access (temporarily)... – Šime Vidas Jun 03 '11 at 12:54
  • @sime according to the docs it looks like you have to allow all sites; the security doc (http://code.google.com/p/html5security/wiki/CrossOriginRequestSecurity) specifically mentions that security is in the hands of the developers - not the admins. If the HAcheck application isn't critical or sensitive and it's the only site on the server then certainly I'd be more open to modifying htaccess. – Jim B Jun 03 '11 at 13:09
  • @Jim No, there is the `Access-Control-Allow-Origin` HTTP response header which controls which domains have access. Only if you set the value of this header to `*` (wildcard), only then will all scripts on the Internet have access to your pages. More info is in the page you linked under "Universal allow" onwards. – Šime Vidas Jun 03 '11 at 13:46
  • @sime yes I agree the *server* setting seems to only take the wildcard. I can't find an example where it takes a domain value; the page settings are certainly otherwise. For experimenting I'd start with * and get more specific if that works. Either way I'm letting a foreign domain access files which (again as an admin) I *might* allow given the right circumstances. – Jim B Jun 03 '11 at 14:13
  • @Jim Hm, I've no experience with servers, but my logic tells me that the server admin should be able to set that header to any value; I don't see a reason why the value would be restricted to `*`. It's a custom header anyway, so the admin should have full control over it (when defining its name or value). As for the example, it is [here](http://www.andlabs.org/html5/acCOR.php). Click on the link below the header "Demo" and an Ajax request will be made. The HTTP request has an "Origin" header, and the response has the "Access-Control-..." header. [Screenshot.](http://i.imgur.com/p9W5J.png) – Šime Vidas Jun 03 '11 at 14:33
  • @Sime - right, the demo is with a PHP header - in code, not server side. I looked at the mozilla site and as many others as I can find and don't see any server side config examples that specify a site. That doesn't mean it won't take it, it just means you'll have to try it. I'm just thankful that the real world forbids this stuff by default :) – Jim B Jun 03 '11 at 15:20
  • @Jim Sorry, I don't understand. Forbids what by default? – Šime Vidas Jun 03 '11 at 18:49
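The comment thread above asks whether the server-side header can carry a specific site rather than `*`. It can: `Access-Control-Allow-Origin` takes exactly one origin or `*`, so an Apache admin who wants to admit only ecmazing.com echoes that origin back when it matches an allowlist. The following is an added example, not code from the answer or from the hacheck.tel.fer.hr server; it assumes Apache with mod_headers and mod_setenvif, placed in a `<Directory>` block or a .htaccess file (which needs `AllowOverride FileInfo`), and that http(s)://ecmazing.com (optionally with www.) is the only page origin to allow.

```apache
# Added example (not from the original answer). Assumes mod_headers and
# mod_setenvif are loaded and that ecmazing.com is the only allowed origin.
<IfModule mod_setenvif.c>
  <IfModule mod_headers.c>
    # Set CORS_ORIGIN only when the request's Origin header is exactly
    # the allowed site (scheme, optional www., host, nothing after it).
    # Requests without an Origin header, or from any other origin,
    # leave the variable unset.
    SetEnvIf Origin "^(https?://(www\.)?ecmazing\.com)$" CORS_ORIGIN=$1

    # Echo that single matched origin back instead of "*". Because of the
    # env= condition the header is not sent at all for other origins, so
    # their browsers keep blocking the cross-origin read.
    Header set Access-Control-Allow-Origin "%{CORS_ORIGIN}e" env=CORS_ORIGIN

    # The response now differs per Origin, so tell shared caches not to
    # serve the copy made for ecmazing.com to a request from elsewhere.
    Header merge Vary Origin
  </IfModule>
</IfModule>
```

The wildcard from the answer (`Header set Access-Control-Allow-Origin "*"`) would be the single-line alternative, but it opens the XML to every site on the web, which is what the admin objected to. A quick check is `curl -H "Origin: http://ecmazing.com" -i http://hacheck.tel.fer.hr/xml.pl` to confirm the header comes back, and the same request with a different Origin to confirm it does not.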
We're maintaining enable-cors.org for answering this kind of question. If you want to share new recipes for configurations, please raise an issue.

You might want to consider Cross-Domain JSONP. From the Wiki: "'JSON with padding' is a complement to the base JSON data format, a pattern of usage that allows a page to request data from a server in a different domain. As a solution to this problem, JSONP is an alternative to a more recent method called Cross-Origin Resource Sharing."

I've started using this for several remote APIs without any issues, it's great :)

ben lemasurier
  • I would love to use JSONP. However, the Perl script returns an XML response, and I am the client-side programmer (the Perl script is on the server-side). I don't think that I would be able to persuade the server-side programmer to rewrite the Perl script.... – Šime Vidas Jun 02 '11 at 17:50