HTML and CSS Reference
Cross-Origin Resource Sharing (CORS)
During cross-document messaging, one document needs a handle to the other document. This handle is
typically in the form of an <iframe> or window object. However, in many real-world cases, you just want to
make a cross-domain GET or POST request. Cross-document messaging won't allow you to do that. What
you need in such cases is Cross-Origin Resource Sharing (CORS).
Unlike the postMessage API, enabling CORS requires a little configuration at the web server end.
All cross-domain requests have an Origin header. This header is added by the browser and provides the
request origin to the web server. The application code can't tamper with the header. To accept requests
from a different origin, the web server should be configured to send an Access-Control-Allow-Origin HTTP
response header. You can add this header using either IIS Manager or web.config. Figure 11-1 shows the
IIS Manager dialog in which you can add the Access-Control-Allow-Origin header.
Figure 11-1. Adding the Access-Control-Allow-Origin header using IIS Manager
The value for the Access-Control-Allow-Origin header can be either * (all domains allowed) or a list of
specific domains. You can achieve the same effect using the web.config file, as shown in Listing 11-1.
Listing 11-1. Adding the Access-Control-Allow-Origin Header Using web.config
<add name="Access-Control-Allow-Origin" value="*" />
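
A browser compares the Access-Control-Allow-Origin value with the single origin that made the request, so serving several specific domains means choosing the value per request from the Origin header. The following is an added example, not from the book, showing that server-side choice next to a simplified version of the browser's comparison; the hostnames and function names are assumptions.

```javascript
// Added example, not from the book. Hostnames are constructed placeholders.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://reports.example.com:8443",
]);

// Server side: decide which CORS headers to attach for a request's Origin.
// Exact string match only; prefix, suffix or loose pattern matching is a
// common way to admit origins that were never meant to be trusted.
function corsHeadersFor(requestOrigin, allowed = ALLOWED_ORIGINS) {
  // The response differs per Origin, so caches must key on it.
  const headers = { Vary: "Origin" };
  if (typeof requestOrigin === "string" && allowed.has(requestOrigin)) {
    headers["Access-Control-Allow-Origin"] = requestOrigin;
  }
  return headers;
}

// Browser side (simplified, non-credentialed request): the response is
// readable only if the header is "*" or equals the page's origin exactly.
function browserAllowsRead(pageOrigin, responseHeaders) {
  const value = responseHeaders["Access-Control-Allow-Origin"];
  return value === "*" || value === pageOrigin;
}

// Run a set of constructed origins through both sides.
function demo() {
  const origins = [
    "https://app.example.com",          // listed
    "https://reports.example.com:8443", // listed, non-default port
    "http://app.example.com",           // same host, different scheme
    "https://app.example.com.test",     // look-alike host
  ];
  return origins.map((o) => [o, browserAllowsRead(o, corsHeadersFor(o))]);
}

// A static header that lists several origins matches none of them.
const staticList = {
  "Access-Control-Allow-Origin":
    "https://app.example.com https://reports.example.com:8443",
};

console.log(demo());
console.log(browserAllowsRead("https://app.example.com", staticList));
```

With the wildcard value from Listing 11-1 every origin passes the browser check; the allow-list version passes only the two listed origins.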