HTTP CORS Protocol

CORS (HTTP)

[1] CORS (コルス) (Cross-Origin Resource Sharing; also called the HTTP CORS protocol) is a mechanism that lets a Web application access resources of a different origin beyond the constraints of the same-origin policy.

[61] It is used when HTTP access is performed through XHR, other DOM APIs, HTML elements, and the like.

Specifications

[51] As a specification, CORS was superseded and absorbed into the Fetch Standard. The CORS specification on the W3C site is an older version that predates this.

Overview

[52] Under the Web security model, resources with a different origin cannot, as a rule, be accessed (the same-origin policy). For example, a script cannot obtain information from a URL on a different domain. CORS relaxes this restriction: even for a URL on a different domain, if the HTTP response contains the appropriate CORS headers, a script is allowed to access the information contained in that response.

HTTP CORS protocol

[53] The HTTP CORS protocol is specified in the Fetch Standard. Through an exchange between the client and the origin server at fetch time, using HTTP headers and OPTIONS method requests, it allows access to resources of a different origin to be granted.
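As an added illustration (not code from this page or from the Fetch Standard), the following Python models the exchange just described: the server side decides how to answer an OPTIONS preflight against an explicit origin allowlist, and the client side applies the CORS check a browser performs on the response headers before exposing the response to script. The allowlist, method set and header set are constructed assumptions.

```python
# Added illustrative model of both sides of the HTTP CORS protocol: the
# server answers an OPTIONS preflight from an explicit origin allowlist,
# and the client applies the "CORS check" a browser performs on a response
# before exposing it to script. Not a real browser or server implementation.

ALLOWED_ORIGINS = {"https://app.example"}           # constructed allowlist
ALLOWED_METHODS = {"GET", "POST", "PUT"}
ALLOWED_HEADERS = {"content-type", "x-request-id"}  # lowercase, as compared


def preflight_response(origin, req_method, req_headers):
    """Server side: headers for an OPTIONS preflight, or None to refuse.

    The Origin value is echoed only when it is on the allowlist. A server
    that reflects arbitrary origins and also sends Allow-Credentials: true
    would let any site read responses carrying the user's cookies.
    """
    if origin not in ALLOWED_ORIGINS:
        return None
    if req_method.upper() not in ALLOWED_METHODS:
        return None
    wanted = {h.strip().lower() for h in req_headers.split(",") if h.strip()}
    if not wanted <= ALLOWED_HEADERS:
        return None
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Access-Control-Allow-Methods": ", ".join(sorted(ALLOWED_METHODS)),
        "Access-Control-Allow-Headers": ", ".join(sorted(wanted)),
        "Vary": "Origin",  # the allowed origin differs per request; keep caches honest
    }


def cors_check(origin, with_credentials, resp_headers):
    """Client side: the check a browser applies before exposing a response."""
    allow_origin = resp_headers.get("Access-Control-Allow-Origin")
    if allow_origin is None:
        return False
    if not with_credentials:
        # Without credentials the wildcard is acceptable.
        return allow_origin == "*" or allow_origin == origin
    # With credentials the wildcard is rejected, the origin must match
    # exactly, and Allow-Credentials must be exactly "true".
    return allow_origin == origin and \
        resp_headers.get("Access-Control-Allow-Credentials") == "true"
```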

XXX

CORS attribute

[54] Embedded-content elements in HTML, such as the img element, have a crossorigin attribute that controls whether CORS is used.

History

[3] CORS was originally considered by the VoiceXML Working Group as the <?access-control?> processing instruction. It was then taken over by the Web Apps WG and, after passing through the HTTP header field Access-Control: and other forms, eventually reached its current shape.

[4] For the history of the earlier proposals, see the entry for <?access-control?>.

W3C CORS

[30] For a list of applications of CORS, see the entry for CORS API specifications.

XHR + CORS

Supported browsers

XDR

Supported browsers

[18] In IE (at least IE 8), Cookies cannot be made to be sent.

Sources

Integration with HTML

[5] IRC logs: freenode / #whatwg / 20101014 http://krijnhoetmer.nl/irc-logs/whatwg/20101014#l-476

[6] IRC logs: freenode / #whatwg / 20101103 http://krijnhoetmer.nl/irc-logs/whatwg/20101103

[19] Web Applications 1.0 r6142 First draft for working out how to use CORS with <img>, <video>, and <audio>. http://html5.org/tools/web-apps-tracker?from=6141&to=6142

[20] IRC logs: freenode / #whatwg / 20110520 http://krijnhoetmer.nl/irc-logs/whatwg/20110520

[21] Web Applications 1.0 r6144 Update how CORS works with <img> and <video> (and <audio> and <track>). http://html5.org/tools/web-apps-tracker?from=6143&to=6144

[22] Web Applications 1.0 r6147 Change cross-origin= to crossorigin= since people don't seem to like hyphens. Poor hyphens. http://html5.org/tools/web-apps-tracker?from=6146&to=6147

[23] Web Applications 1.0 r6255 CORS-enable EventSource, for cross-site event streams http://html5.org/tools/web-apps-tracker?from=6254&to=6255

[24] [whatwg] CORS requests for image and video elements http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2011-May/031764.html

[25] [whatwg] Enhancement request: change EventSource to allow cross-domain access http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2011-June/032212.html

[26] [whatwg] [CORS] WebKit tainting image instead of throwing error http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2011-October/033389.html

[27] IRC logs: freenode / #whatwg / 20111011 http://krijnhoetmer.nl/irc-logs/whatwg/20111011

[29] >>2 used to be the latest version of the specification, but since the move to hg, >>28 is now the latest version.

[31] Cross-Origin Resource Sharing http://www.w3.org/TR/2012/WD-cors-20120403/

[32] [whatwg] [html5] r7128 - [giow] (2) Try to define img synchronous loading. Affected topics: HTML http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2012-August/037037.html

[35] CORS - W3C Wiki http://www.w3.org/wiki/CORS

[36] Cross-Origin Resource Sharing http://www.w3.org/TR/2013/CR-cors-20130129/

To the Fetch Standard

[48] In early autumn 2012, prompted by Anne leaving Opera, CORS moved from the W3C to the WHATWG. With the pending integration with HTML's Fetch in view, the domain name fetch.spec.whatwg.org was chosen.

[33] Cross-Origin Resource Sharing Standard http://fetch.spec.whatwg.org/

[34] W3C TPAC: CORS — Anne’s Blog http://annevankesteren.nl/2012/11/cors

[49] In spring 2013 it was replaced by the new Fetch Standard, rewritten to integrate HTML Fetch and CORS. With this, CORS as a standalone specification ended its role.

[37] Fetch: HTTP authentication and CORS (by Anne van Kesteren) http://lists.w3.org/Archives/Public/public-webapps/2013AprJun/0487.html

[38] On whether CSRF protection using custom headers is safe to use - subtech http://subtech.g.hatena.ne.jp/mala/20130304/1362392723

[39] [whatwg] Fetch: please review! http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2013-June/039809.html

[40] IRC logs: freenode / #whatwg / 20131028 http://krijnhoetmer.nl/irc-logs/whatwg/20131028

W3C CORS Recommendation

[50] Even after being merged into the new Fetch Standard, the CORS specification lived on in the W3C Process and finally became a W3C Recommendation in January 2014. (Its content, however, remained as it was before the Fetch integration, that is, two years out of date.)

[41] Cross-Origin Resource Sharing http://www.w3.org/TR/2013/PR-cors-20131205/

[42] CORS report http://odinho.html5.org/CORS/testsuite-report.html

[43] CORS Edited PR report http://webappsec-test.info/~bhill2/pub/CORS/cors-test-supplement.htm

[46] Cross-Origin Resource Sharing http://www.w3.org/TR/2014/REC-cors-20140116/

Later developments

[44] Re: [beacon] Random comments (by Jonas Sicking) http://lists.w3.org/Archives/Public/public-web-perf/2013Dec/0108.html

[45] Bug 14703 – Integrate style sheet loading with CSSOM https://www.w3.org/Bugs/Public/show_bug.cgi?id=14703

[55] Web Applications 1.0 r8634 Big editorial cleanup. No normative changes. http://html5.org/tools/web-apps-tracker?from=8633&to=8634

[56] Let CORS preflight fetch perform its own CORS check. Also if a CORS cach... · 49eb9d0 · whatwg/fetch https://github.com/whatwg/fetch/commit/49eb9d0e649331f9364a06767e5a17fc6155107b

[57] CORS performance (by Anne van Kesteren) https://lists.w3.org/Archives/Public/public-webapps/2015JanMar/0646.html

[58] Re: CORS performance (by Anne van Kesteren) https://lists.w3.org/Archives/Public/public-webapps/2015JanMar/0672.html

[59] CORS performance proposal (by Anne van Kesteren) https://lists.w3.org/Archives/Public/public-webappsec/2015Feb/0350.html

[60] Re: CORS performance (by Jonas Sicking) https://lists.w3.org/Archives/Public/public-webapps/2015JanMar/0696.html

[62] Re: [webappsec] CfC: Proposed non-normative updates to CORS (by Mike West) https://lists.w3.org/Archives/Public/public-webappsec/2015Jul/0002.html

[63] Merge pull request #485 from fmarier/sri-issue418 · w3c/webappsec@73e50e6 https://github.com/w3c/webappsec/commit/73e50e6c3cd437a0c8921dd95b539f152fd85cae

[64] Safari 4.0 https://developer.apple.com/library/safari/releasenotes/General/WhatsNewInSafari/Articles/Safari_4_0.html#//apple_ref/doc/uid/TP40014305-CH4-SW15

WebKit now has basic support for cross-site XML HTTP requests using W3C XMLHttpRequest Level 2 and W3C access control for cross-site requests. This provides a way for servers to specify that a cross-site request is allowed, by sending an Access-Control HTTP response header.

[65] Fix #152: give up on forced CORS preflights being a mode · whatwg/fetch@2ca5730 https://github.com/whatwg/fetch/commit/2ca5730755795a4fc5e50c06f8fc477adb931d74

[66] Align with Fetch, forcing a CORS preflight is a flag again · whatwg/xhr@6ebf187 https://github.com/whatwg/xhr/commit/6ebf187740869fe85893abcfcfa5a5e629a6584b

[67] Fix #169: make "no-cors" work with any credentials mode · whatwg/fetch@4147978 https://github.com/whatwg/fetch/commit/4147978673c15047d1a5d4a76b1a403a7d75a956

[70] Fix #202: attempt to define CORS filtered response a little clearer · whatwg/fetch@b17b985 https://github.com/whatwg/fetch/commit/b17b9859ae66de798cbad8759a8c84e7395a2557

[68] [integration] References to external resources · w3c/svgwg@6257fcb https://github.com/w3c/svgwg/commit/6257fcb92ba52ca231d412a6b505b2c71650d215

[69] "With Credentials" flag possibly inconsistent with web architecture · Issue #76 · w3ctag/spec-reviews https://github.com/w3ctag/spec-reviews/issues/76

[71] CORS and RFC1918 https://mikewest.github.io/cors-rfc1918/

[72] Explain CORS protocol and credentials interaction (by annevk) https://github.com/whatwg/fetch/commit/c9e8db9d9075989fd2b91203f0247c52bac0ca27

[74] Allow more wildcards in CORS when used without credentials (by annevk) https://github.com/whatwg/fetch/commit/cdbb13c08650b10c9ebfc54d046bec0639e7ba7c

[75] Redirect on preflighted CORS requests generally impossible · Issue #204 · whatwg/fetch https://github.com/whatwg/fetch/issues/204#issuecomment-184257430

[76] CO Redirect in the face of CORs may not be correct in specs · Issue #32 · w3c/beacon https://github.com/w3c/beacon/issues/32

[77] Merge pull request #33 from w3c/nocors (by toddreifsteck) https://github.com/w3c/beacon/commit/62f466477436042108f8d2cb92bc1c6cae1644ed

[78] Align Fetch's destination concept with changes in Fetch (by sideshowbarker) https://github.com/whatwg/html/commit/5e8f96a85d182d36c177db0d6fdde58b4ded86d4

[79] Allow for redirects after a CORS-preflight (by annevk) https://github.com/whatwg/fetch/commit/0d9a4db8bc02251cc9e391543bb3c1322fb882f2

[80] Merge pull request #34 from w3c/cors-whitelist (by plehegar) https://github.com/w3c/beacon/commit/b917e89fbe0e448e3318428b33d7fb9a66820cea

[81] [webappsec] WG Note: CORS for developers (by Brad Hill) https://lists.w3.org/Archives/Public/public-webappsec/2016Sep/0047.html

[82] CORS for Developers https://w3c.github.io/webappsec-cors-for-developers/

[83] Remove request's omit-Origin-header flag (by annevk) https://github.com/whatwg/fetch/commit/eb89fcd54bb39e81b11c569f6ad7ba615883f7b9

[84] Clarify requirements on a CORS server (by annevk) https://github.com/whatwg/fetch/commit/9289687f43b2f88fe5480f989f59fdb6eb602ac6

[85] Re: Propose "Obsolete" status for CORS spec (by Mark Nottingham) https://lists.w3.org/Archives/Public/public-webappsec/2017Aug/0000.html

[86] Last call: Obsoleting CORS (by Daniel Veditz) https://lists.w3.org/Archives/Public/public-webappsec/2017Aug/0005.html

[87] Web Application Security WG -- 16 Aug 2017 https://www.w3.org/2017/08/16-webappsec-minutes.html

[88] Transition Request: Proposed Obsolete for CORS (by Daniel Veditz) https://lists.w3.org/Archives/Public/public-webappsec/2017Aug/0010.html

[89] Using integrity with "no-cors" is fine same-origin (by annevk) https://github.com/whatwg/fetch/commit/686a1ad9e1c5a001531ebabb1bcd163dfe78edd8

[90] Adjust CORS wildcard handling slightly (by annevk) https://github.com/whatwg/fetch/commit/358dbf5296d91bb791d864b677b367bb11b3bf37

[91] Adjust wildcard handling slightly by annevk · Pull Request #592 · whatwg/fetch https://github.com/whatwg/fetch/pull/592

[92] Access-Control-Expose-Headers: * can be interpreted in two ways · Issue #548 · whatwg/fetch https://github.com/whatwg/fetch/issues/548

[93] Re: CORS should be abandoned (by Boris Zbarsky) https://lists.w3.org/Archives/Public/public-webapps/2017OctDec/0044.html

[94] Do not allow CORS responses to "same-origin" requests (by annevk) https://github.com/whatwg/fetch/commit/548bca234ad5d0296030b2384cc0b784799c4664

[95] 1427978 - Update the WPT test we expected failure after rejecting the CORS synthesized response for the same-origin request https://bugzilla.mozilla.org/show_bug.cgi?id=1427978

[96] consider failing same-origin fetch requests that get a cross-origin cors Response synthesized by a service worker · Issue #629 · whatwg/fetch https://github.com/whatwg/fetch/issues/629

[97] Do not allow CORS responses to "same-origin" requests by annevk · Pull Request #655 · whatwg/fetch https://github.com/whatwg/fetch/pull/655

[98] Return a network error for mode "no-cors" and redirect mode not "follow" (by youennf) https://github.com/whatwg/fetch/commit/14858d3e9402285a7ff3b5e47a22896ff3adc95d

[99] Return a network error in case of no-cors mode and redirect being not follow by youennf · Pull Request #663 · whatwg/fetch https://github.com/whatwg/fetch/pull/663

[100] Deprecations and removals in Chrome 66 | Web | Google Developers https://developers.google.com/web/updates/2018/03/chrome-66-deprecations

[101] Export the definition of CORS-same-origin by csnardi · Pull Request #3605 · whatwg/html https://github.com/whatwg/html/pull/3605

[102] IETF HTML5 Meeting March 2009 - W3C Wiki https://www.w3.org/wiki/IETF_HTML5_Meeting_March_2009

[103] Avoid using the CORS flag to reset request's origin in redirects by annevk · Pull Request #594 · whatwg/fetch https://github.com/whatwg/fetch/pull/594

[104] Make CORS-preflight fetches set the CORS flag (by annevk) https://github.com/whatwg/fetch/commit/9334fcbd34dc17e4508582c9fdc57f20ba5b728e

[105] Remove Reporting API from CORS exceptions (by dcreager) https://github.com/whatwg/fetch/commit/b3492ec22778d1e5705432d80b82dfa7664aedf0

[106] Remove Reporting API from CORS exceptions by dcreager · Pull Request #776 · whatwg/fetch https://github.com/whatwg/fetch/pull/776

[107] Are report uploads supposed to send CORS preflights? · Issue #41 · w3c/reporting https://github.com/w3c/reporting/issues/41

[108] Clarify CORS behavior for report uploads by dcreager · Pull Request #97 · w3c/reporting https://github.com/w3c/reporting/pull/97

[109] Strengthen requirements on CORS even further by having a maximum comb… (by annevk) https://github.com/whatwg/fetch/commit/e2d62ff1df77105c519360948174a135c5eabb6c

[110] CORS-safelisted request headers should be restricted according to RFC 7231 · Issue #382 · whatwg/fetch https://github.com/whatwg/fetch/issues/382

[111] Strengthen requirements on Headers with guard "request-no-cors" (by annevk) https://github.com/whatwg/fetch/commit/cb30d8c72879b18b1e03dc3609d1976d871c28c2

[112] Cleanup remaining Document/Window object relations (by annevk) https://github.com/whatwg/html/commit/39dbb3e6de4216476cf7193ad9e5d56a861d5297

[113] Editorial: use "append" to modify the header list (by ryzokuken) https://github.com/whatwg/fetch/commit/daca6a824c0c6c5e22b7f7eb70001f36c1732cb1

[114] Use "append" instead of "set" to modify the header list · Issue #758 · whatwg/fetch https://github.com/whatwg/fetch/issues/758

[115] Editorial: Use "append" to modify the header list by ryzokuken · Pull Request #807 · whatwg/fetch https://github.com/whatwg/fetch/pull/807