Cross-Origin Resource Sharing (CORS) Setup
Using CORS is advisable to keep websites secure and their users protected from the risks involved in sharing resources across multiple domain names. CORS allows resources to be loaded from domains other than the origin (parent) domain.
It’s a common practice nowadays for modern websites to load images, scripts, style sheets, etc. from other domains.
For security reasons, browsers restrict cross-origin HTTP requests unless the response from the other origin includes the right CORS headers.
Relaxation of the same-origin policy using CORS
The same-origin policy is restrictive, and consequently the CORS approach has been adopted to sidestep the restrictions.
CORS uses a suite of HTTP headers that define trusted web origins and associated properties, such as whether authenticated access is permitted. These are combined in a header exchange between a browser and the cross-origin website that it is trying to access.
Using this suite of HTTP headers, CORS enables the browser to handle cross-domain content by either allowing or denying it, depending on the configuration.
Read more about the Cross-Origin Resource Sharing (CORS) at https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
Universal CDN CORS Setup Guidance
1. Log in to the Universal CDN Control panel at my.ucdn.com.
2. Navigate to the My Zones tab located in the top left corner.
3. Click on the cogwheel icon next to your CDN zone.
4. Click on the CORS tab.
5. Select the preferred mode. There are three available modes:
- Passthrough – If selected, UCDN will not append or change any CORS headers in the response. The response from the origin server will be respected as it is.
- Simple – If selected, the following headers will be added by UCDN to every response:
Access-Control-Allow-Methods: HEAD, GET, OPTIONS
- Advanced – If selected, you will have extended control of the CORS params via the UCDN control panel. The available params in Advanced mode are:
Allow origin: Select Custom list of origins to enter the allowed list of origins (one per line), or select regex and enter a pattern in Perl-compatible regular expression (PCRE) syntax. UCDN will set the Access-Control-Allow-Origin response header if the Origin header in the request matches the provided regex or is in the specified list. If there is no match, no Access-Control headers will be appended to the response.
Allow Credentials: If checked, the value of the Access-Control-Allow-Credentials header will be set to true, which will expose the response to the frontend scripting engine if the request’s credentials mode is include and the Origin header in the request matches the allowed list.
Allow Methods: Select one or all of the following methods GET, HEAD, OPTIONS, POST. When an Access-Control-Request-Method header is in the request, the CDN will respond with the pre-selected methods.
Allow Headers: Enter the headers (one per line) that you want to be returned as the value of the Access-Control-Allow-Headers. The allowed CORS-safelisted response headers are Cache-Control, Content-Language, Content-Length, Content-Type, Expires, Last-Modified, Pragma.
Max age: Sets Access-Control-Max-Age in seconds.
Expose Headers: Enter the headers (one per line) that you want to be returned as the value of the Access-Control-Expose-Headers. The Access-Control-Expose-Headers header allows the server to indicate which response headers should be made available to scripts running in the browser in response to a cross-origin request. Only the CORS-safelisted response headers are exposed by default.
6. Click on the Save changes button.
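One way to check an Allow origin regex before saving it in Advanced mode, shown as an added example that is not UCDN's own code. It assumes the pattern is applied as an unanchored search and that the matching Origin is echoed back in Access-Control-Allow-Origin; example.com, the two patterns and the sample origins are constructed.

```python
import re

# Constructed patterns for a hypothetical site, example.com.
LOOSE = r"https://.*example.com"                   # unanchored, unescaped dot
STRICT = r"^https://([a-z0-9-]+\.)?example\.com$"  # anchored, dots escaped

def cors_headers(origin, allow_list=(), allow_regex=None, allow_credentials=False):
    """Model of the Advanced-mode rule described in step 5.

    Assumptions (not confirmed by the page): the regex is applied as an
    unanchored search and the matched Origin value is echoed back.
    """
    if origin is None:
        return {}
    matched = origin in allow_list
    if not matched and allow_regex is not None:
        matched = re.search(allow_regex, origin) is not None
    if not matched:
        return {}  # no match: no Access-Control headers are appended
    headers = {"Access-Control-Allow-Origin": origin}
    if allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers

# Constructed Origin values: two intended origins, three look-alikes.
SAMPLES = [
    "https://example.com",
    "https://app.example.com",
    "https://example.com.other.test",
    "https://notexample.com",
    "https://examplexcom.test",
]

def audit(pattern):
    """Return the sample origins that the pattern would allow."""
    return [o for o in SAMPLES if cors_headers(o, allow_regex=pattern)]

if __name__ == "__main__":
    for name, pattern in (("loose", LOOSE), ("strict", STRICT)):
        print(name, audit(pattern))
```

The loose pattern allows all five origins, while the anchored pattern allows only the two intended ones; this matters most when Allow Credentials is checked.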