background preloader

Using CORS

Using CORS
Introduction APIs are the threads that let you stitch together a rich web experience. But this experience has a hard time translating to the browser, where the options for cross-domain requests are limited to techniques like JSON-P (which has limited use due to security concerns) or setting up a custom proxy (which can be a pain to set up and maintain). Cross-Origin Resource Sharing (CORS) is a W3C spec that allows cross-domain communication from the browser. By building on top of the XMLHttpRequest object, CORS allows developers to work with the same idioms as same-domain requests. The use-case for CORS is simple. As you can see from this example, CORS support requires coordination between both the server and client. Making a CORS Request This section shows how to make a cross-domain request in JavaScript. Creating the XMLHttpRequest object CORS is supported in the following browsers: Chrome, Firefox, Opera and Safari all use the XMLHttpRequest2 object. Event handlers withCredentials Resources

AngularJS, Jersey, JSP and Java EE 6 » Imifos' Lucubratory The “topro” project (short for “topic proposer”, sorry I wasn’t very inspired on this) is a test that I made to play around with AngularJS. In the opposite to a lot of AngularJS examples on the net, the project implements the entire chain: AngualarJS on the browser side, REST to communicate with the application server, JAX-RS/Jersey as server-side REST implementation, JSP as templating system of the server-side front-end, Java EE 6 for server-side back-end. The project demonstrates many different things, some of them enumerated hereunder. The choice of using JSP technology for templating may seem strange at first sight. Concerning JSP, one has to admit that, despite of its age, it’s a great and proven technology. For simplification, the project doesn’t use a database. The complete source code can be found here: Some things discussed in this project: See web.xml and eu.lucubratory.topro1.front.res.page.MainPageResource

HTTP access control (CORS) - HTTP A resource makes a cross-origin HTTP request when it requests a resource from a different domain than the one which the first resource itself serves. For example, an HTML page served from makes an <img> src request for Many pages on the web today load resources like CSS stylesheets, images and scripts from separate domains. For security reasons, browsers restrict cross-origin HTTP requests initiated from within scripts. For example, XMLHttpRequest and Fetch follow the same-origin policy. So, a web application using XMLHttpRequest or Fetch could only make HTTP requests to its own domain. The Cross-Origin Resource Sharing (CORS) mechanism gives web servers cross-domain access controls, which enable secure cross-domain data transfers. This article is for web administrators, server developers, and front-end developers. This cross-origin sharing standard is used to enable cross-site HTTP requests for: Overview Simple requests Origin See also

janl/mustache.js Cross-Origin Resource Sharing Abstract This document defines a mechanism to enable client-side cross-origin requests. Specifications that enable an API to make cross-origin requests to resources can use the algorithms defined by this specification. If such an API is used on resources, a resource on can opt in using the mechanism described by this specification (e.g., specifying Access-Control-Allow-Origin: as response header), which would allow that resource to be fetched cross-origin from Status of this Document This section describes the status of this document at the time of its publication. This document has been reviewed by W3C Members, by software developers, and by other W3C groups and interested parties, and is endorsed by the Director as a W3C Recommendation. If you wish to make comments regarding this document, please send them to public-webappsec@w3.org (subscribe, archives). Table of Contents 1 Introduction 2 Conformance The .

NodeCellar: Sample Application with Backbone.js, Twitter Bootstrap, Node.js, Express, and MongoDB In my previous post, I shared my recent experience building a RESTful API with Node.js, MongoDB, and Express. In this post, I’m sharing the client application that uses that RESTful API. The Node Cellar application allows you to manage (retrieve, create, update, delete) the wines in a wine cellar database. The client application is built with Backbone.js and Twitter Bootstrap. Run the Application You can run the application here. NOTE: Node.js is running on port 3000 on my EC2 Instance. Server-Side The details of the Node.js, MongoDB, and Express implementation are documented in my previous post. Client-Side In this application, Node.js is used to provide the RESTful services that the client application needs to manipulate the data. This is a Node.js and MongoDB powered version of an application I initially posted here with PHP and Java backends. Source Code The source code is available in this repository on GitHub.

Cross-Domain Requests with CORS Cross-Origin Resource Sharing (CORS) is a powerful technology for static web apps. To understand what it is and why it's important, you first need to understand a bit about how browsers work. The Same-Origin Policy The Same-Origin Policy restricts the browser from performing certain actions by scripts or documents based on the origin. A parent document can't access the contents of an <iframe> that comes from a different origin. The Same-Origin Policy is a vital piece of web security architecture, but it also poses a problem. Enter Cross-Origin Resource Sharing CORS allows you to more cleanly separate your front-end from your back-end. If you are building an application using a third-party data provider or an API that already supports CORS, there isn't much else you need to know! Implementing CORS CORS is a group of special response headers sent from the server that tell a browser whether or not to allow the request to go through. Access-Control-Allow-Origin:

