cross origin and cors

The browser same origin policy is a security mechanism which restricts how a document loaded from one origin can interact with another origin

For us engineers it means if you need to make (certain) kinds of requests to a different origin then you need to be aware of the restrictions and how to work around.

See mdn docs here for explanation of what is and is not considered same origin.

Some cross origin requests are allowed such as 

  • embedding: images (img), stylesheets, scripts, fonts, iframe
  • links, redirects and form submissions


So what to do if you need to make cross origin requests which are restricted?

You need to use CORS (cross origin resource sharing). It is a http header mechanism which allows a server to configure origins (other than it's own) for which it allows requests.

If mydomain.com wants to make a http request to yourdomain.com then unless yourdomain.com configures CORS that request will fail.

Some http requests are considered "simple" e.g. Get and POST using limited header. These just need the target domain to allow cors requests. This can be done by the target server responding with header Access-Control-Allow-Origin: which can allow all "*" or select origins.

For non "simple" requests CORS will include a "preflight" check using http Options and special handshake.


note: CSRF can be used on the server to protect against access from disallowed actors.

"But calling the api on postman works, why not in the browser?" - yes that's because postman does not have the restrictions a browser has.

How do I handle in my web app?

  • say you have an app which needs to make http fetch request to a non origin and the non origin urls are different in qa and production
  • the app needs to proxy the api calls when running locally e.g. to the QA endpoints (webpack dev server allows you to setup proxies)
  • tje app needs to detect the environment (qa vs production) and target the appropriate non origin domain for qa or production
  • the non origin target server needs to allow cors requests (either allow all or from this origin)




Comments

Post a Comment

Popular posts from this blog

deep dive into Material UI TextField built by mui

Image
The Material Design system is a design system used to create consistent digital experiences across platforms such as android, web and ios. Includes: a color system a typography system a shape system a grid system it addresses motion and lots more Also includes Material Theming which makes it easy to customize Material Design to match your brand. Material Design is not just a set of guidelines it is a whole ecosystem. Material itself stopped maintaining it's react implementation and recommends opensource versions.  A very popular open source implementation is  MUI ,  a react component library  built to implement Material Design . Bills itself as the "worlds most popular React UI framework" and at this time has 1.2M weekly downloads on npm and used by over 750k projects on github (did I mention it's very popular?).  Note: there are other react component libraries implementing bootstrap and ant design for example, so up to you and your design team on what you choose. 
Read more

angular js protractor e2e cheatsheet

Many from the protractor test suite category detailed task syntax example load page load a page browser.get('yoururl') browser btn actions browser back/forward browser.navigate().back() OR browser.navigate().forward() access elements on page See Protractor API list and examples from Protractors test suite access by angular ngmodel name (must match ngmodel in the html) this is the preferred approach element(by.model('person.name')); access by the css id on the page e.g, #user_name (but this can be brittle) element(by.id('user_name')) access angular binding to get generated value i.e. for {{}} element(by.binding('person.concatName')); access angular repeat list data (must match repeat stmt in the html) See Protractor test suit l
Read more

react-router v6.4+ loaders, actions, forms and more

react-router  react-router is used for in app single page app navigation, we configure routes for pages in the app to map to components react-router has over 1bn downloads, its an industry standard (but there are others e.g. Nextjs router) many apps use react-router, many on v5.x the new react-router 6.4.x the newest major version of react router v6.4 is a significant enhancement which adds a lot of new features. react-router v6.4 offers new features to load data (loaders) and handle actions (actions).  It's done gone all Remix-y which makes sense because the same guys wrote both. eliminates a lot of boilerplate code to fetch data in useEffect() and set various loading states put your data load and update logic in react-route components instead of custom code unlike Remix, react-router v6.4 is still just all on the client (not server like Remix) paradigm shifts Lets start with a couple of high level ideas; "back to the future" so to speak OR "what's old is new ag
Read more