Opera Core Concerns

Official blog for Core developers at Opera

CORS goes mainline

By Charles McCathieNevilechaals. Friday, October 28, 2011 1:32:18 PM

, , , , ,

About 6 years ago Opera's Anne van Kesteren started working on a spec called "Access Control", which had been used in VoiceXML to allow limited cross-site access for cases where that didn't pose a security problem. After many years of working on the spec, in Opera, and with other browser developers, it is something the Web is starting to adopt - a real standard, now called CORS. Although it is still formally a working draft, it has been stabilising and getting deployed in test applications so we don't expect it to change a lot now.

This week, Opera integrated support for it into the core mainline, meaning it can start to be adopted in product builds - so look for it soon in a snapshot near you.

Cross-Origin Resource Sharing(CORS) has applications for XMLHttpRequest, EventSource and cross-origin image fetches. Here's a brief attempt at giving an overview of what it brings.

In its simple form, CORS requires the user agent to lace requests with an "Origin:" header when performing accesses outside of a same-origin boundary. The "Origin:" being the (protocol,server,port) of the originating content (e.g., http://sau.no) So, if content on sau.no accesses elg.no resources, the elg.no resource will verify that such access is allowed and include CORS headers in the response. (e.g., Access-Control-Allow-Origin: http://sau.no) The user agent then verifies that the attempted CORS access was indeed permitted from the given origin before giving the green light.

That's the simple form. Full CORS also handles any method and header along with optionally using credentials/cookies for such cross-origin accesses. To quote the introduction of the current W3C working draft:

If a resource author has a simple text resource residing at http://example.com/hello which contains the string "Hello World!" and would like http://hello-world.example to be able to access it, the response combined with a header introduced by this specification could look as follows:

Access-Control-Allow-Origin: http://hello-world.example

Hello World!

Using XMLHttpRequest a client-side Web application on http://hello-world.example can access this resource as follows:
var client = new XMLHttpRequest();
client.open("GET", "http://example.com/hello")
client.onreadystatechange = function() { /* do something */ }
client.send()

It gets slightly more complicated if the resource author wants to be able to handle cross-origin requests using methods other than simple methods. In that case the author needs to reply to a preflight request that uses the OPTIONS method and then needs to handle the actual request that uses the desired method (DELETE in this example) and give an appropriate response. The response to the preflight request could have the following headers specified:
Access-Control-Allow-Origin: http://hello-world.example
Access-Control-Max-Age: 3628800
Access-Control-Allow-Methods: PUT, DELETE

The Access-Control-Max-Age header indicates how long the response can be cached, so that for subsequent requests, within the specified time, no preflight request has to be made. The Access-Control-Allow-Methods header indicates the methods that can be used in the actual request. The response to the actual request can simply contain this header:
Access-Control-Allow-Origin: http://hello-world.example

The complexity of invoking the additional preflight request is the task of the user agent. Using XMLHttpRequest again and assuming the application were hosted at http://calendar.example/app the author could use the following ECMAScript snippet:
function deleteItem(itemId, updateUI) {
  var client = new XMLHttpRequest()
  client.open("DELETE", "http://calendar.example/app")
  client.onload = updateUI
  client.onerror = updateUI
  client.onabort = updateUI
  client.send("id=" + itemId)
}


The CORS algorithm/protocol is clearly of a general nature, and has applicability in a number of settings already. The current integration adds it to XMLHttpRequest, EventSource, and cross-origin image fetches. The last part allows use of cross-origin images and textures on Canvas and WebGL. Adding the CORS security checks to other contexts will be done over time.

As part of this work we have done a little general upgrade of our XMLHttpRequest and we now support EventTarget. The modernisation continues, and we hope to round out our implementation of the XMLHttpRequest2 specification soon.

First Selenium Meetup in Oslo

Comments

graste Saturday, October 29, 2011 12:47:41 PM

Some good news. :-)

DitherDitherSky Sunday, October 30, 2011 10:53:30 AM

Yay!!