RESTful services with jQuery and Java using JAX-RS and Jersey NOTE: This is the Java version of this article and its companion app. A PHP version is available here. This is a more in depth version of my previous post on the same topic. The previous article only covered the HTTP GET method for building RESTful services. GET to retrieve and search dataPOST to add dataPUT to update dataDELETE to delete data The application used as an example for this article is a Wine Cellar app. You can run the application here. Implementing the API using JAX-RS JAX-RS makes it easy to implement this API in Java. Quick look at the JAX-RS annotations used in this class: @GET, @POST, @PUT, @DELETE: HTTP method the class method responds to. The jQuery client below sends data to the server using JSON (addWine() and updateWine() methods). The approach you use to actually retrieve the data is totally up to you. Testing the API using cURL If you want to test your API before using it in a client application, you can invoke your REST services straight from a browser address bar.

CORS Enabled - W3C Wiki What is CORS about? CORS is a specification that enables truly open access across domain boundaries. Why is CORS important? Currently, client-side scripts (e.g., JavaScript) are prevented from accessing much of the Web of Linked Data due to "same origin" restrictions implemented in all major Web browsers. While enabling such access is important for all data, it is especially important for Linked Open Data and related services; without this, our data simply is not open to all clients. If you have public data which doesn't use require cookie or session based authentication to see, then please consider opening it up for universal JavaScript/browser access. For CORS access to anything other than simple, non auth protected resources please see this full write up on Cross Origin Request Security. How can I participate? Granting JavaScript clients basic access to your resources simply requires adding one HTTP Response Header, namely: At the HTTP Server level... For Apache a2enmod headers For nginx In PHP

Integrating Bean Validation with JAX-RS in Java EE 6 » samaxes This article was first published on Java Advent Calendar. Introduction to Bean Validation JavaBeans Validation (Bean Validation) is a new validation model available as part of Java EE 6 platform. The Bean Validation model is supported by constraints in the form of annotations placed on a field, method, or class of a JavaBeans component, such as a managed bean. Several built-in constraints are available in the javax.validation.constraints package. The Java EE 6 Tutorial lists all the built-in constraints. Constraints in Bean Validation are expressed via Java annotations: Bean Validation and RESTful web services JAX-RS 1.0 provides great support for extracting request values and binding them into Java fields, properties and parameters using annotations such as @HeaderParam, @QueryParam, etc. The next release, JAX-RS 2.0, includes a proposal to enable validation annotations to be combined with JAX-RS annotations. However, at the moment, the only solution is to use a proprietary implementation.

Making Cross-Domain Requests with CORS One thing I ask interview candidates is how to make cross-domain requests with Javascript. All too often, interviewees only come up with JSON-P and proxying as a solution. This is insufficient for JS devs in 2012. Johnny Wey has a great write up on JSON-P and why you might not want to use it. Libraries like jQuery will handle all of the complexities of this and gracefully degrade to other technologies as much as possible, but it is important for JSers to know what is going on under the covers. That’s where this post comes in. Background HTTP requests from Javascript are traditionally bound by the Same Origin Policy, which means that your ajax requests must have the same domain and port. CORS stands for Cross-Origin Resource Sharing. Why you should use CORS Compared to proxying, the significant advantage of CORS is not having another system component, possibly complicating the app. It has a few big advantages over JSON-P as well: How CORS works GET Simple vs.

RESTful Web Services with NetBeans, Jersey and Tomcat | VicHargrave.com Although Eclipse is commonly used for Java web service programming, it can be challenging to configure and use for testing. Luckily Eclipse is not the only IDE game in town. NetBeans provides a rich environment for developing Java web services with Jersey – the reference implementation of JAX-RS RESTful web services. This article will explain how to create a simple RESTful service and test it with the Apache Tomcat Server from the NetBeans IDE. RESTful Web Services What is REST? Representational State Transfer or REST refers to a design model for distributed systems that was originally described by Roy Fielding, one of the authors of the HTTP protocol versions 1.0 and 1.1. REST involves the transfer of resources between clients and servers. There are no hard and fast rules about what resources are exchanged between clients and servers. HTTP Service Requests RESTful web services are implemented using one or more of the following four HTTP request types depending on the design of the system.

Understanding Cross-Origin Resource Sharing (CORS) Note: This is a pretty trivial example I created for the purposes of illustration. I intentionally did not use of any frameworks. The onLoadHandler() function creates an XMLHttpRequest and opens it for a GET request to the GitHub API URL. The third parameter for the open method, is set to true, and specifies that this request is asynchronous. Next, the code snippets create the event handlers for the request. We are only handling the onload and onerror events but there are a number of other events available using CORS including onloadstart, onprogress, onabort, ontimeout, and onloadend events. Chrome, FireFox, Opera, Safari browsers Chrome supported CORS through the XMLHttpRequest level 2 as of version 3 (which seems like ages ago). Internet Explorer Sadly, Internet Explorer is the only browser that merits its own section here.

Related: