CORS FAQ

Author: skirtle First posted: 14-Apr-2020 Last updated: 14-Apr-2020
CORS

I've written an FAQ for CORS (cross-origin resource sharing). It's at https://cors-errors.info/faq.

As well as the FAQ there are also pages listing the CORS error messages shown in Chrome and a CORS header checker.

Over the past couple of years I've seen a lot of CORS questions being posted on Stack Overflow. Often the posters have little or no awareness of CORS, they just know that their code doesn't work.

While Stack Overflow does have a lot of existing answers to CORS questions there are a few key problems with those answers:

  • Those in need of help often don't know what to search for.
  • Many of the answers don't reflect how CORS is implemented in the latest web browsers.
  • The most popular questions often have dozens of posted answers, many of which are misleading or not relevant. Some are just plain wrong despite being highly voted or accepted answers.
  • The answers are typically framed in terms of the specific circumstances outlined in the question.
  • There isn't a coherent narrative across different questions.

Of course there are already lots of other sources of information about CORS that are both accurate and consistently written. These tend to fall into one of two categories:

  • The specifications, which are comprehensively overwhelming for newcomers.
  • Beginners' guides, which are often quite good but necessarily limited in scope.

Rather than writing yet another guide I've instead gone with an FAQ. If you're new to CORS then I'd still recommend reading a proper guide to get a basic grasp of the subject. My FAQ then covers the most common problems and misunderstandings. Hopefully the Q&A format will make it easier to find relevant information on specific problems.

One thing that is notably absent from most of my answers is a specific explanation of how to fix a particular problem. In most cases that isn't an oversight, it just isn't something that can feasibly be included. While it is possible to include advice such as 'you need to return response header X', the details of how to do that depend on the server-side stack being used.

Further, there is no definitive way to 'enable CORS' for a particular server. Without a good understanding of CORS it isn't even possible to decide what the desired outcome should be, let alone how to achieve it. CORS is used to relax important security restrictions and more often than not it's configured by trial and error without any real appreciation of the risks it poses.

Ultimately, that is the fundamental problem. Most developers are in a hurry and don't really want to learn how CORS works. To many it seems like an artificial problem that has been forcibly imposed on them by overzealous security nerds who live in dark basements. It isn't. It's both important and necessary but that only becomes clear after you've done the reading required to understand it.

Hopefully my FAQ can help to make this particular topic a little more digestible.