Web applications can’t simply take data from multiple sources without permission. A Web security mechanism called same-origin policy (SOP) is what keeps, say, a shopping website from accessing a user’s bank account, or a news site from reading a user’s e-mails despite being logged into both sites at once.
CORS, the cross-origin resource sharing specification published by the World Wide Web Consortium (W3C), is what allows Web developers to incorporate client-side data into their apps. The most recent specification was proposed for W3C Recommendation—considered a Web standard—on Dec. 5.
According to Ian Jacobs, W3C’s head of communications, after the review period ends on Jan. 14, “We should see a stable, completed Recommendation in the second half of January.”
“Cross-origin resource sharing provides a way for Web resources to give permission to relax this [SOP] restriction to allow for the creation of interesting mash-ups incorporating content from multiple sources,” said Brad Hill, co-chairman of the W3C Web Application Security Working Group. “A mash-up application can use CORS to work with public data, like apartment listings and maps, and also for data that requires some user-level authorization, like integrating a user’s preferences or calendar into applications hosted by different companies.”
CORS has been in existence since 2005 and can be used with all major browsers. It defines a set of headers that allow the browser and server to communicate about which requests are (and are not) allowed.
“The kind of mash-up applications that CORS enables are very compelling and have been a part of the Web for a long time, but before CORS they were built using methods like server-side proxying or JSONP that weren’t very secure,” Hill said.