Why do we need CORS?
Such attacks appear to the attacked service as legitimate traffic, since they originate from an ordinary browser and arrive complete with whatever cookies you hold for that site. The browser's same-origin policy protects you from this kind of attack by refusing to let script on one origin use AJAX to read data from another host: the hostile page can run in your browser, but it cannot pull your data out of another site's responses.
What is CORS?
CORS bridges the gap between security and flexibility by letting a host specify which of its resources may be read from other origins, and by which origins. This allows you to make a REST API available to browser code running on other domains while leaving your login page protected by the same-origin policy.
Adding CORS support is as simple as adding one extra HTTP response header that specifies which origins may access a given resource. To allow any origin to access a resource, you would include the header Access-Control-Allow-Origin: * in responses to requests for that resource.
Or, to allow access only from Flurry's own website, you would put that site's exact origin (scheme, host and port) in place of the wildcard. The distinction matters for anything that relies on the user's session: browsers will not expose a credentialed (cookie-carrying) response to script when the header is the wildcard, so an API that is called with cookies must name the allowed origins explicitly.
Note that since the CORS header is in the response of the HTTP request, the request has already been made before your browser evaluates whether to allow access to the result. It's important to keep that in mind: even if the browser detects a CORS violation, the request will already have been processed on your servers. The one exception is a request the browser considers non-simple (an unusual method, custom headers, or a JSON body), for which it first sends an OPTIONS preflight and only follows up with the real request if the preflight is approved; the preflight itself still reaches your server, so this does not change the basic point.
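As an added illustration of the two points above (a specific-origin allow-list instead of the wildcard, and the fact that the request has already reached the server when the header is evaluated), here is a CORS decision function for a Node.js-style HTTP handler. This is example code written for this page, not code from the original post or from Flurry; the allow-listed origins, the sample requests and the response shapes are assumptions made for the illustration.

```javascript
// Added example, not from the original post. The origins below are assumed
// first-party sites for the illustration.
const ALLOWED_ORIGINS = new Set([
  "https://api.example.com", // the API's own origin (browsers send Origin on same-origin POST too)
  "https://www.example.com", // assumed first-party website
  "https://app.example.com", // assumed first-party single-page app
]);

// Decide what CORS headers to attach, or whether to refuse the request before
// any handler runs. `req` is { method, headers } with lowercase header names,
// the same shape as Node's IncomingMessage.
function corsDecision(req, { allowCredentials = false } = {}) {
  const origin = req.headers["origin"];

  // No Origin header: a same-origin GET, curl, or a server-to-server call.
  // Not a cross-origin browser request, so no CORS headers are needed.
  if (origin === undefined) {
    return { action: "proceed", status: 200, headers: {} };
  }

  if (!ALLOWED_ORIGINS.has(origin)) {
    // The browser would withhold the response from script anyway, but by the
    // time it does so the request has already been processed. Rejecting here
    // means the real handler (and its side effects) never runs for origins we
    // do not trust. Origin is browser-supplied and can be forged by non-browser
    // clients, so this is defence in depth, not authentication.
    return { action: "reject", status: 403, headers: {} };
  }

  // Echo the single matching origin rather than "*": the wildcard cannot be
  // combined with Access-Control-Allow-Credentials, and an explicit value keeps
  // the allow-list auditable. Vary: Origin tells caches the response differs
  // per requesting origin, so one origin's answer is not served to another.
  const headers = {
    "Access-Control-Allow-Origin": origin,
    "Vary": "Origin",
  };
  if (allowCredentials) {
    headers["Access-Control-Allow-Credentials"] = "true";
  }

  // Preflight: the browser asks permission before a non-simple request
  // (PUT/DELETE, custom headers, JSON body). Answer it without running the
  // handler; the browser sends the real request only if this succeeds.
  if (req.method === "OPTIONS" && req.headers["access-control-request-method"] !== undefined) {
    headers["Access-Control-Allow-Methods"] = "GET, POST, PUT, DELETE";
    headers["Access-Control-Allow-Headers"] =
      req.headers["access-control-request-headers"] || "Content-Type";
    headers["Access-Control-Max-Age"] = "600"; // seconds the browser may cache this answer
    return { action: "preflight", status: 204, headers };
  }

  return { action: "proceed", status: 200, headers };
}

// The weak configuration, for contrast: reflecting whatever Origin arrives and
// also allowing credentials lets any website read the logged-in user's data.
// This is the pattern to avoid, not something to deploy.
function reflectAnyOrigin(req) {
  return {
    "Access-Control-Allow-Origin": req.headers["origin"] || "*",
    "Access-Control-Allow-Credentials": "true",
  };
}

// Constructed sample requests, as a browser would send them.
const SAMPLE_REQUESTS = {
  sameOriginGet: { method: "GET", headers: {} },
  allowedGet: { method: "GET", headers: { origin: "https://www.example.com" } },
  hostileGet: { method: "GET", headers: { origin: "https://evil.example.net" } },
  preflight: {
    method: "OPTIONS",
    headers: {
      origin: "https://app.example.com",
      "access-control-request-method": "PUT",
      "access-control-request-headers": "content-type, x-api-token",
    },
  },
};

module.exports = { ALLOWED_ORIGINS, corsDecision, reflectAnyOrigin, SAMPLE_REQUESTS };
```

To wire this into a server, call corsDecision at the top of the request handler, copy the returned headers onto the response, and end the response immediately with the returned status for the "reject" and "preflight" actions; only the "proceed" action should fall through to the code that actually serves the resource.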
Not all browsers support CORS yet, but most modern browsers do. You can read more on the CORS Wikipedia page.