Cross-Origin Resource Sharing, or CORS, defines a way to enable client-side cross-origin requests. So, if this API is used on http://siteA.org, then a resource on http://siteB.org could opt in to such requests (e.g. by specifying Access-Control-Allow-Origin: http://siteA.org as a response header).
The problem it aims to solve is that AJAX calls that use XMLHttpRequest to do cross-domain requests (e.g. Site A wants to access a script on Site B) are forbidden by web browsers (see Same-origin policy: http://en.wikipedia.org/wiki/Same-origin_policy).
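One way siteB could implement the opt-in described above, as an added example that is not part of the original page. The names ALLOWED_ORIGINS, serializeOrigin and corsHeaders are hypothetical, and the sample Origin values are constructed.

```javascript
// Added example; ALLOWED_ORIGINS, serializeOrigin and corsHeaders are
// hypothetical names. siteB runs this to decide whether to opt in.

// Serialize a configured origin the way browsers do (lowercase scheme and
// host, default port dropped), so "http://siteA.org" becomes "http://sitea.org".
function serializeOrigin(configured) {
  const origin = new URL(configured).origin;
  if (origin === "null") throw new Error("not a usable origin: " + configured);
  return origin;
}

const ALLOWED_ORIGINS = new Set(["http://siteA.org"].map(serializeOrigin));

// Return the response headers siteB should add for a request whose Origin
// header is `requestOrigin` (undefined when the header is absent).
function corsHeaders(requestOrigin, allowed = ALLOWED_ORIGINS) {
  // The response depends on the Origin header, so caches must key on it.
  const headers = { Vary: "Origin" };
  // Exact, whole-string comparison: no prefix, suffix or regex matching,
  // so "http://sitea.org.example" or "https://sitea.org" never match.
  if (typeof requestOrigin === "string" && allowed.has(requestOrigin)) {
    headers["Access-Control-Allow-Origin"] = requestOrigin;
  }
  return headers;
}

// Constructed sample Origin values, as a browser would send them.
const samples = [
  "http://sitea.org",          // the page's siteA, serialized
  "https://sitea.org",         // different scheme: different origin
  "http://sitea.org:8080",     // different port: different origin
  "http://sitea.org.example",  // lookalike host
  "null",                      // opaque origin (sandboxed iframe, file:)
  undefined,                   // same-origin or non-browser request
];
for (const o of samples) {
  console.log(String(o).padEnd(26), JSON.stringify(corsHeaders(o)));
}
```

Only the first sample receives Access-Control-Allow-Origin; every response carries Vary: Origin so a shared cache does not serve one origin's headers to another.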
Note: WebSockets are not subject to the same-origin policy.
CORS is a W3C Recommendation released on 16th January 2014. See http://www.w3.org/TR/access-control/
Alternatives to CORS are:
- setting the document.domain property
- Cross-document messaging – e.g. calling the postMessage() method on a Window object
- JSONP
See http://en.wikipedia.org/wiki/Same-origin_policy#Relaxing_the_same-origin_policy
Browser support for CORS:
- >= Firefox 3.5
- >= Safari 4
- >= Chrome 3
- >= IE10 (IE8+ has partial support). i.e. IE9 in Compatibility View would not support CORS
- >= Opera 12