Kai OckendorfOckendorf Monday, October 31, 2011 8:20:07 AM

seems to be good news smile , but what does it mean exactly?? Faster browsing?

ouzowtfouzoWTF Monday, October 31, 2011 9:19:10 AM

Originally posted by Ockendorf:

seems to be good news , but what does it mean exactly?? Faster browsing?


Security.

Cutting Spoonhellspork Tuesday, November 1, 2011 12:21:46 AM

If I am to understand, this means that Verisign buttons and such cannot be embedded in a domain that does not have appropriate permissions? Something to do with trust badges etc, and prevent online comic pages from being aggregated by a different frontend that leeches bandwidth from the true source?

Is that what it's about? A mechanism to regulate content being re-embedded by a third party?

Guiot SidneyFirefly74940 Tuesday, November 1, 2011 2:21:29 AM

Yes, it's mean safer web site, and an easy to add a security to your web site
( if i'm understanding it in the right way )

Daned4n3 Wednesday, November 2, 2011 8:32:31 AM

This has nothing to do with safer browsing. It allows more web mashup capabilities.

CORS allows a website that uses javascript to connect to an external API (like flickr) to request and display data (like a flickr photo stream) on a page.

It's a way to allow AJAX sites to pull data from external domains that allow CORS using a plain XMLHttpRequest. Before CORS, XHR was limited to the same domain, so workarounds like JSONP were needed.

Cutting Spoonhellspork Thursday, November 3, 2011 3:10:06 AM

Right; special cross-domain media permissions. An authentication model for third-party sites to embed your content....or be blocked from doing so.

Michael A. Puls IIburnout426 Thursday, November 3, 2011 4:13:59 AM

This should also bring other parts of Opera's XHR support up to the level of other browsers.

Swapnil RustagiSwapnil99pro Thursday, November 3, 2011 9:37:36 AM

Originally posted by burnout426:

This should also bring other parts of Opera's XHR support up to the level of other browsers.


That means Opera 12 will support XMLHttpRequest version 2?

Michael A. Puls IIburnout426 Thursday, November 3, 2011 10:30:32 AM

That means Opera 12 will support XMLHttpRequest version 2?



Not sure. The CORS spec references XHR2 quite a bit. And, CORS is a required dependency of XHR2. So, if XHR2 is implemented, you get CORS. Not the other way around necessarily I guess. But, it would make sense at least.

Swapnil RustagiSwapnil99pro Thursday, November 3, 2011 11:18:46 AM

Originally posted by burnout426:

The CORS spec references XHR2 quite a bit. And, CORS is a required dependency of XHR2. So, if XHR2 is implemented, you get CORS.



Ah! I understand. Opera did not support both CORS and XHR2. Opera couldn't implement XHR2 since CORS support is prerequisite for XHR2 - something missing in the current builds of Opera.

So now Opera can actually start listening to feature requests for XHR 2 support - Am I right or I'm mistaken?

Michael A. Puls IIburnout426 Thursday, November 3, 2011 11:22:08 AM

That's a reasonable assumption at least.

Swapnil RustagiSwapnil99pro Sunday, November 6, 2011 4:07:39 AM

Will CORS support be added in Opera 11.60 (if it's ready) - or we will have to wait for Opera 12.00?

Hoshi Sepaihosh Sunday, November 13, 2011 7:39:49 PM

Looking forward support for CORS included so that I can use apps like altmetric within Opera.

http://altmetric.com/interface/explorer.html

Skimming through W3C spec on CORS I hope Opera implements Server-Sent Events (SSE) working draft as it is a more efficient method of sending updates to a browser to display near real-time data

Cutting Spoonhellspork Monday, November 14, 2011 12:13:05 AM

I believe Opera's SSE support is still entirely functional...websockets have been temporarily disabled but I expect them to come online again soon.

They are both important components for WebWorkers, CORS support and offline-capable web applications.

Charles McCathieNevilechaals Thursday, December 8, 2011 4:43:54 PM

@Dane, exactly.

Yes folks, we plan to support all of XHR2.

CORS support did not make it into Opera 11.60, but it is already in Opera 12 snapshots.

And we do implement Server Sent Events (we did the first implementation many years ago already).