
Cross-Origin Resource Sharing (CORS)

The DEXTUploadX5 product uploads files using purely web technologies. Uploads are performed with Ajax, which uses the XMLHttpRequest API. However, a GET or POST request made with Ajax fails if it targets a different domain. This is due to the Same-Origin Policy: Ajax requests can only be made to the origin that served the page currently displayed in the browser. As a result, uploading a file from the product to a different origin is not possible by default.

CORS is an abbreviation for Cross-Origin Resource Sharing, a mechanism defined by the W3C.

"User agents commonly apply same-origin restrictions to network requests. These restrictions prevent a client-side Web application running from one origin from obtaining data retrieved from another origin, and also limit unsafe HTTP requests that can be automatically launched toward destinations that differ from the running application's origin."

An origin is the combination of scheme, host (domain and subdomain) and port. CORS is the W3C-standardized way to send and receive requests between different origins. The server that receives the request grants permission by constructing CORS response headers, and this is what enables cross-origin Ajax communication. When a request arrives, the server sends the client an Access-Control-Allow-Origin response header. The client inspects that header and proceeds to the next step of the communication if the request is allowed; otherwise the request is aborted.

The following image shows the error logged to the console when CORS is not applied.

[Image: CORS error]

When uploading to another service from a page served from localhost, the upload failed and an error was logged to the console.

Inspecting the exchange with the server in Fiddler shows that, when the origin differs, the browser does not start the upload with a POST directly. It first sends an OPTIONS request (preflight).

Because CORS is not configured, the server does not return the Access-Control-Allow-Origin response header. An Ajax API that does not receive an Access-Control-Allow-Origin response header fails without sending the POST request.

[Image: CORS error in Fiddler]

After CORS is applied to the server, the file upload succeeds and you can see the following exchange.

"Access-Control-Allow-Origin: *" means that client requests from any origin are allowed. Since this allows cross-origin requests, the Ajax API starts the upload task (POST) immediately.

[Image: CORS success in Fiddler]

Because CORS requires a browser that supports it, and the response headers are set by the server or by server-side code, CORS cannot be configured at the DEXTUploadX5 product level.

Enabling CORS relaxes the Same-Origin Policy and can weaken security, so it is recommended that you keep the Same-Origin Policy as is.
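
As an added example, not code from DEXTUploadX5 or its vendor, the following JavaScript shows the server-side decision for the preflight and for the actual POST when the server answers only an allowlist of origins instead of "*". The origins, the allowed request headers and the function name corsDecision are assumptions made for illustration.

```javascript
'use strict';
// Added example, not DEXTUploadX5 code. Origins and allowed headers are constructed.
const ALLOWED_ORIGINS = new Set(['http://localhost:8080', 'https://app.example.com']);
const ALLOWED_METHODS = ['POST'];
const ALLOWED_HEADERS = ['content-type', 'x-requested-with'];

// Decide the CORS part of a response. `headers` uses lower-case names, as Node's
// http module delivers them. status null = continue to the normal upload handler.
function corsDecision(method, headers) {
  const origin = headers['origin'];
  // No Origin header: not a cross-origin browser request, so add nothing.
  if (origin === undefined) return { status: null, headers: {} };
  const wantMethod = headers['access-control-request-method'];
  const isPreflight = method === 'OPTIONS' && wantMethod !== undefined;
  // Vary: Origin keeps caches from reusing one origin's answer for another.
  const out = { 'Vary': 'Origin' };

  // Exact match on scheme + host + port; no substring or suffix matching.
  // Unlisted origins get no Access-Control-Allow-Origin, so the browser blocks.
  if (!ALLOWED_ORIGINS.has(origin)) {
    return { status: isPreflight ? 403 : null, headers: out };
  }
  out['Access-Control-Allow-Origin'] = origin; // the one origin, not "*"
  if (!isPreflight) return { status: null, headers: out };

  // Preflight: check what the browser says the real request will use.
  const wantHeaders = (headers['access-control-request-headers'] || '')
    .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
  const ok = ALLOWED_METHODS.includes(wantMethod) &&
    wantHeaders.every((h) => ALLOWED_HEADERS.includes(h));
  if (!ok) return { status: 403, headers: { 'Vary': 'Origin' } };

  out['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
  out['Access-Control-Allow-Headers'] = ALLOWED_HEADERS.join(', ');
  out['Access-Control-Max-Age'] = '600'; // preflight result cacheable for 10 min
  return { status: 204, headers: out };
}

// Constructed requests: a preflight from a listed page, then from a lookalike.
const allowed = corsDecision('OPTIONS', {
  'origin': 'http://localhost:8080',
  'access-control-request-method': 'POST',
  'access-control-request-headers': 'Content-Type',
});
const lookalike = corsDecision('OPTIONS', {
  'origin': 'http://localhost:8080.example.net',
  'access-control-request-method': 'POST',
});
console.log(allowed.status, allowed.headers, lookalike.status, lookalike.headers);
```

An unlisted origin that skips the preflight still reaches the upload handler here; the missing Access-Control-Allow-Origin header only stops the browser from handing the response to the calling script.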

DEXTUploadX5 uses a domain license, and depending on the sub-license, different services (hosts) are allowed. However, a failure to upload or download a file because CORS is not configured has nothing to do with license certification. Therefore, even if you purchase licenses that allow you to use multiple services (different hosts), you must configure CORS manually for each service.

The enable-cors site describes several ways to configure CORS.