The future of the web is cross-domain, not same-origin

Last month I released CORS Filter, the first universal software solution for fitting Cross-Origin Resource Sharing (CORS) support to Java web applications. CORS is a recent W3C effort to introduce a standard mechanism for enabling cross-site requests in web browsers and servers.

Since the early days of the web (think Netscape 2.0) browsers have enforced, to various degrees, a same origin policy to prevent leaking of confidential user data to third party sites. The same origin policy was carried over to the game-changing XHR which appeared in the early 2000s. Modern web applications, however, increasingly seek to dynamically integrate content and services from third parties, which is currently achieved through “hacks” such as JSONP. CORS was created in recognition that cross-domain requests are here to stay and are therefore better standardised.

The web context of CORS

The philosophy of CORS

CORS works in two directions:

  1. From a browser script perspective: By imposing tighter controls on data exchanged during a cross-site request. Cookies, for instance, are blocked unless specifically requested by the XHR caller and allowed by the remote web service. This reduces the risk of data leaks mentioned above.
  2. From a web service perspective: By requiring the browser to report the origin URL to the target cross-site service, so the latter can determine, based on its origin policy, whether to allow or deny the request.
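The server-side half of this exchange, as an added illustration rather than code from CORS Filter: a hypothetical helper that takes the Origin header reported by the browser and the service's own origin policy, and returns the CORS response headers (none at all when the origin is denied, which is how a browser is told to block script access). The allowlist values are constructed for the example.

```python
# Added illustration of the CORS origin decision described above.
# Hypothetical helper, not the CORS Filter project's own code.

from typing import Dict, Iterable, Optional

# Constructed sample origin policy: explicit allowlist, credentials permitted.
ALLOWED_ORIGINS = frozenset({"https://app.example.com", "https://admin.example.com"})


def cors_response_headers(origin: Optional[str],
                          allowed_origins: Iterable[str],
                          allow_credentials: bool = False) -> Dict[str, str]:
    """Decide which CORS headers to return for a request carrying `origin`.

    The browser reports the requesting page's origin in the Origin header;
    the service compares it against its own policy. Returning no
    Access-Control-Allow-Origin header makes the browser deny the script
    access to the response, so "deny" is expressed by an empty dict.
    """
    allowed = set(allowed_origins)
    if allow_credentials and "*" in allowed:
        # The spec forbids "*" together with credentials; reflecting every
        # origin while allowing cookies would undo the same-origin policy.
        raise ValueError("wildcard origin cannot be combined with credentials")

    if origin is None:
        # No Origin header: not a cross-site request, nothing to add.
        return {}
    if origin == "null":
        # "null" is sent by sandboxed frames and file:// pages; never allowlist it.
        return {}

    if origin in allowed:
        # Echo the specific origin (exact, case-sensitive match) and tell
        # caches that the response depends on the Origin header.
        headers = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    elif "*" in allowed:
        # Public resource: any origin may read it, but only without cookies.
        headers = {"Access-Control-Allow-Origin": "*"}
    else:
        return {}

    if allow_credentials:
        # Only now may the browser send and expose cookies (XHR withCredentials).
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers
```

CORS only governs what a browser lets a script read; the service must still apply its own authentication and authorisation to every request.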

The original CORS specification is available at http://www.w3.org/TR/cors/

Note that in order for CORS to work, it must be supported by both browser and web server.

Browsers supporting CORS

The following major browsers support CORS as of October 2010:

  1. Firefox 3.5+
  2. Internet Explorer 8+ (Partial support via the XDomainRequest object)
  3. Apple Safari 4+
  4. Google Chrome 3+