In the old days, the options for cross-domain requests were limited to techniques like JSON-P (which has limited use due to security concerns) or setting up a custom proxy (which can be a pain to set up and maintain).
Cross-Origin Resource Sharing (CORS) is a W3C spec that allows cross-domain communication from the browser.
The first thing to note is that a valid CORS request *always* contains an Origin header. This Origin header is added by the browser and cannot be controlled by the user.

HTTP Request:

POST /cors HTTP/1.1
Origin: http://api.bob.com
Host: api.bob.com

HTTP Response:

Access-Control-Allow-Origin: http://api.bob.com
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: FooBar
Content-Type: text/html; charset=utf-8
All CORS related headers are prefixed with "Access-Control-".
Access-Control-Allow-Origin (required) - The value can echo the Origin request header, as in the example above. If you'd like any site to be able to access your data, using '*' is fine.
Access-Control-Allow-Credentials (optional) - By default, cookies are not included in CORS requests. Use this header to indicate that cookies should be included in CORS requests.
Access-Control-Expose-Headers (optional) - By default, the getResponseHeader() method can only access simple response headers (Cache-Control, Content-Language, Content-Type, Expires, Last-Modified, Pragma). If you want clients to be able to access other headers, you have to use the Access-Control-Expose-Headers header. The value of this header is a comma-delimited list of response headers you want to expose to the client.
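As an added example (not code from the original article), here is a small server-side function that derives the three response headers above from an incoming request: it echoes an allowlisted Origin, adds Allow-Credentials only when an exact origin is echoed, and lists only the non-simple headers in Expose-Headers. The origin allowlist, the exposed header name FooBar and the sample request are constructed for the example.

```python
from typing import Dict, Iterable, Mapping

# Headers the browser exposes without Access-Control-Expose-Headers.
SIMPLE_RESPONSE_HEADERS = {
    "cache-control", "content-language", "content-type",
    "expires", "last-modified", "pragma",
}


def cors_response_headers(request_headers: Mapping[str, str],
                          allowed_origins: Iterable[str],
                          allow_credentials: bool = False,
                          expose_headers: Iterable[str] = ()) -> Dict[str, str]:
    """Return the Access-Control-* headers to add to a response.

    Returns {} when the request carries no Origin (not a CORS request) or the
    Origin is not allowlisted; without Access-Control-Allow-Origin the browser
    refuses to hand the response to the page.
    """
    allowed = set(allowed_origins)
    # Header names are case-insensitive; the browser always sends Origin on a CORS request.
    origin = next((v for k, v in request_headers.items() if k.lower() == "origin"), None)
    if origin is None:
        return {}

    headers: Dict[str, str] = {}
    if "*" in allowed:
        if allow_credentials:
            # Browsers reject '*' together with credentials; treat it as a config error.
            raise ValueError("Access-Control-Allow-Origin: * cannot be combined with credentials")
        headers["Access-Control-Allow-Origin"] = "*"
    elif origin in allowed:
        # Echo exactly this origin (never the whole allowlist) and tell shared
        # caches the answer depends on the Origin header.
        headers["Access-Control-Allow-Origin"] = origin
        headers["Vary"] = "Origin"
        if allow_credentials:
            headers["Access-Control-Allow-Credentials"] = "true"
    else:
        return {}

    # Simple headers are readable anyway; list only the extra ones.
    extra = [h for h in expose_headers if h.lower() not in SIMPLE_RESPONSE_HEADERS]
    if extra:
        headers["Access-Control-Expose-Headers"] = ", ".join(extra)
    return headers


# Constructed request matching the article's example.
SAMPLE_REQUEST = {"Origin": "http://api.bob.com", "Host": "api.bob.com"}
```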