Profile picture
, 20 tweets, 9 min read
My Authors
Read all threads
Having problems with #CORS (Cross Origin Resource Sharing) almost every time ?
Wondering why you mostly always run into a blocked request ?

Remember that it's all about 3 rules that aren't mutually exclusive.

I'll be writing about them in 10 mins time (don't miss it)

#Thread
What is CORS ?

Simply defined as a access control security restriction that is used to limit cross-domain communication based on the origin of a web site or app.

The key word here is Access Control - which is about authorization of http requests

#Thread \1
Another key word is Origin: the origin is based off a combination of 2 things

1. A Scheme /Protocol( http / https )
2. A Host/Sub+Top Level Domain ( google.com )

Ok ? Cool!

Now you ask

How does this CORS thing actually work ?

#Thread \2
When a site makes a request to another site

e.g. accounts.google.com ---> makes request to ----> mail.google.com. How is that request handled ?

Well the first question to ask: is this a cross domain request or not ?

Yes... It's a cross domain request

#Thread \3
How ? Well, in as much as the Scheme/Protocol is the same ( https ), the Host isn't exactly the same

1. accounts.google.com
2. mail.google.com

"accounts" and "mail" are not the same

But just because it's cross domain doesn't mean it will be CORS worthy

#Thread \4
CORS worthy means that the restrictions will be triggered based on the origin of the web request which also means that the request has the potential to be blocked.

If you don't pick up any other thing from this #Thread, Just remember that:

#Thread \5
NOT ALL CROSS DOMAIN REQUESTS AUTOMATICALLY TRIGGER RESTRICTIONS

Why ? Because being a cross domain is not enough to trigger restrictions

There are as i said earlier 3 rules which you must keep in mind.

#Thread \6
Any time at least one of this rules is broken, then you can be certain that the restrictions can be triggered or there can be the possibility of a blocked request

RULE 1:

The request is not a GET, HEAD or POST

Simple and straight-forward huh ? Yeah!!

#Thread \7
So, when the request is cross domain based on the origin and the request method is not GET, HEAD or POST. then know that the CORS restriction may likely be triggered.

When CORS is triggered, an OPTIONS (pre-flight) request is fired first before the main request.

#Thread \8
The pre-flight request starts off a chain of exchanges (http headers: request & response ) between the browser and the server.

Access-Control-Request-* request headers
Access-Control-Allow-* response headers

We'll talk more about these exchanges in detail later on.

#Thread \9
RULE 2:

If the request method is not GET or HEAD and includes a
"Content-Type" request header. The Content-Type header value is not any of these 3 values

1. text/plain
2. application/x-www-form-urlencoded
3. multipart/form-data
So what this means in a nutshell is that if you use a HTML Form ( #enctype equalling of any of the 3 mime types above) to make a cross domain request, you will NEVER trigger a restriction or a potential request block

#Thread \11
Also, Since Content-Type for graphql requests is either

1. application/json
2. application/graphql

As opposed to

1. application/x-www-form-urlencoded
2. multipart/form-data
3. text/plain

#Thread \12
This clearly means that graphql requests will ALWAYS trigger a restriction or potential request block too (a.k.a OPTIONS requests will be made before the main http request)

RULE 3:

Special/Custom request header(s) like "Authorization" or "X-Requested-WIth" is set

#Thread \13
If you have an "Authorization" request header set in your request and the request method is POST and the request is cross domain request and "Content-Type" is "multipart/form-data", it will still trigger a CORS restriction.

It means that all 3 rules MUST be obeyed!

#Thread \14
If you do find yourself in a situation where a CORS restriction is triggered and you get that "annoying" error in the browser console. There are a few things to do on both the browser and the server

#Thread \15
The first thing is to start off on the server and setup which Origin(s) you wish to allow if you have control over the server OR find out which Origin(s) are allowed if you don't have control over the server

Then, setup the right Access-Control HTTP request headers

#Thread \16
Firstly, the browser always sets up Origin request header which will be used to identify the requester. if the server is setup for CORS, the server responds with a Access-Control-Allow-Origin response header. No OPTIONS request is triggered and everything works

#Thread \17
If you have custom HTTP request headers set, then you may need to inform the server to "allow" them

For example:

http-request-from-browser:
Access-Control-Request-Headers: Authorization

http-response-from-server:
Access-Control-Allow-Headers: Authorization

#Thread \18
@threadreaderapp unroll
Missing some Tweet in this thread? You can try to force a refresh.

Enjoying this thread?

Keep Current with Okechukwu Ifeora

Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Related hashtags

#CORS #Thread #enctype

More from @isocroft see all

Profile picture
Okechukwu Ifeora
@isocroft
I know you have heard of password #Salts which are similar to Nonces and used to add uniqueness to passwords and protect against pre-computed hashes (rainbow tables).

Did you also know about password #Peppers ? They are equally important too.
In modern web applications of today, you should #Pepper your passwords as well as #Salt them too before hashing them. Here is the order:

Original Password ---> Salt ---> Pepper ---> Hash ---> Store-In-DB.

However, if you #Pepper passwords wrongly. It could be very disastrous!
What do i mean by this ?

Well, the simplest (and safest - very important) way to #Pepper a password is to HMAC(Original_Password, key) it.

HMACs are resistant to length-extension attacks & brutes-force attacks.

There must be a #Pepper key used for the HMAC too
Read 16 tweets
Profile picture
Okechukwu Ifeora
@isocroft
Finally, when you are building a #PWA & setting up a service worker, this is how i feel your fetch event handler should be to handle a myriad of edge cases:

Part 1:
This part shows a CACHE FIRST LOOKUP. Also notice when the app is offline. Setup fetch to work with the HTTP cache
Part 2:
This part show a NETWORK NEXT LOOKUP. We detect errors with the fetch request first and return early. Then detect server-sent events and return too. Then split the by content type: html,css,js,svg responses gets put in the cache and json responses gets put in IndexedDB.
Notice this area: it helps us handle cache eviction gotchas that might hit us when developing a PWA

Don't worry the navigator object is very well accessible inside both Web Workers & Service Workers.

