What is CORS? 

A shot of code

CORS - Cross Origin Resource Sharing allows us to relax the security applied to an API. By default the Same-Origin Policy applies and a website can only make calls to its own origin. However, where you have a subdomain or third-party sites that need access to your API, CORS allows us to grant it to just those specific sites without having to open up the API to all origins. In this tutorial video we look at some example APIs on the web today and how they handle CORS.
swapi.co/
api.chucknorri...
CORS adds the response header [Access-Control-Allow-Origin], which specifies which origins are to be permitted access. This can include a wildcard, which is how the above 2 sites handle this.
We then create our own sample API and show how to add CORS headers to allow access from other origins. The example is created in dotnet core within Visual Studio.
It should be noted that CORS and SOP are applied by web browsers and do not take effect in other applications. So a node console app would be able to access an API even though it is not from the same origin.
P.S. Just joined Buy Me a Coffee :-)
www.buymeacoff...
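As an added example (not the video's dotnet core code), the JavaScript below chooses the CORS response headers for the two cases the description mentions, a wildcard for a public API and named origins for a restricted one, and compares them with a setting that copies any Origin back with credentials. The origins and function names are assumptions made for illustration.

```javascript
// Added example: framework-agnostic CORS header selection (not the video's code).
// The origins in ALLOWED_ORIGINS are constructed sample values.
const ALLOWED_ORIGINS = new Set([
  "https://www.example.com",
  "https://app.example.com",
]);

// Public, read-only API: any origin may read, so the wildcard is enough.
// Browsers reject the wildcard on credentialed requests, so it only suits open data.
function publicApiHeaders() {
  return { "Access-Control-Allow-Origin": "*" };
}

// Restricted API: echo the Origin back only when it is an exact allowlist match.
// Vary: Origin stops a shared cache from serving one origin's answer to another.
function allowlistHeaders(requestOrigin, { credentials = false } = {}) {
  const headers = { Vary: "Origin" };
  if (!requestOrigin || !ALLOWED_ORIGINS.has(requestOrigin)) {
    return headers; // no Access-Control-Allow-Origin: the browser blocks the read
  }
  headers["Access-Control-Allow-Origin"] = requestOrigin;
  if (credentials) headers["Access-Control-Allow-Credentials"] = "true";
  return headers;
}

// Weak setting for comparison: copies whatever Origin arrives, with credentials.
// Every site is then treated as trusted, which defeats the point of an allowlist.
function reflectAnyOriginHeaders(requestOrigin) {
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Audit helper: flags a policy function that grants an origin nobody listed.
function grantsUnlistedOrigin(policyFn) {
  const probe = "https://unlisted.invalid"; // constructed probe value
  const h = policyFn(probe, { credentials: true });
  return h["Access-Control-Allow-Origin"] === probe;
}

console.log(publicApiHeaders());
console.log(allowlistHeaders("https://app.example.com", { credentials: true }));
console.log(allowlistHeaders("https://other.example.net"));
console.log("allowlist grants unlisted origin:", grantsUnlistedOrigin(allowlistHeaders));
console.log("reflection grants unlisted origin:", grantsUnlistedOrigin(reflectAnyOriginHeaders));
```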

Published: 3 Oct 2024

Comments: 101
@jeroincababat565 2 months ago
I appreciate that you didn't cut the video when you encountered an error. It demonstrates what happens in real-world coding.
@Ashotofcode 2 months ago
Cool thanks :-)
@mib141345 3 years ago
You explained in 13 mins what I spent hours reading and not comprehending. Thanks!
@Ashotofcode 3 years ago
Glad it helped Doran!
@maspoetry1 3 years ago
I merge to the crowd, great video. Thanks. I like when you solve the problems in real time, without editing.
@Ashotofcode 3 years ago
No problem!
@mujthabahassan7614 4 years ago
Thanks a lot, I was scratching my head a lot over this but you explained it briefly yet comprehensively
@Ashotofcode 4 years ago
Hi Mujthaba, glad it was helpful 😀
@tajsec498 3 years ago
whole day I was struggling with this :)) your explanation was clearrr, thanksss
@Ashotofcode 3 years ago
Glad it helped! :-)
@suryakiran2207 4 years ago
More simplified, thanks a lot for great explanation.
@tedisrozenfelds7630 2 years ago
I liked that you failed a couple of times and then debugged your own code. That actually showed some common mistakes that can be made and should be avoided!
@Ashotofcode 2 years ago
Cool thanks Tedis 😀
@Hamza_lachgar 2 months ago
Thanks for this amazing tutorial. It clarifies my knowledge about CORS
@Ashotofcode 13 days ago
You are welcome! Cheers Mark
@wesleygomes4154 1 year ago
Man, thanks a lot for sharing this knowledge. You made this topic very clear to me now!
@joespinelli3604 4 years ago
Awesome stuff! Thanks for being so clear and the example was very easy to follow:)
@dhruvpatel6937 5 months ago
Very clear explanation, thank you kind sir!
@Ashotofcode 4 months ago
Welcome :-) Cheers Mark
@micahnewsum3667 3 years ago
Props to this guy for live coding.
@Ashotofcode 3 years ago
Thanks Micah :-)
@nyplace1 1 year ago
phenomenal explanation!
@RedditMidlySatisfying 2 months ago
Watched once subscribed twice.
@ArijeetSarkar7 3 years ago
It helped me understand what is CORS and I solved a real world problem. The problem was the origin doesn't support any headers and I was sending one. After I removed it, it started working.
@Ashotofcode 3 years ago
Excellent, glad it helped Arijeet :-)
@BB855036 4 years ago
Great explanation. Thanks!
@Ashotofcode 4 years ago
You're welcome!
@shivarammuthukumaraswamy7164 3 years ago
Wonderfully explained. TYSM
@Ashotofcode 3 years ago
Glad it was helpful Shivaram! Cheers Mark :-)
@jessandgary5940 1 year ago
Finally, I get it! Thanks.
@Ashotofcode 1 year ago
Glad it helped! Cheers Mark 🙂
@balapraneeth9708 4 years ago
Great video. Helped a lot. Thanks mate :)
@Ashotofcode 4 years ago
Glad it helped :-)
@ninjarogue 3 years ago
Thank you!!! I really appreciate the video!
@Ashotofcode 3 years ago
Glad it was helpful Aric :-)
@giorgidzidziguri610 1 year ago
best tutorial out there
@Ashotofcode 11 months ago
Thanks!
@sabithapoladi5620 4 years ago
very good explanation
@jig4576 1 year ago
Awesome video
@Ashotofcode 11 months ago
Thanks! Cheers Mark 🙂
@YosepRA 3 years ago
So it's all about the back-end setting up CORS headers, and the browser will try to find these headers to determine whether there's CORS violation or not.
@Ashotofcode 3 years ago
Yep that's a good summary I'd say😀
@unknownqweasd 3 years ago
It was very helpful, thank you!
@Ashotofcode 3 years ago
Glad it was helpful! Cheers Mark
@ttoktassynov 3 years ago
well explained! thanks
@Ashotofcode 3 years ago
Glad you liked it Timur :-)
@mineralisk 4 years ago
Thanks for making the video
@jamesscott-nicholson3808 3 years ago
Thanks for the video, that's cleared it up for me nicely :). If CORS is something only handled by the browser, I suppose that makes it a fairly weak piece of security. Could a browser / extension be made that simply ignores CORS or injects in the necessary header?
@Ashotofcode 3 years ago
Thanks James, I'm not really up on the capabilities of extensions, but they have full control so would think they would be able to cause problems here yes. Cheers Mark
@abhijithk1397 3 years ago
Yes, you can find extensions in the Chrome store that disable CORS
@MrParanos 3 years ago
Very clear and useful, yet there is still something my mind can't put hand on: in what are CORS useful? Regarding how easy it is to go around it... :/
@Ashotofcode 3 years ago
CORS is actually more about relaxing the existing security, so by default only requests from your own site can be made, which is the same-origin policy. With CORS we can allow other sites to access also. So one good scenario is when our API is on a different domain to our website - in this case CORS will allow us to let the website access our API - as otherwise will be blocked by the same origin policy. Another case is simply a public API and we want to allow anyone to call it, say a weather API, by default it is restricted to just the domain it runs under, so we add CORS to relax this security and allow anyone to call it. So CORS itself is not something to get around - that is the same origin policy - which is pretty locked down in browsers. Cheers Mark
@thisurathenuka8362 3 years ago
Nice explanation ❤
@Ashotofcode 3 years ago
Glad you liked it Thisura :-)
@anishamalynur7748 4 years ago
Hey, quick question: one of the options to fix the error was "If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled." Could you explain this?
@Ashotofcode 4 years ago
Hi Anisha, good question, this would be if you simply wanted to check that the service existed, in that it returns a success code, but without any data. I'm not sure when this would be useful, but there are cases I guess. Cheers Mark
@dartme18 3 years ago
ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-pDU_jnD2XpE.html ; different Anisha I assume :-P
@jagadeeshg3756 4 years ago
WoW, Thank you so much!
@louisecrowe4968 3 years ago
Thanks great video :)
@Ashotofcode 3 years ago
Glad you liked it Louise. Cheers Mark :-)
@michi19935 8 months ago
One question - maybe anyone knows: Why can I not log out the JSON response on the first .then method?
@arfan8544 4 years ago
Thank You very much. 🤘
@Ashotofcode 4 years ago
Thanks SM, glad it was useful 😀
@ameyapatil1139 4 years ago
Excellent ! Thanks !
@ashwinisidhu 4 years ago
shot & easy. Thanks
@saqlainmushrif6453 1 year ago
Can CORS be exploited if some token is in URL?? (GET METHOD) Arbitrary origin is reflected in response with ACAO & ACAC but the token is in URL
@CryptoJitsu 3 years ago
Great vid, thank you! QUESTION: When the API does not send back the response header [access-control-allow-origins]... I'm assuming it's still sending back the data in the response body... because the decision to show or not is being done by the receiving browser. This seems insecure and dangerous and something a hacker could get around, no?
@Ashotofcode 3 years ago
Thanks! Good question - Yes I think you are correct in that the data will be returned - the browsers are pretty solid though so I would think safe - this takes place internally in the browser so not something you can attack with JavaScript really. Cheers Mark
@CryptoJitsu 3 years ago
@@Ashotofcode thanks!
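The browser-side decision discussed in this thread, and in the description's note that CORS is enforced only by browsers, as an added example that is not from the video: a simplified model of the check applied to a simple cross-origin request. Function names, origins and the sample body are constructed for illustration.

```javascript
// Added example: a simplified model of the check a browser applies to a
// cross-origin fetch() response (simple requests only, no preflight).
// Header names are real; origins and the body are constructed sample values.

// Header names are case-insensitive, so normalise them first.
function lowerCaseHeaders(headers) {
  return Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v).trim()])
  );
}

// Returns true when page script running on pageOrigin may read the response.
function scriptMayRead(pageOrigin, targetOrigin, responseHeaders, withCredentials = false) {
  if (pageOrigin === targetOrigin) return true; // same origin: CORS not involved
  const h = lowerCaseHeaders(responseHeaders);
  const acao = h["access-control-allow-origin"];
  if (acao === undefined) return false; // no header: the read is blocked
  if (withCredentials) {
    // Credentialed requests need an exact origin plus Allow-Credentials: true.
    return acao === pageOrigin && h["access-control-allow-credentials"] === "true";
  }
  return acao === "*" || acao === pageOrigin;
}

// What each kind of client ends up with. The server has already sent the body
// in every case; only the browser withholds it from the calling script.
function deliver(client, response) {
  if (client.kind !== "browser") return response.body; // e.g. a node console app
  const ok = scriptMayRead(client.pageOrigin, response.origin, response.headers, client.credentials);
  return ok ? response.body : null; // null stands in for the TypeError fetch() rejects with
}

// Constructed sample responses: one API sets no CORS header, one uses the wildcard.
const noCors = { origin: "https://api.example.com", headers: {}, body: '{"name":"Luke"}' };
const wildcard = { ...noCors, headers: { "Access-Control-Allow-Origin": "*" } };
const page = { kind: "browser", pageOrigin: "https://www.example.com", credentials: false };

console.log(deliver(page, noCors));
console.log(deliver(page, wildcard));
console.log(deliver({ kind: "node" }, noCors));
console.log(deliver({ ...page, credentials: true }, wildcard));
```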
@WolfgangPedain 1 year ago
well done
@Ashotofcode 1 year ago
Thanks :-)
@erdemarslan3371 3 years ago
thx very clear!!
@Ashotofcode 3 years ago
Thanks Erdem :-) glad it was useful.
@smashed5826 4 years ago
The explanation was not deep enough, in this video you just explained CORS is browser security policy stuff and seeing you tried it out for direct access on browser and via ajax call. It could be deeper to explain why the browser needs this; what kind of attacks could be implemented if there were no such security policy on the browser; what headers need to be added to allow the browser to call a CORS resource, different browsers or same browser with different versions treat different headers to allow CORS; server side API header settings to control the access to the resource in different scenarios etc.
@daminduliyanage 3 years ago
Thank You 👍🏻👍🏻
@iQCudi 3 years ago
amazing
@Ashotofcode 3 years ago
Thank you! Cheers!
@ganeshk8682 3 years ago
Thanks..
@Ashotofcode 3 years ago
Welcome
@trumbaron 1 year ago
Confusing for me...
@tonyj4435 4 years ago
Thanks bro
@Ashotofcode 4 years ago
Welcome 😎
@JulienReszka 3 years ago
audio is very low volume, I wish it wasn't that low
@ValentinTruta 3 years ago
Arrow functions return by default if code is on the same line.
@Ashotofcode 3 years ago
Nice thanks Valentin!
@addtyu6176 3 years ago
I closed the video immediately after seeing Microsoft Edge being used....
@Ashotofcode 3 years ago
lol fair play :-)
@dartme18 3 years ago
RIP, SWAPI
@Ashotofcode 3 years ago
D'oh yep it has died!
@dartme18 3 years ago
@@Ashotofcode Someone posted a duplicate pretty quickly after SWAPI died (that was six months ago I think?). Our company used SWAPI for interview exercises, so we were happy to see the replacement!
@Ashotofcode 3 years ago
@@dartme18 Ah yes, swapi.dev, cool thanks!
@Derekbylck 3 years ago
=> return
@Ashotofcode 3 years ago
Ah yes that one gets me a lot! thanks
@aravind4444 3 years ago
please explain with diagram
@ramiz3570 4 years ago
+
@ronaldlogan3525 4 years ago
very poorly explained, uses tools people may not be familiar with, the actual subject is almost ignored