Cross-Origin Resource Sharing
(1) Resource without CORS, on the same origin
$.ajax({
    type: 'GET',
    url: 'https://www.secure.nu/api/cors/nocors'
})
(This API does not support CORS)
(2) Resource without CORS, on a different origin
$.ajax({
    type: 'GET',
    url: 'https://websec.secure.nu/api/cors/nocors'
})
(This resource can only be accessed from the same origin. Do watch the F12 browser console)
(3) Access-Control-Allow-Origin: https://www.secure.nu
$.ajax({
    type: 'GET',
    url: 'https://websec.secure.nu/api/cors/LimitedTowww'
})
(This resource can only be accessed from this origin: https://www.secure.nu. Try to do this call from both www.secure.nu and other.secure.nu. Do check the response in Fiddler: what response code do you get back?)
(4) Access-Control-Allow-Origin: *
Be careful! This is dangerous and should be avoided.
$.ajax({
    type: 'GET',
    url: 'https://websec.secure.nu/api/cors/AnyOrigin'
})
(This resource can be accessed from any location. Try making an AJAX call from your code to see what will happen. Try to do this call from both www.secure.nu and websec.secure.nu)
Preflight Request
(6) Access-Control-Allow-Origin: https://www.secure.nu, Access-Control-Allow-Methods: PUT
$.ajax({
    type: 'PUT',
    // the body must be valid JSON when sent as application/json
    data: JSON.stringify({ hello: "world" }),
    contentType: "application/json; charset=utf-8",
    headers: {"X-My-Custom-Header": "some value"},
    dataType: "json",
    url: 'https://websec.secure.nu/api/cors/ResourcePut'
})
(This resource can only be accessed from https://www.secure.nu with PUT method)
CORS with credentials
Access-Control-Allow-Origin: https://www.secure.nu, Access-Control-Allow-Credentials: true
Be very careful about setting SupportsCredentials to true, because it means a web site at another domain can send a logged-in user's credentials to your Web API on the user's behalf, without the user necessarily being aware.
$.ajax({
    type: 'POST',
    url: 'https://websec.secure.nu/api/cors/WithCredentials',
    xhrFields: {
        withCredentials: true
    }
})
(This resource can be accessed via AJAX only for: https://www.secure.nu. This header tells the browser that the server allows credentials for a cross-origin request.)
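The server side of demos (3), (6) and the credentials case, written out as an added example (not the lab's own API code): a small policy evaluator that answers a request with the CORS headers the browser checks. The policy object, its field names and the request shape (lower-cased header map) are assumptions of this example; it only ever echoes an allow-listed origin, never "*", and it refuses a preflight whose method or headers are not allowed.

```javascript
// Assumed policy shape for this example: exact origin allow-list, methods,
// lower-cased request headers the API accepts, and whether cookies may be sent.
const POLICY = {
  origins: new Set(["https://www.secure.nu"]), // never reflect Origin blindly, never "*"
  methods: ["GET", "PUT"],
  headers: ["content-type", "x-my-custom-header"],
  credentials: true,
};

// Returns the CORS response headers for a request, or {} when the request is
// not allowed (the browser then blocks the response from script, as in demo (2)).
// req = { method, headers } with header names lower-cased (constructed shape).
function corsHeaders(req, policy = POLICY) {
  if (policy.origins.has("*")) {
    // "*" with credentials is rejected by browsers anyway; this policy never allows it
    throw new Error("wildcard origin is not permitted by this policy");
  }
  const origin = req.headers["origin"];
  if (!origin || !policy.origins.has(origin)) return {};

  const out = {
    "Access-Control-Allow-Origin": origin, // an allow-listed value, so a cache must key on Origin
    "Vary": "Origin",
  };
  if (policy.credentials) out["Access-Control-Allow-Credentials"] = "true";

  // A preflight is an OPTIONS request carrying Access-Control-Request-Method
  // (demo (6): PUT with a JSON body and a custom header triggers one).
  const preflight =
    req.method === "OPTIONS" && "access-control-request-method" in req.headers;
  if (preflight) {
    const method = req.headers["access-control-request-method"];
    const wanted = (req.headers["access-control-request-headers"] || "")
      .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
    if (!policy.methods.includes(method)) return {};
    if (!wanted.every((h) => policy.headers.includes(h))) return {};
    out["Access-Control-Allow-Methods"] = policy.methods.join(", ");
    out["Access-Control-Allow-Headers"] = policy.headers.join(", ");
    out["Access-Control-Max-Age"] = "600"; // seconds the browser may cache this preflight
  }
  return out;
}
```

For the actual resource request that follows a successful preflight, the same function is called again with the real method and produces only the Allow-Origin, Vary and Allow-Credentials headers.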