Notice how persist the cache after updating with `cache.put()`
Read 6 tweets
Profile picture
Okechukwu Ifeora
@isocroft
So, my thread on how to choose databases for your web apps starts in 20 minutes time. Hope y'all are ready ?However, this time i would love it to be an interactive session where we can learn from each other about database preferences for specific web apps and the use case
#thread
This is what we want to talk about today. Take a really good look at the image below. Study it well. Also notice the words at the 3 vertexes of the triangle. CONSISTENCY, AVAILABILITY & PARTITION-TOLERANCE (Big English - but fear not, we shall demystify all and it'll all be easy)
If we also look at the image in the previous tweet on this thread we can see some popular databases placed at certain sides of the triangle. It is important to note also the positioning of some of a particular point on each side. We shall discuss this in more detail soon. #thread
Read 48 tweets

Related threads

Profile picture
Nathan Waddell
@drnjwaddell
I'm striking as part of the #UCUstrikes. I'm doing this for personal and professional reasons, though the two are interrelated. I enjoy my job, broadly speaking, and don't want to withdraw my labour, but the integrity of a profession is at stake, and colleagues are suffering. [1/
10 years ago, when I started out, UK HE was already a place where you had to work way, *way* beyond your contracted hours just to keep up with day-to-day business: e.g. emails, meetings, teaching & related teaching admin, plus research. [2/
Ten years later, I wouldn't be able to do *the minimum* for my job without working massively overtime: at weekends, in evenings & early mornings. I used (wrongly) to think this was a badge of honour. It's not, and I was a fool. It's damaging, for me and for others. [3/
Read 21 tweets
Profile picture
Ryan Hurst
@rmhrisk
So for web-based PKI applications to properly validate chains they need the ability to fetch crypto evidence such as CRLs, OCSP responses, and sometimes intermediate certs.
This is problematic because the browser enforces the same-origin policy (as it should) which means a web application can not fetch these bits of evidence. The browser provides a mechanism to bypass this limitation, it is called Cross-Origin Resource Sharing (CORS).
The thing is virtually no certificate/CRL repositories or OCSP responders set the CORS policies in such a way to allow web applications to request these resources.
Read 8 tweets
Profile picture
CtrlSec
@CtrlSec
📊#Time for monthly #stats

Good news! #ISIS activity on @Twitter decreased again in June: 7 195 new 🎯That's 12% less compared to May.
Again, 88% of these accounts were hacked: old, inactive, weakly protected.
They could easily be frozen in bulk. 😐

Thanks everyone!
#opiceisis
📊Time for monthly #stats

In average, we found 240 new #ISIS accounts per day in #June2019 (May: 263). Always the same guys, coming back again and again, spreading mostly the same propaganda month after month.
A bunch of losers...

#opiceisis
📊Time for monthly #stats

Less good news now. With 6 903 suspensions for 7 195🎯, the outcome (96%) slightly dropped again, by 1%.
@TwitterSupport provided a lower service this month for #ISIS accounts removals, both in terms of quantity...

#opiceisis
Read 6 tweets
Profile picture
OluSamuelToday
@OlusamuelToday
#Remember
In Deuteronomy 8, Moses gave a very powerful speech. It was actually a Message. Moses told the children of Israel, and us by extension, in verse 2 to 'remember all the way which the Lord thy God led thee'. #Remember
The greatest crime anyone of us will commit is to forget. We must #Remember all the way we were brought through because if we don't, we will misbehave and if we misbehave, we will suffer the consequences.
Read 17 tweets
Profile picture
Cyrus Toulabi
@CyrusToulabi
#BREAKING: Maria Butina PLEADS GUILTY to acting as an agent of the Kremlin — agreeing to cooperate w/ Federal Prosecutors.

The "Russian gun-rights activist" is the first Russian national convicted for conspiring to influence U.S. Policy.

She infiltrated the NRA and GOP in 2016.
#RELATED: Russia, Dark Money, the NRA, and the 2016 election.

Thankfully, the Senate just overturned the Trump administration rule change that would've allowed orgs like the NRA to keep donors secret...

...a rule changed the same day Butina was charged.
#RELATED: The wife of a former NRA president offered Maria Butina 1 million dollars to secure tons of Russian jet fuel for an American middleman. The scheme would've violated sanctions.

Clearly, those around the NRA knew Butina wasn't just an "activist."
Read 5 tweets
Profile picture
Ian Danskin
@InnuendoStudios
Having finished The Authoritarians, it's time to start a new thread of #IanLivetweetsHisResearch. Today I am finally getting past the introduction of How Propaganda Works by Jason Stanley.
Having slogged through some proper academic writing in my day, Stanley's writing is blessedly accessible. But after Altemeyer's light tone and constant dad jokes, Stanley's reads as pretty dry.
So far the introduction is full of a lot of quotations about the nature of democracy, from Victor Klemperer to Elizabeth Anderson to Plato. OF COURSE Plato.
Read 409 tweets

Trending hashtags

#debatenight #TrumpB #tngop #VoterFraud #LiveMyLifeInColour #KIDS4TRUMP #futureofwork #ReadTheMuellerReport #TweetTheMuellerReport #voted #nohillary2016 #Taekook #HARASS #SHILL #CHILDREN #RussellCapone #sharing #RUN #clock #NewYorkValues #time #gigeconomy #socialdialogue #Vaccines #capitalist
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!