Cross-origin resource sharing
In the age of microservices, where web application components are decoupled and run as separate instances on totally different domains, the SOP presents some challenges.
Attempting to read some API data presented in JSON format would normally be denied by the SOP unless the origin triple matches. This is inconvenient, and applications become hard to develop and scale if we are constrained to the same domain, port, and scheme.
To loosen up the SOP, cross-origin resource sharing (CORS) was introduced, making developers happy again. CORS allows a particular site to specify which origins are allowed access to read content that is normally denied by the SOP.
The application server HTTP response can include an Access-Control-Allow-Origin
header, which the client can use to determine whether it should complete the connection and retrieve the data.
Note
CORS is well-documented on the Mozilla Developer Network: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
We can...