
Tools to help with syndication

Blog Post created by smillerjones on Dec 10, 2015

We’ve recently introduced some new features for managing Cross-Origin Resource Sharing, or CORS, so I wanted to make sure we had an overview of what CORS is, how it works, and what it is we have implemented.

 

So what is CORS?

Put simply, CORS enables cross-domain resource sharing, an activity which is normally blocked by a web security measure called the same-origin policy. The goal is to stop websites from tampering with each other by restricting which domains can interact with an origin. For example, the policy lets JavaScript interact with resources on the same domain, but not with resources from other domains. This blocks what is known as cross-site scripting, and helps to protect a domain’s resources.

 

However, there are times when you may need to share resources across domains. CORS enables this with special HTTP headers that tell browsers exactly which resources can be shared.

 

How does CORS work?

When a browser executes a script that requests content from another domain, CORS ensures that information about the script’s origin is included with the request.

 

The second domain can then decide if the domain making the request is allowed to access the requested resource. When the second domain responds, it specifies whether the resource can be used by the requesting script, and the browser enforces the decision.

[Image: cors1.png]

 

When would I use CORS?

If you operate a single origin domain and have many public-facing web applications and sites, CORS lets you store a single set of resources (images and videos, for example) and use them across all your properties.

 

CORS is particularly useful when you are syndicating content for use on other web properties which you do not directly control, and need to specify which content can be syndicated to each site.

 

What’s in the Limelight CORS implementation?

In providing options to manage CORS request and response headers, we wanted to ensure there was flexibility in how the Limelight CDN behaves, while still providing a very high level of cache efficiency.

 

We do this by keeping a single copy of your content in our caches, and then applying the correct CORS headers for each request we receive and each response we send back.

 

CORS headers can be specified for each CDN configuration you have with Limelight. The following describes, for each CORS header that can be configured, what kind of header it is and the options you have to control it.

Header: Origin
Type: A request header that can be sent in CDN requests to your origin
Limelight options: A specific value can be set as the Origin header, which we will then use when we request content from your origin for cache fill. If the client sends an Origin header in the original request, this setting will override the client-provided header.

Header: Access-Control-Allow-Origin
Type: A response header that can be sent in CDN responses to the client
Limelight options: Can be set to control whether Limelight sends the Access-Control-Allow-Origin (ACAO) header in the response to the client, and what the ACAO header value will be each time. You can configure the service to behave in one of these ways:
  • Do not return an ACAO header. If the origin returns one, delete it from the response sent to the client.
  • Do nothing. If the origin returns this header, simply pass it through to the client.
  • Set the ACAO header value to "*".
  • Use the value of the request's Origin header as the value of the ACAO response header.

Header: Access-Control-Allow-Credentials
Type: A response header that can be sent in CDN responses to the client
Limelight options: Can be set to control whether Limelight sends the Access-Control-Allow-Credentials (ACAC) header in the response to the client, and what the ACAC header value will be each time. You can configure the service to behave in one of these ways:
  • Do not return an ACAC header. If the origin returns one, delete it from the response sent to the client.
  • Do nothing. If the origin returns this header, simply pass it through to the client.
  • Set the ACAC header value to "true".
Note: Per section 6.1 of the specification, if the ACAC header is "true", the ACAO header cannot be "*".

Header: Access-Control-Expose-Headers
Type: A response header that can be sent in CDN responses to the client
Limelight options: Can be set to control whether we send the Access-Control-Expose-Headers (ACEH) header in the response to the client, and what the ACEH header value will be each time. The ACEH header value is a comma-separated list of header names.
Note: Per section 6 of the specification, the headers in this list should not be any of these simple response headers:
  • Cache-Control
  • Content-Language
  • Content-Type
  • Expires
  • Last-Modified
  • Pragma
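To make the options above concrete, here is an added example (not Limelight's code and not a description of how the CDN is built) that models the three response-header options from the table and the Origin override for cache-fill requests, and plays the browser's role from the "How does CORS work?" section: the response decides, the browser enforces. The setting names (acao_mode, acac_mode, expose_headers, fill_origin) are assumptions for this example, and allowed_origins is an addition beyond the page's options that restricts the "echo the Origin header" mode to known origins.

```python
"""Added example, not Limelight's code: a model of the CORS options in the table above."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

ACAO = "Access-Control-Allow-Origin"
ACAC = "Access-Control-Allow-Credentials"
ACEH = "Access-Control-Expose-Headers"

# Simple response headers (section 6 of the spec): exposed by default, so they
# must not be listed in Access-Control-Expose-Headers.
SIMPLE_RESPONSE_HEADERS = frozenset({
    "cache-control", "content-language", "content-type",
    "expires", "last-modified", "pragma",
})


@dataclass
class CorsConfig:
    # Hypothetical setting names; each mode value maps to one bullet in the table.
    acao_mode: str = "passthrough"              # "remove" | "passthrough" | "any" | "echo"
    acac_mode: str = "passthrough"              # "remove" | "passthrough" | "true"
    expose_headers: Optional[List[str]] = None  # None = pass the origin's ACEH through
    fill_origin: Optional[str] = None           # fixed Origin header for cache-fill requests
    # Addition beyond the page: only echo origins on this list instead of reflecting any.
    allowed_origins: Optional[FrozenSet[str]] = None


def validate_config(cfg: CorsConfig) -> List[str]:
    """Return violations of the table's two spec notes (empty list means the config is OK)."""
    errors = []
    if cfg.acac_mode == "true" and cfg.acao_mode == "any":
        errors.append("section 6.1: ACAC 'true' cannot be combined with ACAO '*'")
    for name in cfg.expose_headers or []:
        if name.lower() in SIMPLE_RESPONSE_HEADERS:
            errors.append(f"section 6: simple header {name} must not be listed in {ACEH}")
    return errors


def _get(headers: Dict[str, str], name: str) -> Optional[str]:
    # Header names are case-insensitive, so compare them lowercased.
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)


def _drop(headers: Dict[str, str], name: str) -> Dict[str, str]:
    return {k: v for k, v in headers.items() if k.lower() != name.lower()}


def fill_request_headers(cfg: CorsConfig, client_headers: Dict[str, str]) -> Dict[str, str]:
    """Headers the CDN sends to the origin on cache fill: a configured Origin overrides the client's."""
    headers = dict(client_headers)
    if cfg.fill_origin is not None:
        headers = _drop(headers, "Origin")
        headers["Origin"] = cfg.fill_origin
    return headers


def apply_cors(cfg: CorsConfig, client_origin: Optional[str],
               origin_response: Dict[str, str]) -> Dict[str, str]:
    """Rewrite one cached origin response's CORS headers for one client request."""
    out = dict(origin_response)
    if cfg.acao_mode == "remove":
        out = _drop(out, ACAO)
    elif cfg.acao_mode == "any":
        out = _drop(out, ACAO)
        out[ACAO] = "*"
    elif cfg.acao_mode == "echo":
        out = _drop(out, ACAO)
        trusted = cfg.allowed_origins is None or client_origin in cfg.allowed_origins
        if client_origin is not None and trusted:
            out[ACAO] = client_origin
    # "passthrough": whatever the origin sent is left as-is

    if cfg.acac_mode == "remove":
        out = _drop(out, ACAC)
    elif cfg.acac_mode == "true":
        out = _drop(out, ACAC)
        out[ACAC] = "true"

    if cfg.expose_headers is not None:
        out = _drop(out, ACEH)
        if cfg.expose_headers:
            out[ACEH] = ", ".join(cfg.expose_headers)
    return out


def browser_allows(client_origin: str, response: Dict[str, str],
                   with_credentials: bool = False) -> bool:
    """The browser's enforcement step: may a script at client_origin read this response?"""
    acao = _get(response, ACAO)
    if acao is None:
        return False
    if acao == "*":
        return not with_credentials  # "*" never satisfies a credentialed request
    if acao != client_origin:
        return False
    return _get(response, ACAC) == "true" if with_credentials else True


if __name__ == "__main__":
    cfg = CorsConfig(acao_mode="echo", acac_mode="true", expose_headers=["X-Request-Id"],
                     allowed_origins=frozenset({"https://www.example.com"}))
    assert not validate_config(cfg)
    cached = {"Content-Type": "image/png", "X-Request-Id": "abc123"}  # constructed origin response
    for origin in ("https://www.example.com", "https://other.example.org"):
        resp = apply_cors(cfg, origin, cached)
        print(origin, "->", resp.get(ACAO), "credentialed read allowed:", browser_allows(origin, resp, True))
```

The allowlist is the practitioner's caveat on the "echo" option: reflecting whatever Origin the request carries, combined with Access-Control-Allow-Credentials: true, grants every origin credentialed access, which is why the example only echoes origins it has been told to trust. The same single cached copy serves both origins; only the headers applied on the way out differ, which is the cache-efficiency point made earlier on the page.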



What are the benefits of CORS?

CORS makes it easy for you to distribute content across many domains.  Limelight’s CORS options make it easy to manage these permissions while still retaining high cache efficiency when using our CDN.
Ultimately, you should limit the ability of others to compromise the security of your content online. CORS is a standard that was introduced to help guard against abuse and attack, by introducing a methodology for controllable, conditional access.
CORS gives you more freedom to interconnect web services without exposing your resources unnecessarily, and makes it quick and easy to integrate web services with each other.

 

Resources

Take a look at these other sources of information about CORS:

 
