Don’t use Access-Control-Allow-Origin

Access-Control-Allow-Origin is an HTTP header that allows servers to specify which hosts may send cross domain AJAX requests. Let’s say you were building an ad network, fetching content via AJAX. You would add this header to HTTP responses, once for each allowed domain. Clearly this is not scalable, but it’s a bad idea for other reasons as well.

Access-Control-Allow-Origin is tempting as a developer, because it allows you to build a lean multi-server set-up, without proxying requests. The real problem is entirely outside your control – corporate firewall proxies. The Watchguard Firewall is very aggressive by default, blocking content on a variety of heuristics. It removes HTTP headers it considers dangerous, including Access-Control-Allow-Origin, so a site built with this will never work for anyone inside their firewall.

The header directive is primarily for the client-side browser to enforce cross-site scripting policies. This protects end-users from malicious javascript. For example, Javascript might be inserted into a blog comment, and if incorrectly escaped, could run when a visitor loads the page, modifying content or redirecting the user to another domain. In spite of this, it is apparently too risky for some proxies, so be careful.

4 Replies to “Don’t use Access-Control-Allow-Origin”

  1. I use watchguard and websites I get this error in some websites:

    XMLHttpRequest cannot load [url removed]. Origin [url removed] is not allowed by Access-Control-Allow-Origin.

    How can I manage to open those websites?

Leave a Reply

Your email address will not be published. Required fields are marked *