Cross-Origin Resource Sharing (CORS)

Learn how cross-origin requests are handled including when Cross-Origin Resource Sharing and preflight requests are used, how requests are cached, and when credentials are sent.

Broken Access Control

Cross-Origin Resource Sharing (CORS) is an HTTP header-based protocol that allows a server to specify which origins, other than its own, are allowed to load various resources. CORS misconfiguration falls under the Broken Access Control OWASP category, ranked number one on the OWASP Top Ten.

Cross-origin requests without CORS

CORS was accepted as a W3C recommendation in January 2014, but developers have been making cross-origin requests long before that. The img tag was proposed in February 1993, which allowed browsers to make cross-origin requests for images.

Today, there are many various HTML elements that allow developers to make cross-origin requests without CORS.

Get hands-on with 1400+ tech skills courses.