💡 CORS 💡

If you are much like me, you've probably dealt with the rather annoying CORS error. So in this thread, I'm going to try explain it as simply as I can and how you can get around it!

🧵 👇🏾
🚀 What is CORS 🚀

CORS stands for "Cross Origin Resource Sharing". It is essentially a mechanism that allows a website on one url to request data from a different url. It allows a resource to allow some cross-origin requests while rejecting others.
When a request fails with a CORS error it is because the browser implements what we call the "same origin policy" as a part of its security model. This policy enables an api or website to request data from its own url but block any request from an...
...external url unless there are certain conditions that are fulfilled. If a request comes from `randomsite. com/api` to `randomsite .com/api`, then it is of the same origin and implicity trusted.
🚀 How does CORS work? 🚀

CORS works through the inclusion of specific headers. Every time a browser makes a request, it adds an origin header to that request. If the request goes to a server on the same origin, the request is trusted and allowed by the browser.
If however, the request goes to a different url, then we have what we call a "cross-origin" request and this request will be blocked unless certain headers are present in the request. When the server sends a response, it will append the "access-control-allow-origin" header...
...to the response and its value must match the origin header on the request or it can be a wildcard which essentially allows any url to make a request. If there is a mismatch between the url on the origin header and the value of the "access-control-allow origin" header, the...
...browser will prevent the response data from being shared with the client and this will result in an error in the browser.
🚀 Types of CORS requests 🚀
1. Simple requests that use GET, POST, or HEAD verbs.
2. A Preflight request:

The inclusion of a preflight means that there are specific things that are allowed and others that are disallowed in the simple request. What a preflight request does...
...is send an HTTP request using the OPTIONS verb. It does this to figure out whether the request is safe and accepted or not. This is merely a sanity check to ensure the safety of the request.
🚀 How can I solve the CORS error? 🚀
The solution to your CORS headache lies on the server. If you do not control the server, there is not much you can do about the error. If you do control it however, you can easily configure the server to respond with the correct header.
In expressJS, you can use CORS middleware which essentially tells your server to include the CORS headers on every single response.

If you currently have a CORS issue, head to your chrome console and open the network tab. Search for your response and look for the...
..."access-control-allow-origin" header. If you cannot find it, this means you have to enable CORS on your server. If the header does exist, the url may be a mismatch with the server in which case you should "allow this origin" or "allow *" on your server. If the request was...
...preflighted and you still run into the CORS error, there is a possibility that the server may not be allowing those methods or headers in the request. All of these things can be configured on your server!
That's it for this short installment of CORS. If you feel I have missed anything or there is anything you would like to add, feel free to do so in the comments section 🚀 !
You can follow @dollarbillrico.
Tip: mention @twtextapp on a Twitter thread with the keyword “unroll” to get a link to it.

Latest Threads Unrolled: