All notes


In old days, the options for cross-domain requests are limited to techniques like JSON-P (which has limited use due to security concerns) or setting up a custom proxy (which can be a pain to set up and maintain).

Cross-Origin Resource Sharing (CORS) is a W3C spec that allows cross-domain communication from the browser.


The first thing to note is that a valid CORS request *always* contains an Origin header. This Origin header is added by the browser, and can not be controlled by the user. HTTP Request:

POST /cors HTTP/1.1


HTTP Response:

Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: FooBar
Content-Type: text/html; charset=utf-8

All CORS related headers are prefixed with "Access-Control-".

Access-Control-Allow-Origin (required). If you’d like any site to be able to access your data, using '*' is fine.

Access-Control-Allow-Credentials (optional) - By default, cookies are not included in CORS requests. Use this header to indicate that cookies should be included in CORS requests.

Access-Control-Expose-Headers (optional). By default, the getResponseHeader() method can only access simple response headers (Cache-Control, Content-Language, Content-Type, Expires, Last-Modified, Pragma). If you want clients to be able to access other headers, you have to use the Access-Control-Expose-Headers header. The value of this header is a comma-delimited list of response headers you want to expose to the client.

Chrome extensions

Chrome extensions can make cross-domain requests to any domain *if* the domain is included in the "permissions" section of the manifest.json file: "permissions": [ "http://*"] The server doesn't need to include any additional CORS headers or do any more work in order for the request to succeed.

If the domain is not in the manifest.json file, then the Chrome extension makes a standard CORS request.

The value of the Origin header is "chrome-extension://[CHROME EXTENSION ID]". This means requests from Chrome extensions are subject to the same CORS rules.