Modern web applications are typically an ecosystem of resources and interactions between multiple domains and servers. As these distributed systems emerge and consolidate, development in JavaScript is becoming more common. However, security problems did not take long to appear, and to address them, the security policy known as CORS (Cross-Origin Resource Sharing) was introduced. CORS is a security measure implemented in browsers to prevent unwanted requests to resources in other domains.
What is CORS?
CORS is a mechanism that uses HTTP headers to allow a server to indicate any other origin (domain, schema, or port) other than its own from which a browser should allow resources to be loaded. In other words, CORS is a policy that determines whether or not a web resource can be accessible by a script from a domain other than the one the resource belongs to.
This policy is crucial to web security for a simple reason: it prevents Cross-Site Request Forgery (CSRF) attacks, where a malicious site can use a user's credentials to perform actions on another site without their knowledge or consent. However, despite its clear security benefits, CORS can cause unexpected headaches for developers.
The CORS Enigma in JavaScript Applications
When you develop a website that needs to access resources from other domains, such as APIs or images, CORS comes into play. If the other domain has not correctly implemented CORS headers or if it has not been specified that your domain is allowed to access those resources, you will encounter CORS-related errors in your browser console. These error messages indicate that the browser's security policy does not allow the operation for security reasons.
CORS errors usually occur when making AJAX requests or using Fetch APIs in JavaScript applications. The messages may vary, but will usually indicate that the Same-Origin policy is blocking the request. It's frustrating because your code seems fine, but it still doesn't work as it should.
Solutions within reach of your code
Modify the server to accept your origin
The most direct and appropriate way to resolve CORS issues is to configure the server that is serving the resources to allow requests from your domain. This is achieved by adding the header Access-Control-Allow-Origin in the server response and specifying the domain that made the request or an asterisk (*) to allow any origin. It is important to emphasize that using an asterisk means that any site will be able to request resources, which reduces security.
Using a proxy
If you cannot change the server configuration of the resource you need to consume, one solution is to use a proxy server. This will work as an intermediary between your application and the server you need to access. The proxy makes the request to the desired resource and then passes it to your application, which effectively bypasses the CORS policy because to the browser, the request appears to come from the same domain.
Here's a step-by-step guide to setting up a simple proxy server using Node.js:
- Create a new Node.js project if you don't already have one.
- Install a package to create a proxy, such as
http-proxy-middleware. - Configure your proxy in your application's middleware to direct requests to the target server.
- Make sure that requests to your JavaScript application use the proxy route.
Using JSONP to read resources
JSONP is a technique that allows requests to be made to another domain avoiding Same-Origin restrictions. It works by creating a label <script>, which is immune to the CORS policy, to load a callback function that will process the received data. This technique has become somewhat obsolete with the arrival of CORS and Fetch, but it can be useful in very specific cases where there is no other viable solution.
Configuring CORS headers on the client
Sometimes, for simple troubleshooting or in development environments, you can configure CORS headers in the client-side request, setting specific parameters that allow the browser to correctly interpret the server's response and not block the request. This may include headers such as Access-Control-Allow-Headers, Access-Control-Allow-Methods, and other related ones.
Use browser plugins for development
For local development, you can use plugins in your browser that modify the headers of your requests and responses to ignore CORS errors. Please note that this should only be used for testing in development, as disabling security measures in a production environment can have serious consequences.
Summary
CORS is an essential security policy that protects against certain types of web attacks. Although it can be a source of frustration for developers, understanding how it works and how to handle it is crucial when working with JavaScript and APIs on the web. With the right tools and methods, you can overcome the challenges posed by CORS and build secure, functional web applications.
To continue delving deeper into web development and technologies, I invite you to visit NelkoDev, where you will find a wide range of resources, tutorials and advice for your projects. Don't hesitate to get in touch via NelkoDev Contact if you need additional help with CORS or another aspect of web development. Together, we can solve any problem and make your most ambitious ideas a reality.
English 
Spanish