[CS] CORS

1. Cross-Site Request Forgery (XSRF)
- forging the user's requests with a malicious website
- to steal personal data or perform malicious actions
2. Same-Origin Policy (SOP)
- to address the XSRF problem, all browsers have adopted this policy, by default
* Origin:
- the source of the request = who is making the request
- the combination of the scheme, domain, and port (e.g. https://www.cors.org:9600)
- if any of the 3 are different, they are not the same origin
- a page cannot read data from, or perform operations against, any origin other than its own
3. Cross-Origin Resource Sharing (CORS)
* Cross-Origin: Requests for resources hosted on other domains
* Resource Sharing: Sharing resources between applications in a web environment
- to relax the SOP and address access to cross-origin resources while maintaining security
- tell browsers that "I'm okay to be called from external entities different from my origin."
4. CORS Implementation
1) implemented through HTTP headers in the response
2) the browser receives the response and compares Access-Control-Allow-Origin with the requesting website's origin
3) if they match, the browser permits the page to access the response
* Access-Control-Allow-Origin:
- specifies the exact origin that is allowed to access the response
- "*" : any origin can access (the browser rejects "*" for credentialed requests)
- Example CORS Headers:

5. How CORS Works
1) a web page makes a cross-origin HTTP request (e.g., JavaScript's 'fetch')
2) the browser sends the HTTP request with an Origin header indicating the origin of the requesting site
3) the server compares the origin of the requesting site with the origins it is configured to allow
4) if they match, the server responds with the appropriate CORS headers (Access-Control-Allow-Origin)
5) if the server's CORS headers don't allow the request, the browser blocks the response from being delivered to the web page
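The following is an added example, not code from the original note: it models both halves of sections 4 and 5 in Python. origin_from_url() implements the scheme/host/port origin comparison from section 2, cors_response_headers() is the server side (an allow-list decision; the origins in ALLOWED_ORIGINS are constructed for illustration), browser_allows_read() is the browser-side Access-Control-Allow-Origin check, and simulate_cross_origin_fetch() walks the five steps in order. reflect_any_origin() is included only to contrast a weak server setting with the allow-list version.

```python
from urllib.parse import urlsplit

# Default ports so "https://host" and "https://host:443" compare as the same origin.
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed allow-list for this example; a real server would load this from config.
ALLOWED_ORIGINS = ["https://app.example.com", "https://admin.example.com:8443"]


def origin_from_url(url):
    """Reduce a URL to its origin: (scheme, host, port). Path and query are ignored."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def same_origin(url_a, url_b):
    """Two URLs share an origin only if scheme, host and port all match."""
    return origin_from_url(url_a) == origin_from_url(url_b)


def cors_response_headers(request_origin, allow_credentials=False):
    """Server side: emit CORS headers only for an Origin that is on the allow-list.

    The header echoes the matching allow-list entry (not the raw request value),
    and 'Vary: Origin' tells caches that the response depends on the Origin header.
    """
    if request_origin is None:
        return {}  # same-origin or non-browser request: no CORS headers needed
    for allowed in ALLOWED_ORIGINS:
        if same_origin(request_origin, allowed):
            headers = {"Access-Control-Allow-Origin": allowed, "Vary": "Origin"}
            if allow_credentials:
                headers["Access-Control-Allow-Credentials"] = "true"
            return headers
    return {}  # not allowed: omit the header so the browser blocks the read


def reflect_any_origin(request_origin):
    """Weak server setting for contrast: echo whatever Origin arrives.

    This effectively disables the Same-Origin Policy for this resource.
    """
    if request_origin is None:
        return {}
    return {"Access-Control-Allow-Origin": request_origin}


def browser_allows_read(page_url, response_headers, with_credentials=False):
    """Browser side: may script running on page_url read this cross-origin response?"""
    acao = response_headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False  # no header: SOP applies, response is blocked
    if acao == "*":
        return not with_credentials  # wildcard is refused for credentialed requests
    return same_origin(acao, page_url)


def simulate_cross_origin_fetch(page_url, api_url, server, with_credentials=False):
    """Walk the five steps of 'How CORS Works' and report whether the page can read the body."""
    # 1) the page issues a request; 2) the browser attaches Origin if it is cross-origin
    request_origin = None if same_origin(page_url, api_url) else page_url
    # 3) + 4) the server decides which CORS headers to send back
    response_headers = server(request_origin)
    # 5) the browser checks the headers before handing the response to the page
    if request_origin is None:
        return True
    return browser_allows_read(page_url, response_headers, with_credentials)


if __name__ == "__main__":
    api = "https://api.example.com/data"
    print("allowed page:", simulate_cross_origin_fetch("https://app.example.com", api, cors_response_headers))
    print("unlisted page:", simulate_cross_origin_fetch("https://other.example", api, cors_response_headers))
    print("unlisted page, reflecting server:", simulate_cross_origin_fetch("https://other.example", api, reflect_any_origin))
```

The server function never emits a header for an origin it does not recognise; the browser then falls back to the Same-Origin Policy and blocks the read. Comparing reflect_any_origin with cors_response_headers on the same unlisted page shows why an allow-list, not an echo of the Origin header, is the setting that keeps the "relax the SOP while maintaining security" goal of section 3.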
Sources:
https://velog.io/@aeong98/HTTP-CORS-%EC%97%90%EB%9F%AC-%ED%95%B4%EA%B2%B0%ED%95%98%EA%B8%B0