Cross-origin resource sharing

A web page may freely embed cross-origin images, stylesheets, scripts, iframes, and videos.

CORS defines a way in which a browser and server can interact to determine whether it is safe to allow the cross-origin request.

Servers can also notify clients whether "credentials" (including cookies and HTTP authentication data) should be sent with requests.

A wildcard same-origin policy is appropriate when a page or API response is intended to be accessible to any code on any site.
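The server-side decision described above, as an added example that is not part of the original page: one function chooses CORS response headers (wildcard for public content, an allowlisted origin when credentials are involved), and a second flags risky combinations in an observed response. The allowlist, origins and function names are hypothetical.

```javascript
// Added example; origins and function names are hypothetical.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]); // constructed allowlist

// Server side: choose CORS response headers from the request's Origin header.
function corsHeaders(origin, publicResource) {
  if (publicResource) {
    // Public content: wildcard, never combined with credentials.
    return { "Access-Control-Allow-Origin": "*" };
  }
  const headers = { "Vary": "Origin" }; // response differs per Origin, so caches must key on it
  if (origin && ALLOWED_ORIGINS.has(origin)) {
    headers["Access-Control-Allow-Origin"] = origin;
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers; // without Allow-Origin the browser blocks the cross-origin read
}

// Review side: flag risky header combinations in an observed response.
function auditCors(requestOrigin, headers) {
  const acao = headers["Access-Control-Allow-Origin"];
  const creds = headers["Access-Control-Allow-Credentials"] === "true";
  const findings = [];
  if (acao === "*" && creds) {
    // Browsers refuse this pair for credentialed requests; it signals a misconfiguration.
    findings.push("wildcard-with-credentials");
  }
  if (creds && acao === requestOrigin && !ALLOWED_ORIGINS.has(requestOrigin)) {
    // The server echoed an origin it does not trust and allowed credentials.
    findings.push("untrusted-origin-reflected-with-credentials");
  }
  if (acao && acao !== "*" && !/\bOrigin\b/i.test(headers["Vary"] || "")) {
    // A shared cache could serve one origin's response to another.
    findings.push("missing-vary-origin");
  }
  return findings;
}
```
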

The HTTP headers that relate to CORS are:

CORS is supported by all browsers based on the following layout engines:

Cross-origin support was originally proposed by Matt Oshry, Brad Porter, and Michael Bodell of Tellme Networks in March 2004 for inclusion in VoiceXML 2.1[19] to allow safe cross-origin data requests by VoiceXML browsers.

The mechanism was deemed general in nature and not specific to VoiceXML and was subsequently separated into an implementation NOTE.

Path of an XMLHttpRequest (XHR) through CORS.