CORS (Cross-Origin Resource Sharing) is a mechanism that allows browsers to request and receive resources from an origin (domain, scheme, or port) that differs from the current one.

CORS works by adding HTTP headers that indicate which origins are allowed to access the resource, and under what conditions.

Access-Control-Allow-Origin Header

One of the most important CORS headers is Access-Control-Allow-Origin, which specifies the origin or origins that can access the resource. The origin is the combination of the domain, scheme, and port number of the requesting site – for example, https://example.com:443.

To use this header, you need to set it on the server that hosts the resource, not on the client that requests it. The value of this header can be either a specific origin, a wildcard (*), or null.

For example:

  • Access-Control-Allow-Origin: https://example.com means that only requests from https://example.com can access the resource.
  • Access-Control-Allow-Origin: * means that requests from any origin can access the resource. This is only valid for requests without credentials (such as cookies or HTTP authentication).
  • Access-Control-Allow-Origin: null means that requests from the origin null can access the resource. This is not recommended, as an attacker can use various tricks to generate a cross-origin request containing the value null in the Origin header, giving malicious documents access to the resource.
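
One way for a server to choose the Access-Control-Allow-Origin value across the three cases above, as an added example that is not part of the original page. The function names, the allow-list and the sample origins are assumptions made for illustration; the sketch also treats https://example.com and https://example.com:443 as the same origin, since 443 is the default port for https.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(value):
    """Return (scheme, host, port) for a serialized origin, else None."""
    if not value or value == "null":      # "null" is never treated as trusted
        return None
    try:
        parts = urlsplit(value)
        port = parts.port                 # raises ValueError on a bad port
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    # An origin has no userinfo, path, query or fragment.
    if "@" in parts.netloc or parts.path or parts.query or parts.fragment:
        return None
    if port is None:
        port = DEFAULT_PORTS[parts.scheme]
    return (parts.scheme, parts.hostname, port)


def cors_headers(request_origin, allowed_origins, allow_credentials=False,
                 public=False):
    """Build the CORS response headers for one request (hypothetical helper)."""
    if public:
        if allow_credentials:
            raise ValueError("'*' is not valid for requests with credentials")
        return {"Access-Control-Allow-Origin": "*"}
    headers = {"Vary": "Origin"}          # response depends on Origin, so caches must key on it
    origin = normalize_origin(request_origin)
    allowed = {normalize_origin(o) for o in allowed_origins} - {None}
    if origin is None or origin not in allowed:
        return headers                    # no ACAO header: the browser blocks the read
    headers["Access-Control-Allow-Origin"] = request_origin
    if allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


# Constructed sample allow-list, using the origin from the text above.
ALLOWED = ["https://example.com:443"]
```

The comparison is an exact match on scheme, host and port, so a look-alike host such as https://example.com.evil.test or a downgrade to http://example.com receives no Access-Control-Allow-Origin header.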

Cross-Origin-Resource-Policy Header

Another CORS header that can affect cross-origin requests is Cross-Origin-Resource-Policy, which specifies how the resource can be shared with other origins.

The value of this header can be either same-origin, same-site, cross-origin, or null.

For example:

  • Cross-Origin-Resource-Policy: same-origin means that the resource can only be accessed by requests from the same origin as the resource.
  • Cross-Origin-Resource-Policy: same-site means that the resource can only be accessed by requests from the same site as the resource. A site is defined by the scheme and the registrable domain. For example, https://example.com and https://sub.example.com are considered to be in the same site.
  • Cross-Origin-Resource-Policy: cross-origin means that the resource can be accessed by requests from any origin, as long as they have a valid CORS request header. This is similar to setting Access-Control-Allow-Origin: *, but it also allows requests with credentials (such as cookies or HTTP authentication).
  • Cross-Origin-Resource-Policy: null means that the resource can be accessed by requests from any origin, without any CORS checks. This is not recommended as it can expose sensitive data to malicious sites.

You can quickly add or manage CORS settings for your web application on RunCloud by setting the relevant header in LiteSpeed config or Nginx config.