Tuesday, February 25, 2014

Avoiding CORS security issues

CORS is a security policy according to which a page cannot be iframed from a page on another site.

AJAX requests are implemented via iframes, so if we want to make AJAX requests to another site, we run into a CORS error.

How do we enable this?

The solution is to tell the server to allow the page/JSON/web service to be iframed. This is done as follows:

    import com.fasterxml.jackson.core.JsonProcessingException;
    import javax.servlet.http.HttpServletResponse;
    import org.springframework.web.bind.annotation.PathVariable;

    public String getUserById(@PathVariable("id") Long id, HttpServletResponse httpResponse) throws JsonProcessingException {
        // Tell the browser that a page from any origin may read this response
        httpResponse.addHeader("Access-Control-Allow-Origin", "*");
        // do real work
        return "{}"; // placeholder: return the user serialized as JSON here
    }

Access-Control-Allow-Origin is the header that allows this. Check Wikipedia for other solutions.
