<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN">

<html lang=en-US>
 <head>
  <title>Cross-Origin Resource Sharing</title>

  <style type="text/css">
   .example { margin-left:1em; padding-left:1em; border-left:double; color:#222; background:#fcfcfc }
   .example code strong { color:inherit; background:#ff0 }
   .note { margin-left:2em; font-weight:bold; font-style:italic; color:green }
   .note pre { font-weight:normal; font-style:normal }
   .warning { margin-left:2em; font-weight:bold; font-style:italic; color:red }
   p.warning::before { content:"Warning: " }
   pre > code, li > code { color:inherit; background:transparent }
   p.note::before { content:"Note: " }
   .XXX { padding:.5em; border:solid #f00 }
   p.XXX::before { content:"Issue: " }
   dl.switch { padding-left:2em }
   dl.switch > dt { text-indent:-1.5em }
   dl.switch > dt:before { content:'\21AA'; padding:0 0.5em 0 0; display:inline-block; width:1em; text-align:right; line-height:0.5em }
   em.ct { text-transform:lowercase; font-variant:small-caps; font-style:normal }
   dfn { font-weight:bold; font-style:normal }
   code { color:orangered; }
   code :link, code :visited { color:inherit }
   hr:not(.top) { display:block; background:none; border:none; padding:0; margin:2em 0; height:auto }
  </style>
  <link href="http://www.w3.org/StyleSheets/TR/W3C-WD" rel=stylesheet>

 <body>
  <div class=head>
   <p><a href="http://www.w3.org/"><img alt=W3C height=48
    src="http://www.w3.org/Icons/w3c_home" width=72></a></p>

   <h1 id=cors>Cross-Origin Resource Sharing</h1>

   <h2 class="no-num no-toc" id=w3c-doctype>W3C Working Draft 27 July 2010</h2>

   <dl>
    <dt>This Version:

    <dd><a
     href="http://www.w3.org/TR/2010/WD-cors-20100727/">http://www.w3.org/TR/2010/WD-cors-20100727/</a>

    <dt>Latest Version:

    <dd><a href="http://www.w3.org/TR/cors/">http://www.w3.org/TR/cors/</a>

    <dt>Latest Editor Draft:

    <dd><a
     href="http://dev.w3.org/2006/waf/access-control/">http://dev.w3.org/2006/waf/access-control/</a>

    <dt>Previous Versions:

    <dd><a
     href="http://www.w3.org/TR/2009/WD-cors-20090317/">http://www.w3.org/TR/2009/WD-cors-20090317/</a>

    <dd><a
     href="http://www.w3.org/TR/2008/WD-access-control-20080912/">http://www.w3.org/TR/2008/WD-access-control-20080912/</a>

    <dd><a
     href="http://www.w3.org/TR/2008/WD-access-control-20080214/">http://www.w3.org/TR/2008/WD-access-control-20080214/</a>

    <dd><a
     href="http://www.w3.org/TR/2007/WD-access-control-20071126/">http://www.w3.org/TR/2007/WD-access-control-20071126/</a>

    <dd><a
     href="http://www.w3.org/TR/2007/WD-access-control-20071001/">http://www.w3.org/TR/2007/WD-access-control-20071001/</a>

    <dd><a
     href="http://www.w3.org/TR/2007/WD-access-control-20070618/">http://www.w3.org/TR/2007/WD-access-control-20070618/</a>

    <dd><a
     href="http://www.w3.org/TR/2007/WD-access-control-20070215/">http://www.w3.org/TR/2007/WD-access-control-20070215/</a>

    <dd><a
     href="http://www.w3.org/TR/2006/WD-access-control-20060517/">http://www.w3.org/TR/2006/WD-access-control-20060517/</a>

    <dd><a
     href="http://www.w3.org/TR/2005/NOTE-access-control-20050613/">http://www.w3.org/TR/2005/NOTE-access-control-20050613/</a>

    <dt>Editor:

    <dd><a href="http://annevankesteren.nl/">Anne van Kesteren</a> (<a
     href="http://www.opera.com/">Opera Software ASA</a>) &lt;<a
     href="mailto:annevk@opera.com">annevk@opera.com</a>>
   </dl>

   <p class=copyright><a
    href="http://www.w3.org/Consortium/Legal/ipr-notice#Copyright">Copyright</a>
    &copy; 2008 <a href="http://www.w3.org/"><acronym title="World Wide Web
    Consortium">W3C</acronym></a><sup>&reg;</sup> (<a
    href="http://www.csail.mit.edu/"><acronym title="Massachusetts Institute
    of Technology">MIT</acronym></a>, <a
    href="http://www.ercim.org/"><acronym title="European Research Consortium
    for Informatics and Mathematics">ERCIM</acronym></a>, <a
    href="http://www.keio.ac.jp/">Keio</a>), All Rights Reserved. W3C <a
    href="http://www.w3.org/Consortium/Legal/ipr-notice#Legal_Disclaimer">liability</a>,
    <a
    href="http://www.w3.org/Consortium/Legal/ipr-notice#W3C_Trademarks">trademark</a>
    and <a
    href="http://www.w3.org/Consortium/Legal/copyright-documents">document
    use</a> rules apply.</p>
  </div>

  <hr>

  <h2 class="no-num no-toc" id=abstract>Abstract</h2>

  <p>This document defines a mechanism to enable client-side cross-origin
   requests. Specifications that enable an API to make cross-origin requests
   to resources can use the algorithms defined by this specification. If such
   an API is used on <code>http://example.org</code> resources, a resource on
   <code>http://hello-world.example</code> can opt in using the mechanism
   described by this specification (e.g., specifying
   <code>Access-Control-Allow-Origin: http://example.org</code> as response
   header), which would allow that resource to be fetched cross-origin from
   <code>http://example.org</code>.

  <h2 class="no-num no-toc" id=sotd>Status of this Document</h2>

  <p><em>This section describes the status of this document at the time of
   its publication. Other documents may supersede this document. A list of
   current W3C publications and the latest revision of this technical report
   can be found in the <a href="http://www.w3.org/TR/">W3C technical reports
   index</a> at http://www.w3.org/TR/.</em>

  <p>This is the 27 July 2010 W3C Working Draft of the "Cross-Origin Resource
   Sharing" document. It is expected that this document will progress along
   the W3C Recommendation track. This document is produced by the <a
   href="http://www.w3.org/2008/webapps/">Web Applications</a> (WebApps)
   Working Group. The WebApps Working Group is part of the <a
   href="http://www.w3.org/2006/rwc/Activity">Rich Web Clients Activity</a>
   in the W3C <a href="http://www.w3.org/Interaction/">Interaction
   Domain</a>.

  <p>This draft was also known as "Access Control for Cross-Site Requests",
   "Enabling Read Access for Web Resources", and "Authorizing Read Access to
   XML Content Using the &lt;?access-control?> Processing Instruction 1.0" in
   reverse chronological order.

  <p>Please send comments to the WebApps Working Group's public mailing list
   <a
   href="mailto:public-webapps@w3.org?subject=%5Bcors%5D">public-webapps@w3.org</a>
   with <kbd title="">[cors]</kbd> at the start of the subject line. <a
   href="http://lists.w3.org/Archives/Public/public-webapps/">Archives</a> of
   this list are available. See also <a href="http://www.w3.org/Mail/">W3C
   mailing list and archive usage guidelines</a>.

  <p>This document was produced by a group operating under the <a
   href="http://www.w3.org/Consortium/Patent-Policy-20040205/">5 February
   2004 W3C Patent Policy</a>. W3C maintains a <a
   href="http://www.w3.org/2004/01/pp-impl/42538/status"
   rel=disclosure>public list of any patent disclosures</a> made in
   connection with the deliverables of the group; that page also includes
   instructions for disclosing a patent. An individual who has actual
   knowledge of a patent which the individual believes contains <a
   href="http://www.w3.org/Consortium/Patent-Policy-20040205/#def-essential">Essential
   Claim(s)</a> must disclose the information in accordance with <a
   href="http://www.w3.org/Consortium/Patent-Policy-20040205/#sec-Disclosure">section
   6 of the W3C Patent Policy</a>.

  <p>Publication as a Working Draft does not imply endorsement by the
   <acronym title="World Wide Web Consortium">W3C</acronym> Membership. This
   is a draft document and may be updated, replaced or obsoleted by other
   documents at any time. It is inappropriate to cite this document as other
   than work in progress.

  <h2 class="no-num no-toc" id=toc>Table of Contents</h2>
  <!--begin-toc-->

  <ul class=toc>
   <li><a href="#introduction"><span class=secno>1. </span>Introduction</a>

   <li><a href="#conformance"><span class=secno>2. </span>Conformance
    Criteria</a>
    <ul class=toc>
     <li><a href="#terminology"><span class=secno>2.1. </span>Terminology</a>
      
    </ul>

   <li><a href="#security"><span class=secno>3. </span>Security
    Considerations</a>

   <li><a href="#syntax"><span class=secno>4. </span>Syntax</a>
    <ul class=toc>
     <li><a href="#access-control-allow-origin-response-hea"><span
      class=secno>4.1. </span><code
      title="">Access-Control-Allow-Origin</code> Response Header</a>

     <li><a href="#access-control-allow-credentials-respons"><span
      class=secno>4.2. </span><code
      title="">Access-Control-Allow-Credentials</code> Response Header</a>

     <li><a href="#access-control-expose-headers-response-h"><span
      class=secno>4.3. </span><code
      title="">Access-Control-Expose-Headers</code> Response Header</a>

     <li><a href="#access-control-max-age-response-header"><span
      class=secno>4.4. </span><code title="">Access-Control-Max-Age</code>
      Response Header</a>

     <li><a href="#access-control-allow-methods-response-he"><span
      class=secno>4.5. </span><code
      title="">Access-Control-Allow-Methods</code> Response Header</a>

     <li><a href="#access-control-allow-headers-response-he"><span
      class=secno>4.6. </span><code
      title="">Access-Control-Allow-Headers</code> Response Header</a>

     <li><a href="#origin-request-header"><span class=secno>4.7. </span><code
      title="">Origin</code> Request Header</a>

     <li><a href="#access-control-request-method-request-he"><span
      class=secno>4.8. </span><code
      title="">Access-Control-Request-Method</code> Request Header</a>

     <li><a href="#access-control-request-headers-request-h"><span
      class=secno>4.9. </span><code
      title="">Access-Control-Request-Headers</code> Request Header</a>
    </ul>

   <li><a href="#resource-processing-model"><span class=secno>5.
    </span>Resource Processing Model</a>
    <ul class=toc>
     <li><a href="#resource-requests"><span class=secno>5.1. </span>Simple
      Cross-Origin Request, Actual Request, and Redirects</a>

     <li><a href="#resource-preflight-requests"><span class=secno>5.2.
      </span>Preflight Request</a>

     <li><a href="#resource-security"><span class=secno>5.3.
      </span>Security</a>
    </ul>

   <li><a href="#user-agent-processing-model"><span class=secno>6.
    </span>User Agent Processing Model</a>
    <ul class=toc>
     <li><a href="#cross-origin-request0"><span class=secno>6.1.
      </span>Cross-Origin Request</a>
      <ul class=toc>
       <li><a href="#handling-a-response-to-a-cross-origin-re"><span
        class=secno>6.1.1. </span>Handling a Response to a Cross-Origin
        Request</a>

       <li><a href="#cross-origin-request-status0"><span class=secno>6.1.2.
        </span>Cross-Origin Request Status</a>

       <li><a href="#source-origin0"><span class=secno>6.1.3. </span>Source
        Origin</a>

       <li><a href="#simple-cross-origin-request0"><span class=secno>6.1.4.
        </span>Simple Cross-Origin Request</a>

       <li><a href="#cross-origin-request-with-preflight0"><span
        class=secno>6.1.5. </span>Cross-Origin Request with Preflight</a>

       <li><a href="#preflight-result-cache0"><span class=secno>6.1.6.
        </span>Preflight Result Cache</a>

       <li><a href="#generic-cross-origin-request-algorithms"><span
        class=secno>6.1.7. </span>Generic Cross-Origin Request Algorithms</a>
        
      </ul>

     <li><a href="#resource-sharing-check0"><span class=secno>6.2.
      </span>Resource Sharing Check</a>

     <li><a href="#user-agent-security"><span class=secno>6.3.
      </span>Security</a>
    </ul>

   <li><a href="#cors-api-specification-advice"><span class=secno>7.
    </span>CORS API Specification Advice</a>
    <ul class=toc>
     <li><a href="#cors-api-specifiation-request"><span class=secno>7.1.
      </span>Constructing a Cross-Origin Request</a>

     <li><a href="#cors-api-specification-redirect"><span class=secno>7.2.
      </span>Dealing with Same Origin to Cross-Origin Redirects</a>

     <li><a href="#cors-api-specification-response"><span class=secno>7.3.
      </span>Dealing with the Cross-Origin Request Status</a>

     <li><a href="#cors-api-specification-security"><span class=secno>7.4.
      </span>Security</a>
    </ul>

   <li class=no-num><a href="#requirements">Requirements</a>

   <li class=no-num><a href="#use-cases">Use Cases</a>

   <li class=no-num><a href="#design-decision-faq">Design Decision FAQ</a>

   <li class=no-num><a href="#references">References</a>

   <li class=no-num><a href="#acknowledgments">Acknowledgments</a>
  </ul>
  <!--end-toc-->

  <h2 id=introduction><span class=secno>1. </span>Introduction</h2>

  <p><em>This section is non-normative.</em>

  <p>User agents commonly apply same-origin restrictions to network requests.
   These restrictions prevent a client-side Web application running from one
   origin from obtaining data retrieved from another origin, and also limit
   unsafe HTTP requests that can be automatically launched toward
   destinations that differ from the running application's origin.

  <p>In user agents that follow this pattern, network requests typically use
   ambient authentication and session management information, including HTTP
   authentication and cookie information.

  <p>This specification extends this model in several ways:

  <ul>
   <li>
    <p>A response can include an <a
     href="#http-access-control-allow-origin"><code>Access-Control-Allow-Origin</code></a>
     header, with the origin of where the request originated from as the
     value, to allow access to the resource's contents.</p>

    <p>The user agent validates that the value and origin of where the
     request originated match.</p>

   <li>
    <p>User agents can discover via a <a href="#preflight-request">preflight
     request</a> whether a cross-origin resource is prepared to accept
     requests, using a non-<a href="#simple-method">simple method</a>, from a
     given origin.</p>

    <p>This is again validated by the user agent.</p>

   <li>
    <p>Server-side applications are enabled to discover that an HTTP request
     was deemed a cross-origin request by the user agent, through the <a
     href="#http-origin"><code title=http-origin>Origin</code></a> header.</p>

    <p>This extension enables server-side applications to enforce limitations
     (e.g. returning nothing) on the cross-origin requests that they are
     willing to service.</p>
  </ul>

  <p>This specification is a building block for other specifications,
   so-called CORS API specifications, which will define the precise model by
   which this specification is used. Among others, such specifications are
   likely to include Server-Sent Events, XBL 2.0, and XMLHttpRequest Level 2.
   <a href="#ref-sse">[SSE]</a> <a href="#ref-xbl">[XBL]</a> <a
   href="#ref-xhr">[XHR]</a>

  <p>The design this specification introduces is based on <a
   href="#requirements">requirements</a> and <a href="#use-cases">use
   cases</a>, both included as appendices. A FAQ describing the <a
   href="#design-decision-faq">design decisions</a> is also available.

  <div class=example>
   <p>If a resource author has a simple text resource residing at
    <code>http://example.com/hello</code> which contains the string "Hello
    World!" and would like <code>http://hello-world.example</code> to be able
    to access it, the response combined with a header introduced by this
    specification could look as follows:</p>

   <pre><code>Access-Control-Allow-Origin: http://hello-world.example

Hello World!</code></pre>

   <p>Using <code>XMLHttpRequest</code> a client-side Web application on
    <code>http://hello-world.example</code> can access this resource as
    follows:</p>

   <pre><code>var client = new XMLHttpRequest();
// The user agent adds the Origin request header and performs the
// resource sharing check on the response by itself.
client.open("GET", "http://example.com/hello");
client.onreadystatechange = function() { /* do something */ };
client.send();</code></pre>

   <p>It gets slightly more complicated if the resource author wants to be
    able to handle cross-origin requests using methods other than <a
    href="#simple-method" title="simple method">simple methods</a>. In that
    case the author needs to reply to a preflight request that uses the
    <code>OPTIONS</code> method and then needs to handle the actual request
    that uses the desired method (<code>DELETE</code> in this example) and
    give an appropriate response. The response to the preflight request could
    have the following headers specified:</p>

   <pre><code>Access-Control-Allow-Origin: http://hello-world.example
Access-Control-Max-Age: 3628800
Access-Control-Allow-Methods: PUT, DELETE</code></pre>

   <p>The <a
    href="#http-access-control-max-age"><code>Access-Control-Max-Age</code></a>
    header indicates how long the response can be cached, so that for
    subsequent requests, within the specified time, no preflight request has
    to be made. The <a
    href="#http-access-control-allow-methods"><code>Access-Control-Allow-Methods</code></a>
    header indicates the methods that can be used in the actual request. The
    response to the actual request can simply contain this header:</p>

   <pre><code>Access-Control-Allow-Origin: http://hello-world.example</code></pre>

   <p>The complexity of invoking the additional preflight request is the task
    of the user agent. Using <code>XMLHttpRequest</code> again and assuming
    the application were hosted at <code>http://calendar.example/app</code>
    the author could use the following ECMAScript snippet:</p>

   <pre><code>function deleteItem(itemId, updateUI) {
  var client = new XMLHttpRequest();
  // DELETE is not a simple method, so the user agent issues the
  // OPTIONS preflight itself before sending this request.
  client.open("DELETE", "http://calendar.example/app");
  client.onload = updateUI;
  client.onerror = updateUI;
  client.onabort = updateUI;
  client.send("id=" + itemId);
}</code></pre>

   <p class=note><code>XMLHttpRequest</code> Level 2 includes support for <a
    href="#cross-origin-request" title="cross-origin request">cross-origin
    requests</a>.</p>
  </div>
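  <p>The exchange shown in the example above, written out as an added
   example that is not part of this draft: the resource-side logic that
   answers the preflight and the actual request with the headers listed, and
   the user-agent-side check from the introduction that the returned
   <code>Access-Control-Allow-Origin</code> value matches the requesting
   origin. The allowlist, the header-dictionary request shape and the function
   names are assumptions made for this example.</p>

```python
"""Resource-side handling of the preflight/actual request exchange above.

Added example; not code from the W3C draft. Assumed for the demo: the
allowlist, the header-dictionary request shape and the function names.
"""

# Constructed allowlist: the only origin this resource shares with.
ALLOWED_ORIGINS = {"http://hello-world.example"}

# Non-simple methods the resource is willing to service cross-origin,
# as listed in the preflight response in the example.
ALLOWED_METHODS = ("PUT", "DELETE")

# Simple methods (section 2.1 of the draft) need no preflight, but a user
# agent may still send one, so a preflight naming one is acceptable.
SIMPLE_METHODS = ("GET", "HEAD", "POST")

PREFLIGHT_MAX_AGE = 3628800  # seconds, as in the example response


def get_header(headers, name):
    """Look up a header by name; HTTP field names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def cors_response_headers(method, request_headers):
    """Return the CORS headers the resource adds to its response, or an
    empty dict when the request is not to be shared: no Origin header, an
    origin outside the allowlist, or a method the resource does not
    service. Emitting nothing makes the user agent's check fail closed."""
    origin = get_header(request_headers, "Origin")
    if origin is None or origin not in ALLOWED_ORIGINS:
        return {}

    requested = get_header(request_headers, "Access-Control-Request-Method")
    if method == "OPTIONS" and requested is not None:
        # Preflight: the user agent asks whether `requested` may be used.
        if requested not in ALLOWED_METHODS and requested not in SIMPLE_METHODS:
            return {}
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Max-Age": str(PREFLIGHT_MAX_AGE),
            "Access-Control-Allow-Methods": ", ".join(ALLOWED_METHODS),
        }

    if method not in SIMPLE_METHODS and method not in ALLOWED_METHODS:
        # Actual request with a method the resource never approves.
        return {}

    # Simple or approved actual request: return the single validated origin.
    # Reflecting an arbitrary Origin value here would share the resource with
    # every site, which is exactly the opt-in the mechanism exists to gate.
    return {"Access-Control-Allow-Origin": origin}


def user_agent_allows(response_headers, source_origin):
    """User-agent side (introduction, first bullet): the resource may be
    read only if Access-Control-Allow-Origin is a case-sensitive match for
    the origin the request came from."""
    allowed = get_header(response_headers, "Access-Control-Allow-Origin")
    return allowed is not None and allowed == source_origin
```

  <p>The handler answers a preflight for <code>DELETE</code> from the
   allowlisted origin with the three headers from the example, answers the
   actual request with only <code>Access-Control-Allow-Origin</code>, and
   emits no CORS headers at all for any other origin, so a user agent running
   <code>user_agent_allows</code> refuses to expose the response.</p>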

  <h2 id=conformance><span class=secno>2. </span>Conformance Criteria</h2>

  <p>This specification is written for resource authors and user agents. It
   includes advice for specifications that define APIs that use the <a
   href="#cross-origin-request">cross-origin request</a> algorithm defined in
   this specification &mdash; CORS API specifications &mdash; and the general
   <a href="#security">security considerations</a> section includes some
   advice for client-side Web application authors.

  <p>As well as sections and appendices marked as non-normative, all
   diagrams, examples, and notes in this specification are non-normative.
   Everything else in this specification is normative.

  <p>In this specification, the words <em class=ct>must</em> and <em
   class=ct>may</em> are to be interpreted as described in RFC 2119. <a
   href="#ref-ct">[RFC2119]</a>

  <p>Requirements phrased in the imperative as part of algorithms (e.g.
   "terminate the algorithm") are to be interpreted with the meaning of the
   key word (e.g. <em class=ct>must</em>) used in introducing the algorithm.

  <p>A conformant resource is one that implements all the requirements listed
   in this specification that are applicable to resources.

  <p>A conformant user agent is one that implements all the requirements
   listed in this specification that are applicable to user agents.

  <p>User agents and resource authors <em class=ct>may</em> employ any
   algorithm to implement this specification, so long as the end result is
   indistinguishable from the result that would be obtained by the
   specification's algorithms.

  <h3 id=terminology><span class=secno>2.1. </span>Terminology</h3>

  <p>Terminology is generally defined throughout the specification. However,
   the few definitions that did not really fit anywhere else are defined here
   instead.</p>
  <!-- These definitions are copies of those in HTML5.
       XXX should they be in a separate document? -->

  <p>Comparing two strings in a <dfn id=case-sensitive>case-sensitive</dfn>
   manner means comparing them exactly, codepoint for codepoint.

  <p>Comparing two strings in an <dfn id=ascii-case-insensitive>ASCII
   case-insensitive</dfn> manner means comparing them exactly, codepoint for
   codepoint, except that the characters in the range U+0041 LATIN CAPITAL
   LETTER A to U+005A LATIN CAPITAL LETTER Z and the corresponding characters
   in the range U+0061 LATIN SMALL LETTER A to U+007A LATIN SMALL LETTER Z
   are considered to also match.

  <p><dfn id=converted-to-ascii-lowercase title="converted to ASCII
   lowercase">Converting a string to ASCII lowercase</dfn> means replacing
   all characters in the range U+0041 LATIN CAPITAL LETTER A to U+005A LATIN
   CAPITAL LETTER Z with the corresponding characters in the range U+0061
   LATIN SMALL LETTER A to U+007A LATIN SMALL LETTER Z.

  <p>The term <dfn id=user-credentials>user credentials</dfn> for the
   purposes of this specification means cookies, HTTP authentication, and
   client-side SSL certificates. Specifically it does not refer to proxy
   authentication or the <a href="#http-origin"><code
   title=http-origin>Origin</code></a> header. <a
   href="#ref-cookies">[COOKIES]</a> <!-- XXX ref? -->

  <p>The term <dfn id=fetch>fetch</dfn> is defined by HTML5. <a
   href="#ref-html5">[HTML5]</a>

  <p>The terms <dfn id=origin>origin</dfn>, <dfn id=origin-ascii>ASCII
   serialization of an origin</dfn>, and <dfn id=same-origin>same
   origin</dfn> are defined by The HTTP Origin Header. <a
   href="#ref-origin">[ORIGIN]</a>

  <p>The term <dfn id=cross-origin>cross-origin</dfn> is used to mean non <a
   href="#same-origin">same origin</a>.

  <p>The productions <dfn
   id=rfc2616-delta-seconds><code>delta-seconds</code></dfn>, <dfn
   id=rfc2616-method><code>Method</code></dfn>, and <dfn
   id=rfc2616-field-name><code>field-name</code></dfn> are defined in
   HTTP/1.1. <a href="#ref-http">[HTTP]</a>

  <p><dfn id=url>URL</dfn> and <dfn id=userinfo><code>userinfo</code></dfn>
   are defined by RFC 3986. <a href="#ref-uri">[RFC3986]</a>

  <p class=XXX>When the current ongoing URL debate is over this specification
   will be updated to use the accepted terminology. For now it will remain
   using URL as to not flip-flop every other month.

  <p>A <var title="">method</var> is said to be a <dfn
   id=simple-method>simple method</dfn> if it is a <a
   href="#case-sensitive">case-sensitive</a> match for one of the following:

  <ul>
   <li><code>GET</code>

   <li><code>HEAD</code>

   <li><code>POST</code>
  </ul>

  <p>A <var title="">header</var> is said to be a <dfn
   id=simple-header>simple header</dfn> if the header field name is an <a
   href="#ascii-case-insensitive">ASCII case-insensitive</a> match for
   <code>Accept</code>, <code>Accept-Language</code>,
   <code>Content-Language</code>, or <code>Last-Event-ID</code>, or if it is
   an <a href="#ascii-case-insensitive">ASCII case-insensitive</a> match for
   <code>Content-Type</code> and the header field value media type (excluding
   parameters) is an <a href="#ascii-case-insensitive">ASCII
   case-insensitive</a> match for
   <code>application/x-www-form-urlencoded</code>,
   <code>multipart/form-data</code>, or <code>text/plain</code>.</p>
  <!-- XXX there is an email complaining about the parameters -->

  <p>A <var title="">header</var> is said to be a <dfn
   id=simple-response-header>simple response header</dfn> if the header field
   name is an <a href="#ascii-case-insensitive">ASCII case-insensitive</a>
   match for one of the following:

  <ul>
   <li><code>Cache-Control</code>

   <li><code>Content-Language</code>

   <li><code>Content-Type</code>

   <li><code>Expires</code>

   <li><code>Last-Modified</code>

   <li><code>Pragma</code>
  </ul>

  <p>When <dfn id=header-parsing title="header parsing">parsing a
   header</dfn> the header <em class=ct>must</em> be parsed per the
   corresponding ABNF production in the <a href="#syntax">syntax</a> section.
   If the header does not match the production it is said that <dfn
   id=header-parsing-failed>header parsing failed</dfn>.

  <h2 id=security><span class=secno>3. </span>Security Considerations</h2>

  <p><em>This section is non-normative.</em>

  <p>Security requirements and considerations are listed throughout this
   specification. This section lists advice that did not fit anywhere else.

  <hr>

  <p>Authors of client-side Web applications are strongly encouraged to
   validate content retrieved from a <a href="#cross-origin">cross-origin</a>
   resource as it might be harmful.

  <p>Authors of client-side Web applications using a URL of the type
   <code>people.example.org/~<var>author-name</var>/</code> are to be aware
   that only <a href="#cross-origin">cross-origin</a> security is provided
   and that therefore using a distinct <a href="#origin">origin</a> rather
   than distinct path is vital for secure client-side Web applications.

  <h2 id=syntax><span class=secno>4. </span>Syntax</h2>

  <p>This section defines the syntax of the new headers this specification
   introduces. It also provides a short description of the function of each
   header.

  <p>The <a href="#resource-processing-model">resource processing model</a>
   section details how resources are to use these headers in a response.
   Likewise, the <a href="#user-agent-processing-model">user agent processing
   model</a> section details how user agents are to use these headers.

  <p>The ABNF syntax used in this section is from HTTP/1.1. <a
   href="#ref-http">[HTTP]</a>

  <p class=note>HTTP/1.1 is used as ABNF basis to ensure that the new headers
   have equivalent parsing rules to those introduced in that specification.

  <p class=XXX>HTTP/1.1 currently does not make leading OWS implied in header
   value definitions so please assume it is for now.

  <h3 id=access-control-allow-origin-response-hea><span class=secno>4.1.
   </span><code title="">Access-Control-Allow-Origin</code> Response Header</h3>

  <p>The <dfn
   id=http-access-control-allow-origin><code>Access-Control-Allow-Origin</code></dfn>
   header indicates whether a resource can be shared, by returning the
   value of the <a href="#http-origin"><code
   title=http-origin>Origin</code></a> request header (or the literal string
   "<code>*</code>") in the response. ABNF:

  <pre>Access-Control-Allow-Origin = "Access-Control-Allow-Origin" ":" ( origin-list-or-null | "*" )</pre>

  <p><code>origin-list-or-null</code> is defined by The Origin HTTP Header
   specification <a href="#ref-origin">[ORIGIN]</a>.

  <h3 id=access-control-allow-credentials-respons><span class=secno>4.2.
   </span><code title="">Access-Control-Allow-Credentials</code> Response
   Header</h3>

  <p>The <dfn
   id=http-access-control-allow-credentials><code>Access-Control-Allow-Credentials</code></dfn>
   header indicates whether the response to the request can be exposed when the
   <var title="">credentials flag</var> is true. When part of the response to
   a <a href="#preflight-request">preflight request</a> it indicates that the
   <a href="#actual-request">actual request</a> can be made with <a
   href="#user-credentials">user credentials</a>. ABNF:

  <pre>Access-Control-Allow-Credentials = "Access-Control-Allow-Credentials" ":" true
                              true = %x74.72.75.65 ; "true", case-sensitive</pre>

  <h3 id=access-control-expose-headers-response-h><span class=secno>4.3.
   </span><code title="">Access-Control-Expose-Headers</code> Response Header</h3>

  <p>The <dfn
   id=http-access-control-expose-headers><code>Access-Control-Expose-Headers</code></dfn>
   header indicates which headers are safe to expose to the API of a CORS API
   specification. ABNF:

  <pre>Access-Control-Expose-Headers = "Access-Control-Expose-Headers" ":" #<a href="#rfc2616-field-name">field-name</a></pre>

  <h3 id=access-control-max-age-response-header><span class=secno>4.4.
   </span><code title="">Access-Control-Max-Age</code> Response Header</h3>

  <p>The <dfn
   id=http-access-control-max-age><code>Access-Control-Max-Age</code></dfn>
   header indicates how long the results of a <a
   href="#preflight-request">preflight request</a> can be cached in a <a
   href="#preflight-result-cache">preflight result cache</a>. ABNF:

  <pre>Access-Control-Max-Age = "Access-Control-Max-Age" ":" <a href="#rfc2616-delta-seconds">delta-seconds</a></pre>

  <h3 id=access-control-allow-methods-response-he><span class=secno>4.5.
   </span><code title="">Access-Control-Allow-Methods</code> Response Header</h3>

  <p>The <dfn
   id=http-access-control-allow-methods><code>Access-Control-Allow-Methods</code></dfn>
   header indicates, as part of the response to a <a
   href="#preflight-request">preflight request</a>, which methods can be used
   during the <a href="#actual-request">actual request</a>. ABNF:

  <pre>Access-Control-Allow-Methods = "Access-Control-Allow-Methods" ":" #<a href="#rfc2616-method">Method</a></pre>

  <h3 id=access-control-allow-headers-response-he><span class=secno>4.6.
   </span><code title="">Access-Control-Allow-Headers</code> Response Header</h3>

  <p>The <dfn
   id=http-access-control-allow-headers><code>Access-Control-Allow-Headers</code></dfn>
   header indicates, as part of the response to a <a
   href="#preflight-request">preflight request</a>, which header field names
   can be used during the <a href="#actual-request">actual request</a>. ABNF:

  <pre>Access-Control-Allow-Headers = "Access-Control-Allow-Headers" ":" #<a href="#rfc2616-field-name">field-name</a></pre>

  <h3 id=origin-request-header><span class=secno>4.7. </span><code
   title="">Origin</code> Request Header</h3>

  <p>The <dfn id=http-origin title=http-origin><code>Origin</code></dfn>
   header indicates where the <a href="#cross-origin-request">cross-origin
   request</a> or <a href="#preflight-request">preflight request</a>
   originates from. <a href="#ref-origin">[ORIGIN]</a>

  <h3 id=access-control-request-method-request-he><span class=secno>4.8.
   </span><code title="">Access-Control-Request-Method</code> Request Header</h3>

  <p>The <dfn
   id=http-access-control-request-method><code>Access-Control-Request-Method</code></dfn>
   header indicates which method will be used in the <a
   href="#actual-request">actual request</a> as part of the <a
   href="#preflight-request">preflight request</a>. ABNF:

  <pre>Access-Control-Request-Method = "Access-Control-Request-Method" ":" <a href="#rfc2616-method">Method</a></pre>

  <h3 id=access-control-request-headers-request-h><span class=secno>4.9.
   </span><code title="">Access-Control-Request-Headers</code> Request Header</h3>

  <p>The <dfn
   id=http-access-control-request-headers><code>Access-Control-Request-Headers</code></dfn>
   header indicates which headers will be used in the <a
   href="#actual-request">actual request</a> as part of the <a
   href="#preflight-request">preflight request</a>. ABNF:

  <pre>Access-Control-Request-Headers = "Access-Control-Request-Headers" ":" #<a href="#rfc2616-field-name">field-name</a></pre>

  <h2 id=resource-processing-model><span class=secno>5. </span>Resource
   Processing Model</h2>
  <!-- XXX
  <p><em>This section only applies to servers.</em></p>
  -->

  <p>This section describes the processing models that resources have to
   implement. Each type of request a resource might have to deal with is
   described in its own subsection.

  <p>The resource sharing policy described by this specification is bound to
   a particular resource. For the purposes of this section each resource is
   bound to the following:

  <ul>
   <li>
    <p>A <dfn id=list-of-origins>list of origins</dfn> consisting of zero or
     more <a href="#origin" title=origin>origins</a> that are allowed access
     to the resource.</p>

    <p class=note>This can include the <a href="#origin">origin</a> of the
     resource itself though be aware that requests to <a
     href="#cross-origin">cross-origin</a> resources can be redirected back
     to the resource.</p>

   <li>
    <p>A <dfn id=list-of-methods>list of methods</dfn> consisting of zero or
     more methods that are supported by the resource.

   <li>
    <p>A <dfn id=list-of-headers>list of headers</dfn> consisting of zero or
     more header field names that are supported by the resource.

   <li>
    <p>A <dfn id=supports-credentials>supports credentials</dfn> flag that
     indicates whether the resource supports <a href="#user-credentials">user
     credentials</a> in the request. It is true when the resource does and
     false otherwise.
  </ul>

  <h3 id=resource-requests><span class=secno>5.1. </span>Simple Cross-Origin
   Request, Actual Request, and Redirects</h3>

  <p>In response to a <a href="#simple-cross-origin-request">simple
   cross-origin request</a> or <a href="#actual-request">actual request</a>
   the resource indicates whether or not to share the response.

  <p>If the resource has been relocated, it indicates whether to share its
   new <a href="#url">URL</a>.

  <p>Resources <em class=ct>must</em> use the following set of steps to
   determine which additional headers to use in the response:

  <ol>
   <li>
    <p>If the <a href="#http-origin"><code
     title=http-origin>Origin</code></a> header is not present terminate this
     set of steps. The request is outside the scope of this specification.

   <li>
    <p>Split the value of the <a href="#http-origin"><code
     title=http-origin>Origin</code></a> header on the U+0020 SPACE character
     and if any of the resulting tokens is not a <a
     href="#case-sensitive">case-sensitive</a> match for any of the values in
     <a href="#list-of-origins">list of origins</a> do not set any additional
     headers and terminate this set of steps.</p>

    <p class=note>Always matching is acceptable since the <a
     href="#list-of-origins">list of origins</a> can be unbounded.</p>

   <li>
    <p>If the resource <a href="#supports-credentials">supports
     credentials</a> add a single <a
     href="#http-access-control-allow-origin"><code>Access-Control-Allow-Origin</code></a>
     header, with the value of the <a href="#http-origin"><code
     title=http-origin>Origin</code></a> header as value, and add a single <a
     href="#http-access-control-allow-credentials"><code>Access-Control-Allow-Credentials</code></a>
     header with the literal string "<code>true</code>" as value.</p>

    <p>Otherwise, add a single <a
     href="#http-access-control-allow-origin"><code>Access-Control-Allow-Origin</code></a>
     header, with either the value of the <a href="#http-origin"><code
     title=http-origin>Origin</code></a> header or the literal string
     "<code>*</code>" as value.</p>

   <li>
    <p>If the resource wants to expose more than just <a
     href="#simple-response-header" title="simple response header">simple
     response headers</a> to the API of the CORS API specification add one or
     more <a
     href="#http-access-control-expose-headers"><code>Access-Control-Expose-Headers</code></a>
     headers, with as values the field names of the additional headers to
     expose.
  </ol>
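  <p>The following is an added example, not code from this specification:
   a resource's header selection for a simple cross-origin request or actual
   request, following steps 1 to 4 above. The policy object shape, the use of
   <code>'*'</code> as the "always matching" (unbounded) list of origins, the
   refusal of the opaque <code>null</code> origin, and all function names are
   assumptions of this example.

```javascript
// Added example, not part of the CORS specification: a resource's header
// selection for a simple cross-origin request or actual request, following
// steps 1-4 of section 5.1. The policy object shape, the use of '*' as the
// "always matching" list of origins, and all function names are assumptions
// of this example.

// Constructed sample policy for one resource.
const POLICY = {
  origins: ['http://app.example.com', 'https://admin.example.com'], // list of origins
  supportsCredentials: true,        // supports credentials flag
  exposeHeaders: ['X-Request-Id'],  // non-simple response headers the API may read
};

// Step 2: split Origin on U+0020 SPACE; every token must be a case-sensitive
// match for an entry in the list of origins. A policy whose origins is '*'
// models the "always matching" (unbounded list) case allowed by the note.
function originAllowed(originValue, policy) {
  // Example's own hardening, not required by the spec: never treat the
  // opaque "null" origin as allowed, since sandboxed or file-based documents
  // send it and cannot be told apart from each other.
  if (originValue === 'null') return false;
  if (policy.origins === '*') return true;
  return originValue.split(' ').every((o) => policy.origins.includes(o));
}

// requestHeaders: lowercase field name -> value. Returns the additional
// response headers to add ({} when nothing is to be added).
function actualResponseHeaders(requestHeaders, policy) {
  const origin = requestHeaders['origin'];
  if (origin === undefined) return {};                // step 1: not a CORS request
  if (!originAllowed(origin, policy)) return {};      // step 2: origin not allowed
  const out = {};
  if (policy.supportsCredentials) {
    // Step 3, credentialed: echo the concrete origin; "*" is not permitted here.
    out['Access-Control-Allow-Origin'] = origin;
    out['Access-Control-Allow-Credentials'] = 'true';
  } else {
    // Step 3, no credentials: "*" is acceptable, and is what an open policy returns.
    out['Access-Control-Allow-Origin'] = policy.origins === '*' ? '*' : origin;
  }
  if (policy.exposeHeaders.length > 0) {              // step 4
    out['Access-Control-Expose-Headers'] = policy.exposeHeaders.join(', ');
  }
  return out;
}
```

  <p>Note the combination the steps permit but a deployment should avoid:
   a policy that always matches (<code>origins: '*'</code> here) together
   with <a href="#supports-credentials">supports credentials</a> set to true
   makes the resource echo any <code>Origin</code> with
   <code>Access-Control-Allow-Credentials: true</code>, so every site on the
   Web can read the user's credentialed responses. Echo the origin only for
   an explicit list when credentials are involved.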

  <p class=note>By not adding the appropriate headers a resource can also clear
   the <a href="#preflight-result-cache">preflight result cache</a> of all
   entries where <a href="#cache-origin" title=cache-origin>origin</a> is a
   <a href="#case-sensitive">case-sensitive</a> match for the value of the <a
   href="#http-origin"><code title=http-origin>Origin</code></a> header and
   <a href="#cache-url" title=cache-url>url</a> is a <a
   href="#case-sensitive">case-sensitive</a> match for the <a
   href="#url">URL</a> of the resource.

  <h3 id=resource-preflight-requests><span class=secno>5.2. </span>Preflight
   Request</h3>

  <p>In response to a <a href="#preflight-request">preflight request</a> the
   resource indicates which methods and headers (other than <a
   href="#simple-method" title="simple method">simple methods</a> and <a
   href="#simple-header" title="simple header">simple headers</a>) it is
   willing to handle and whether it <a href="#supports-credentials">supports
   credentials</a>.

  <p>Resources <em class=ct>must</em> use the following set of steps to
   determine which additional headers to use in the response:

  <ol>
   <li>
    <p>If the <a href="#http-origin"><code
     title=http-origin>Origin</code></a> header is not present terminate this
     set of steps. The request is outside the scope of this specification.

   <li>
    <p>If the value of the <a href="#http-origin"><code
     title=http-origin>Origin</code></a> header is not a <a
     href="#case-sensitive">case-sensitive</a> match for any of the values in
     <a href="#list-of-origins">list of origins</a> do not set any additional
     headers and terminate this set of steps.</p>

    <p class=note>Always matching is acceptable since the <a
     href="#list-of-origins">list of origins</a> can be unbounded.</p>

   <li>
    <p>Let <var title="">method</var> be the value as result of <a
     href="#header-parsing" title="header parsing">parsing</a> the <a
     href="#http-access-control-request-method"><code>Access-Control-Request-Method</code></a>
     header.</p>

    <p>If there is no <a
     href="#http-access-control-request-method"><code>Access-Control-Request-Method</code></a>
     header or if <a href="#header-parsing-failed" title="header parsing
     failed">parsing failed</a>, do not set any additional headers and
     terminate this set of steps. The request is outside the scope of this
     specification.</p>

   <li>
    <p>Let <var title="">header field-names</var> be the values as result of
     <a href="#header-parsing" title="header parsing">parsing</a> the <a
     href="#http-access-control-request-headers"><code>Access-Control-Request-Headers</code></a>
     headers.</p>

    <p>If there are no <a
     href="#http-access-control-request-headers"><code>Access-Control-Request-Headers</code></a>
     headers let <var title="">header field-names</var> be the empty list.</p>

    <p>If <a href="#header-parsing-failed" title="header parsing
     failed">parsing failed</a> do not set any additional headers and
     terminate this set of steps. The request is outside the scope of this
     specification.</p>

   <li>
    <p>If <var title="">method</var> is not a <a
     href="#case-sensitive">case-sensitive</a> match for any of the values in
     <a href="#list-of-methods">list of methods</a> do not set any additional
     headers and terminate this set of steps.</p>

    <p class=note>Always matching is acceptable since the <a
     href="#list-of-methods">list of methods</a> can be unbounded.</p>

   <li>
    <p>If any of the <var title="">header field-names</var> is not a <a
     href="#ascii-case-insensitive">ASCII case-insensitive</a> match for any
     of the values in <a href="#list-of-headers">list of headers</a> do not
     set any additional headers and terminate this set of steps.</p>

    <p class=note>Always matching is acceptable since the <a
     href="#list-of-headers">list of headers</a> can be unbounded.</p>

   <li>
    <p>If the resource <a href="#supports-credentials">supports
     credentials</a> add a single <a
     href="#http-access-control-allow-origin"><code>Access-Control-Allow-Origin</code></a>
     header, with the value of the <a href="#http-origin"><code
     title=http-origin>Origin</code></a> header as value, and add a single <a
     href="#http-access-control-allow-credentials"><code>Access-Control-Allow-Credentials</code></a>
     header with the <a href="#case-sensitive">case-sensitive</a> string
     "<code>true</code>" as value.</p>

    <p>Otherwise, add a single <a
     href="#http-access-control-allow-origin"><code>Access-Control-Allow-Origin</code></a>
     header, with either the value of the <a href="#http-origin"><code
     title=http-origin>Origin</code></a> header or the string
     "<code>*</code>" as value.</p>

   <li>
    <p>Optionally add a single <a
     href="#http-access-control-max-age"><code>Access-Control-Max-Age</code></a>
     header with as value the number of seconds the user agent is allowed to
     cache the result of the request.
   </li>
   <!-- there is no limit -->

   <li>
    <p>If <var title="">method</var> is a <a href="#simple-method">simple
     method</a> this step <em class=ct>may</em> be skipped.</p>

    <p>Add one or more <a
     href="#http-access-control-allow-methods"><code>Access-Control-Allow-Methods</code></a>
     headers consisting of (a subset of) the <a href="#list-of-methods">list
     of methods</a>.</p>

    <p class=note>If a method is a <a href="#simple-method">simple method</a>
     it does not need to be listed, but this is not prohibited.</p>

    <p class=note>Since the <a href="#list-of-methods">list of methods</a>
     can be unbounded simply returning <var title="">method</var> can be
     enough.</p>

   <li>
    <p>If each of the <var title="">headers</var> is a <a
     href="#simple-header">simple header</a> this step <em class=ct>may</em>
     be skipped.</p>

    <p>Add one or more <a
     href="#http-access-control-allow-headers"><code>Access-Control-Allow-Headers</code></a>
     headers consisting of (a subset of) the <a href="#list-of-headers">list
     of headers</a>.</p>

    <p class=note>If a header field name is a <a href="#simple-header">simple
     header</a> it does not need to be listed, but this is not prohibited.</p>

    <p class=note>Since the <a href="#list-of-headers">list of headers</a>
     can be unbounded simply returning <var title="">headers</var> can be
     enough.</p>
  </ol>
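  <p>The following is an added example, not code from this specification:
   a resource's handling of a preflight request following the steps above,
   preceded by the <code>Host</code> check recommended in the Security
   section below. <a href="#header-parsing" title="header parsing">Header
   parsing</a> follows the ABNF of the <a href="#syntax">syntax</a> section
   (<code>Method</code> and <code>field-name</code> are HTTP/1.1 tokens). The
   policy object shape and all function names are assumptions of this example.

```javascript
// Added example, not part of the CORS specification: a resource's handling of
// a preflight request following the steps of section 5.2, preceded by the Host
// check recommended in section 5.3. Header parsing follows the ABNF of
// section 4 (Method and field-name are HTTP/1.1 tokens). The policy object
// shape and all function names are assumptions of this example.

// HTTP/1.1 token: one or more characters that are not CTLs or separators.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Parsing per section 4; null means "header parsing failed".
function parseMethod(value) {
  return TOKEN.test(value) ? value : null;
}
function parseFieldNameList(value) {
  // #field-name: comma-separated tokens; empty elements are permitted by HTTP/1.1.
  const names = value.split(',').map((s) => s.trim()).filter((s) => s !== '');
  return names.every((n) => TOKEN.test(n)) ? names : null;
}

// Constructed sample policy for one resource.
const POLICY = {
  hosts: ['api.example.com'],                // Host values this server answers to
  origins: ['http://app.example.com'],       // list of origins
  methods: ['GET', 'POST', 'PUT', 'DELETE'], // list of methods
  headers: ['Content-Type', 'X-Request-Id'], // list of headers
  supportsCredentials: true,                 // supports credentials flag
  maxAge: 600,                               // seconds for Access-Control-Max-Age
};

// requestHeaders: lowercase field name -> value (repeated headers joined with
// commas). Returns the additional response headers, {} when none are to be set.
function preflightResponseHeaders(requestHeaders, policy) {
  // Section 5.3: a Host that is not ours means a DNS-rebound request;
  // answer it like a non-CORS request. Host names compare case-insensitively.
  const host = (requestHeaders['host'] || '').toLowerCase();
  if (!policy.hosts.includes(host)) return {};

  const origin = requestHeaders['origin'];
  if (origin === undefined) return {};                            // step 1
  if (!policy.origins.includes(origin)) return {};                // step 2, case-sensitive

  const acrm = requestHeaders['access-control-request-method'];
  if (acrm === undefined) return {};                              // step 3
  const method = parseMethod(acrm);
  if (method === null) return {};                                 // parsing failed

  const acrh = requestHeaders['access-control-request-headers'];
  const fieldNames = acrh === undefined ? [] : parseFieldNameList(acrh); // step 4
  if (fieldNames === null) return {};                             // parsing failed

  if (!policy.methods.includes(method)) return {};                // step 5, case-sensitive
  const allowed = policy.headers.map((h) => h.toLowerCase());
  if (!fieldNames.every((n) => allowed.includes(n.toLowerCase()))) return {}; // step 6

  const out = { 'Access-Control-Allow-Origin': origin };          // step 7
  if (policy.supportsCredentials) out['Access-Control-Allow-Credentials'] = 'true';
  if (policy.maxAge !== undefined) out['Access-Control-Max-Age'] = String(policy.maxAge); // step 8
  out['Access-Control-Allow-Methods'] = method;                   // step 9: the checked method suffices
  if (fieldNames.length > 0) out['Access-Control-Allow-Headers'] = fieldNames.join(', '); // step 10
  return out;
}
```

  <p>Every failure path returns no CORS headers at all rather than an error
   status: the user agent treats the missing headers as a failed resource
   sharing check, and, per the note above, the same response also evicts any
   stale preflight result cache entry for this origin and URL. A
   <code>Host</code> value carrying a port (<code>api.example.com:8443</code>)
   has to be listed in that form in the policy.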

  <h3 id=resource-security><span class=secno>5.3. </span>Security</h3>

  <p><em>This section is non-normative.</em>

  <p>Resource authors are strongly encouraged to ensure that requests using
   safe methods, e.g. <code>GET</code> or <code>OPTIONS</code>, have no side
   effects so potential attackers cannot modify the user's data easily. If
   resources are set up like this attackers would effectively have to be on
   the <a href="#list-of-origins">list of origins</a> to do harm.

  <p>In addition to checking the <a href="#http-origin"><code
   title=http-origin>Origin</code></a> header, resource authors are strongly
   encouraged to also check the <code>Host</code> header. That is, make sure
   that the host name provided by that header matches the host name of the
   server on which the resource resides. This will provide protection against
   DNS rebinding attacks.

  <p>To provide integrity protection of resource sharing policy statements
   usage of SSL/TLS is encouraged.

  <h2 id=user-agent-processing-model><span class=secno>6. </span>User Agent
   Processing Model</h2>
  <!-- XXX
  <p><em>This section only applies to user agents.</em></p>
  -->

  <p>This section describes the processing models that user agents have to
   implement.

  <p>The processing models in this section need to be referenced by a CORS
   API specification that defines when the algorithm is invoked and how the
   return values are to be handled. The processing models are not suitable
   for standalone use.

  <h3 id=cross-origin-request0><span class=secno>6.1. </span>Cross-Origin
   Request</h3>

  <p>The <dfn id=cross-origin-request>cross-origin request</dfn> algorithm
   takes the following parameters:

  <dl>
   <dt><dfn id=request-url>request URL</dfn>

   <dd>
    <p>The <a href="#url">URL</a> to be <a href="#fetch"
     title=fetch>fetched</a>.</p>

    <p class=note>The <a href="#request-url">request URL</a> is modified in
     face of redirects.</p>

   <dt><dfn id=request-method>request method</dfn>

   <dd>
    <p>The method for the request.

   <dt><dfn id=custom-request-headers>custom request headers</dfn>

   <dd>
    <p>A list of custom headers for the request.

   <dt><dfn id=request-entity-body>request entity body</dfn>

   <dd>
    <p>The entity body for the request.

   <dt><dfn id=source-origin>source origin</dfn>

   <dd>
    <p>The <a href="#origin">origin</a> of the request.</p>

    <p class=note>Due to the specifics of some APIs this cannot be defined in
     a generic way and therefore it has to be provided as argument.</p>

   <dt><dfn id=credentials-flag>credentials flag</dfn>

   <dd>
    <p>True when <a href="#user-credentials">user credentials</a> are to be
     included in the request. False when they are to be excluded from the
     request and when cookies are to be ignored in its response.

   <dt><dfn id=force-preflight-flag>force preflight flag</dfn>

   <dd>
    <p>True when a <a href="#preflight-request">preflight request</a> is to
     be forced. False otherwise.
  </dl>

  <p>The <a href="#cross-origin-request">cross-origin request</a> algorithm
   can be used by CORS API specifications that wish to allow cross-origin
   requests for the network APIs they define.

  <p class=note>CORS API specifications are free to limit the abilities of a
   <a href="#cross-origin-request">cross-origin request</a>. E.g., the <var
   title="">credentials flag</var> could always be false.

  <p>When the <a href="#cross-origin-request">cross-origin request</a>
   algorithm is invoked, these steps <em class=ct>must</em> be followed:

  <ol>
   <li>
    <p>If for some reason the user agent does not want to make the request
     terminate this algorithm and set the <a
     href="#cross-origin-request-status">cross-origin request status</a> to
     <i>network error</i>.</p>

    <p class=note>E.g. the <a href="#request-url">request URL</a> could have
     been blacklisted by the user in some fashion.</p>

   <li>
    <p>If the <a href="#force-preflight-flag">force preflight flag</a> is
     false and the following conditions are all true, follow the <a
     href="#simple-cross-origin-request">simple cross-origin request</a>
     algorithm:

    <ul>
     <li>
      <p>The <a href="#request-method">request method</a> is a <a
       href="#simple-method">simple method</a>.

     <li>
      <p>Each of the <a href="#custom-request-headers">custom request
       headers</a> is a <a href="#simple-header">simple header</a> or <a
       href="#custom-request-headers">custom request headers</a> is empty.
    </ul>

   <li>
    <p>Otherwise, follow the <a
     href="#cross-origin-request-with-preflight">cross-origin request with
     preflight</a> algorithm.
  </ol>

  <p class=note>Cross-origin requests using a method that is <a
   href="#simple-method" title="simple method">simple</a> with <a
   href="#custom-request-headers">custom request headers</a> that are not <a
   href="#simple-header" title="simple header">simple</a> will have a <a
   href="#preflight-request">preflight request</a> to ensure that the
   resource can handle those headers. (Similarly to requests using a method
   that is not a <a href="#simple-method">simple method</a>.)

  <h4 id=handling-a-response-to-a-cross-origin-re><span class=secno>6.1.1.
   </span>Handling a Response to a Cross-Origin Request</h4>

  <p>User agents <em class=ct>must</em> filter out all response headers other
   than those that are a <a href="#simple-response-header">simple response
   header</a> or of which the field name is an <a
   href="#ascii-case-insensitive">ASCII case-insensitive</a> match for one of
   the values of the <a
   href="#http-access-control-expose-headers"><code>Access-Control-Expose-Headers</code></a>
   headers (if any), before exposing response headers to APIs defined in CORS
   API specifications.

  <p class=note>E.g. the <code>getResponseHeader()</code> method of
   <code>XMLHttpRequest</code> will therefore not expose any header not
   indicated above.

  <hr>

  <p>If the <a href="#credentials-flag">credentials flag</a> is false user
   agents <em class=ct>must</em> ignore any attempts by the response (i.e.
   via the <code title=http-set-cookie>Set-Cookie</code> header) to set
   cookies. <a href="#ref-cookies">[COOKIES]</a>

  <h4 id=cross-origin-request-status0><span class=secno>6.1.2.
   </span>Cross-Origin Request Status</h4>

  <p>Each <a href="#cross-origin-request">cross-origin request</a> has an
   associated <dfn id=cross-origin-request-status>cross-origin request
   status</dfn> that CORS API specifications that enable an API to make <a
   href="#cross-origin-request" title="cross-origin request">cross-origin
   requests</a> can hook into. It can take at most two distinct values over
   the course of a <a href="#cross-origin-request">cross-origin request</a>.
   The values are:

  <dl>
   <dt><i>preflight complete</i>

   <dd>The user agent is about to make the <a href="#actual-request">actual
    request</a>.

   <dt><i>success</i>

   <dd>The resource can be shared.

   <dt><i>abort error</i>

   <dd>The user aborted the request.

   <dt><i>network error</i>

   <dd>A DNS error, TLS negotiation failure, or other type of network error
    occurred. <span class=note>This does not include HTTP responses that
    indicate some type of error, such as HTTP status code 410.</span></dd>
   <!-- shared with XMLHttpRequest -->
  </dl>

  <h4 id=source-origin0><span class=secno>6.1.3. </span>Source Origin</h4>

  <p>The <a href="#source-origin">source origin</a> is the initial origin
   that user agents <em class=ct>must</em> use for the <a
   href="#http-origin"><code title=http-origin>Origin</code></a> header. In
   case of redirects the user agents <em class=ct>must</em> follow the
   requirements set forth in the specification for that header.

  <h4 id=simple-cross-origin-request0><span class=secno>6.1.4. </span>Simple
   Cross-Origin Request</h4>

  <p>The steps below describe what user agents <em class=ct>must</em> do for
   a <dfn id=simple-cross-origin-request>simple cross-origin request</dfn>:

  <ol>
   <li>
    <p>Apply the <a href="#make-a-request-steps">make a request steps</a> and
     observe the <i>request rules</i> below while making the request.</p>

    <dl class=switch>
     <dt>If the response has an HTTP status code of 301, 302, 303, or 307

     <dd>
      <p>Apply the <a href="#redirect-steps">redirect steps</a>.

     <dt>If the end user cancels the request

     <dd>
      <p>Apply the <a href="#abort-steps">abort steps</a>.

     <dt>If there is a network error

     <dd>
      <p>In case of DNS errors, TLS negotiation failure, or other type of
       network errors, apply the <a href="#network-error-steps">network error
       steps</a>. Do not request any kind of end user interaction.</p>

      <p class=note>This does not include HTTP responses that indicate some
       type of error, such as HTTP status code 410.</p>

     <dt>Otherwise

     <dd>
      <p>Perform a <a href="#resource-sharing-check">resource sharing
       check</a>. If it returns fail, apply the <a
       href="#network-error-steps">network error steps</a>. Otherwise, if it
       returns pass, terminate this algorithm and set the <a
       href="#cross-origin-request-status">cross-origin request status</a> to
       <i>success</i>. Do not actually terminate the request.
    </dl>
  </ol>

  <h4 id=cross-origin-request-with-preflight0><span class=secno>6.1.5.
   </span>Cross-Origin Request with Preflight</h4>

  <p>To protect resources against cross-origin access with methods that have
   side effects a <a href="#preflight-request">preflight request</a> is made
   to ensure that the resource is ok with the request. The result of this
   request is stored in an <a href="#preflight-result-cache">preflight result
   cache</a>.

  <p>The steps below describe what user agents <em class=ct>must</em> do for
   a <dfn id=cross-origin-request-with-preflight>cross-origin request with
   preflight</dfn>. This is a request to a non same-origin URL that first
   needs to be authorized using either a <a
   href="#preflight-result-cache">preflight result cache</a> entry or a <a
   href="#preflight-request">preflight request</a>.

  <ol>
   <li>
    <p>Go to the next step if the following conditions are true:

    <ul>
     <li>
      <p>For <a href="#request-method">request method</a> there either is a
       <a href="#preflight-result-cache-method-match">method cache match</a>
       or it is a <a href="#simple-method">simple method</a>.</p>

     <li>
      <p>For every header of <a href="#custom-request-headers">custom request
       headers</a> there either is a <a
       href="#preflight-result-cache-header-match">header cache match</a> for
       the field name or it is a <a href="#simple-header">simple header</a>.</p>
    </ul>
    <!-- the preflight request -->
    <p>Otherwise, make a <dfn id=preflight-request>preflight request</dfn>.
     <a href="#fetch">Fetch</a> the <a href="#request-url">request URL</a>
     from <i title="">origin</i> <a href="#source-origin">source origin</a>
     with the <i title="">manual redirect flag</i> set, using the method
     <code>OPTIONS</code>, and with the following additional constraints:</p>
    <!-- XXX use of origin above is not correct -->
    <ul>
     <li>
      <p>Include an <a
       href="#http-access-control-request-method"><code>Access-Control-Request-Method</code></a>
       header whose field value is the <a
       href="#request-method">request method</a> (even when that is a <a
       href="#simple-method">simple method</a>).

     <li>
      <p>If <a href="#custom-request-headers">custom request headers</a> is
       not empty, include an <a
       href="#http-access-control-request-headers"><code>Access-Control-Request-Headers</code></a>
       header whose field value is a comma-separated list of the header
       field names from <a href="#custom-request-headers">custom request
       headers</a> in lexicographical order, each <a
       href="#converted-to-ascii-lowercase">converted to ASCII lowercase</a>
       (even when one or more are a <a href="#simple-header">simple
       header</a>).

     <li>
      <p>Exclude the <a href="#custom-request-headers">custom request
       headers</a>.

     <li>
      <p>Exclude <a href="#user-credentials">user credentials</a>.

     <li>
      <p>Exclude the <a href="#request-entity-body">request entity body</a>.
    </ul>

    <p>The following <i>request rules</i> are to be observed while making
     this request:</p>

    <dl class=switch>
     <dt>If the end user cancels the request

     <dd>
      <p>Apply the <a href="#abort-steps">abort steps</a>.

     <dt>If the response has an HTTP status code of 301, 302, 303, or 307

     <dd>
      <p>Apply the <a href="#network-error-steps">network error steps</a>.</p>

      <p class=note>The <a href="#cache-and-network-error-steps">cache and
       network error steps</a> are not used here as this is about an actual
       network error.</p>

     <dt>If there is a network error

     <dd>
      <p>In case of DNS errors, TLS negotiation failure, or other types of
       network error, apply the <a href="#network-error-steps">network error
       steps</a>. Do not request any kind of end user interaction.</p>

      <p class=note>This does not include HTTP responses that indicate some
       type of error, such as HTTP status code 410.</p>

      <p class=note>The <a href="#cache-and-network-error-steps">cache and
       network error steps</a> are not used here as this is about an actual
       network error.</p>

     <dt>Otherwise

     <dd>
      <ol>
       <li>
        <p>If the <a href="#resource-sharing-check">resource sharing
         check</a> returns fail, apply the <a
         href="#cache-and-network-error-steps">cache and network error
         steps</a>.

       <li>
        <p>Let <var title="">methods</var> be the empty list.

       <li>
        <p>If there are one or more <a
         href="#http-access-control-allow-methods"><code>Access-Control-Allow-Methods</code></a>
         headers let <var title="">methods</var> be the values as result of
         <a href="#header-parsing" title="header parsing">parsing</a> the
         headers.</p>

        <p>If <a href="#header-parsing-failed" title="header parsing
         failed">parsing failed</a> apply the <a
         href="#cache-and-network-error-steps">cache and network error
         steps</a>.</p>

       <li>
        <p>Let <var title="">headers</var> be the empty list.

       <li>
        <p>If there are one or more <a
         href="#http-access-control-allow-headers"><code>Access-Control-Allow-Headers</code></a>
         headers let <var title="">headers</var> be the values as result of
         <a href="#header-parsing" title="header parsing">parsing</a> the
         headers.</p>

        <p>If <a href="#header-parsing-failed" title="header parsing
         failed">parsing failed</a> apply the <a
         href="#cache-and-network-error-steps">cache and network error
         steps</a>.</p>

       <li>
        <p>If <a href="#request-method">request method</a> is not a <a
         href="#case-sensitive">case-sensitive</a> match for any method in
         <var title="">methods</var> and is not a <a
         href="#simple-method">simple method</a>, apply the <a
         href="#cache-and-network-error-steps">cache and network error
         steps</a>.

       <li>
        <p>If the field name of each header in <a
         href="#custom-request-headers">custom request headers</a> is not an
         <a href="#ascii-case-insensitive">ASCII case-insensitive</a> match
         for one of the header field names in <var title="">headers</var> and
         the header is not a <a href="#simple-header">simple header</a>,
         apply the <a href="#cache-and-network-error-steps">cache and network
         error steps</a>.

       <li>
        <p>If for some reason the user agent is unable to provide a <a
         href="#preflight-result-cache">preflight result cache</a> (e.g.
         because of limited disk space) go to the next step in the overall
         set of steps (i.e. the <a href="#actual-request">actual
         request</a>).

       <li>
        <p>If there is a single <a
         href="#http-access-control-max-age"><code>Access-Control-Max-Age</code></a>
         header, <a href="#header-parsing" title="header parsing">parse</a>
         it and let <var title="">max-age</var> be the resulting value.</p>

        <p>If there is no such header, there is more than one such header, or
         <a href="#header-parsing-failed" title="header parsing
         failed">parsing failed</a>, let <var title="">max-age</var> be a
         value at the discretion of the user agent (zero is allowed).</p>

        <p>If the user agent imposes a limit on the <a href="#cache-max-age"
         title=cache-max-age>max-age</a> field value and <var
         title="">max-age</var> is greater than that limit let <var
         title="">max-age</var> be the limit.</p>

       <li>
        <p>For each method in <var title="">methods</var> for which there is
         a <a href="#preflight-result-cache-method-match">method cache
         match</a> set the <a href="#cache-max-age"
         title=cache-max-age>max-age</a> field value of the matching entry to
         <var title="">max-age</var>.</p>

        <p>For each method in <var title="">methods</var> for which there is
         <em>no</em> <a href="#preflight-result-cache-method-match">method
         cache match</a> create a new entry in the <a
         href="#preflight-result-cache">preflight result cache</a> with the
         various fields set as follows:</p>

        <dl>
         <dt><a href="#cache-origin" title=cache-origin>origin</a>

         <dd>The <a href="#source-origin">source origin</a>.

         <dt><a href="#cache-url" title=cache-url>url</a>

         <dd>The <a href="#request-url">request URL</a>.

         <dt><a href="#cache-max-age" title=cache-max-age>max-age</a>

         <dd>The <var title="">max-age</var>.

         <dt><a href="#cache-credentials"
          title=cache-credentials>credentials</a>

         <dd>The <a href="#credentials-flag">credentials flag</a>.

         <dt><a href="#cache-method" title=cache-method>method</a>

         <dd>The given method.

         <dt><a href="#cache-header" title=cache-header>header</a>

         <dd>Empty.
        </dl>

       <li>
        <p>For each header in <var title="">headers</var> for which there is
         a <a href="#preflight-result-cache-header-match">header cache
         match</a> set the <a href="#cache-max-age"
         title=cache-max-age>max-age</a> field value of the matching entry to
         <var title="">max-age</var>.</p>

        <p>For each header in <var title="">headers</var> for which there is
         <em>no</em> <a href="#preflight-result-cache-header-match">header
         cache match</a> create a new entry in the <a
         href="#preflight-result-cache">preflight result cache</a> with the
         various fields set as follows:</p>

        <dl>
         <dt><a href="#cache-origin" title=cache-origin>origin</a>

         <dd>The <a href="#source-origin">source origin</a>.

         <dt><a href="#cache-url" title=cache-url>url</a>

         <dd>The <a href="#request-url">request URL</a>.

         <dt><a href="#cache-max-age" title=cache-max-age>max-age</a>

         <dd>The <var title="">max-age</var>.

         <dt><a href="#cache-credentials"
          title=cache-credentials>credentials</a>

         <dd>The <a href="#credentials-flag">credentials flag</a>.

         <dt><a href="#cache-method" title=cache-method>method</a>

         <dd>Empty.

         <dt><a href="#cache-header" title=cache-header>header</a>

         <dd>The given header.
        </dl>
      </ol>
    </dl>

   <li>
    <p>Set the <a href="#cross-origin-request-status">cross-origin request
     status</a> to <i>preflight complete</i>.
   </li>
   <!-- the actual request -->

   <li>
    <p>This is the <dfn id=actual-request>actual request</dfn>. Apply the <a
     href="#make-a-request-steps">make a request steps</a> and observe the
     <i>request rules</i> below while making the request.</p>

    <dl class=switch>
     <dt>If the response has an HTTP status code of 301, 302, 303, or 307

     <dd>
      <p>Apply the <a href="#cache-and-network-error-steps">cache and network
       error steps</a>.

     <dt>If the end user cancels the request

     <dd>
      <p>Apply the <a href="#abort-steps">abort steps</a>.

     <dt>If there is a network error

     <dd>
      <p>In case of DNS errors, TLS negotiation failure, or other types of
       network error, apply the <a href="#network-error-steps">network error
       steps</a>. Do not request any kind of end user interaction.</p>

      <p class=note>This does not include HTTP responses that indicate some
       type of error, such as HTTP status code 410.</p>

     <dt>Otherwise

     <dd>
      <p>Perform a <a href="#resource-sharing-check">resource sharing
       check</a>. If it returns fail, apply the <a
       href="#cache-and-network-error-steps">cache and network error
       steps</a>. Otherwise, if it returns pass, terminate this algorithm and
       set the <a href="#cross-origin-request-status">cross-origin request
       status</a> to <i>success</i>. Do not actually terminate the request.
    </dl>
  </ol>

  <div class=example>
   <p>Consider the following scenario:</p>

   <ol>
    <li>
     <p>The user agent gets the request from an API, such as
      <code>XMLHttpRequest</code>, to perform a cross-origin request using
      the custom <code>XMODIFY</code> method from <a
      href="#source-origin">source origin</a> <code>http://example.org</code>
      to <code>http://blog.example/entries/hello-world</code>.

    <li>
     <p>The user agent performs a <a href="#preflight-request">preflight
      request</a> using the <code>OPTIONS</code> method to
      <code>http://blog.example/entries/hello-world</code> and includes the
      <a href="#http-origin"><code title=http-origin>Origin</code></a> and <a
      href="#http-access-control-request-method"><code>Access-Control-Request-Method</code></a>
      headers with the appropriate values.

    <li>
     <p>The response to that request includes the following headers:</p>

     <pre>Access-Control-Allow-Origin: http://example.org
Access-Control-Max-Age: 2520
Access-Control-Allow-Methods: PUT, DELETE, XMODIFY</pre>

    <li>
     <p>The user agent then performs the desired request using the
      <code>XMODIFY</code> method to
      <code>http://blog.example/entries/hello-world</code> as this was
      allowed by the resource. In addition, for the coming forty-two minutes,
      no <a href="#preflight-request">preflight request</a> will be needed.
   </ol>
  </div>

  <h4 id=preflight-result-cache0><span class=secno>6.1.6. </span>Preflight
   Result Cache</h4>

  <p>As mentioned, a <a
   href="#cross-origin-request-with-preflight">cross-origin request with
   preflight</a> uses a <dfn id=preflight-result-cache>preflight result
   cache</dfn>. This cache consists of a set of entries. Each entry consists
   of the following fields:

  <dl>
   <dt><dfn id=cache-origin title=cache-origin>origin</dfn>

   <dd>Holds the <a href="#source-origin">source origin</a>.

   <dt><dfn id=cache-url title=cache-url>url</dfn>

   <dd>Holds the <a href="#request-url">request URL</a>.

   <dt><dfn id=cache-max-age title=cache-max-age>max-age</dfn>

   <dd>Holds the <a
    href="#http-access-control-max-age"><code>Access-Control-Max-Age</code></a>
    header value.

   <dt><dfn id=cache-credentials title=cache-credentials>credentials</dfn>

   <dd>Holds the value of the <a href="#credentials-flag">credentials
    flag</a>.

   <dt><dfn id=cache-method title=cache-method>method</dfn>

   <dd>Empty if <a href="#cache-header" title=cache-header>header</a> is not
    empty; otherwise one of the values from the <a
    href="#http-access-control-allow-methods"><code>Access-Control-Allow-Methods</code></a>
    headers.

   <dt><dfn id=cache-header title=cache-header>header</dfn>

   <dd>Empty if <a href="#cache-method" title=cache-method>method</a> is not
    empty; otherwise one of the values from the <a
    href="#http-access-control-allow-headers"><code>Access-Control-Allow-Headers</code></a>
    headers.
  </dl>

  <p class=note>To be clear, the <a href="#cache-method"
   title=cache-method>method</a> and <a href="#cache-header"
   title=cache-header>header</a> fields are mutually exclusive. When one of
   them is empty the other is non-empty.

  <p class=note>The primary key of an entry consists of all fields excluding
   the <a href="#cache-max-age" title=cache-max-age>max-age</a> field.

  <p>Entries <em class=ct>must</em> be removed when the time specified in the
   <a href="#cache-max-age" title=cache-max-age>max-age</a> field has passed
   since storing the entry. Entries can also be added and removed per the
   algorithms below. They are added and removed in such a way that there can
   never be duplicate items in the cache.

  <p>User agents <em class=ct>may</em> clear cache entries before the time
   specified in the <a href="#cache-max-age" title=cache-max-age>max-age</a>
   field has passed.

  <p class=note>Although this effectively makes the <a
   href="#preflight-result-cache">preflight result cache</a> optional, user
   agents are strongly encouraged to support it.

  <h4 id=generic-cross-origin-request-algorithms><span class=secno>6.1.7.
   </span>Generic Cross-Origin Request Algorithms</h4>

  <p>The variables used in the generic sets of steps below belong to the
   algorithms that invoke them.

  <hr>

  <p>Whenever the <dfn id=make-a-request-steps>make a request steps</dfn> are
   applied, <a href="#fetch">fetch</a> the <a href="#request-url">request
   URL</a> from <i title="">origin</i> <a href="#source-origin">source
   origin</a> with the <i title="">manual redirect flag</i> set, using method
   <a href="#request-method">request method</a>, entity body <a
   href="#request-entity-body">request entity body</a>, including the <a
   href="#custom-request-headers">custom request headers</a>, and include <a
   href="#user-credentials">user credentials</a> if the <a
   href="#credentials-flag">credentials flag</a> is true.</p>
  <!-- XXX is the use of origin above correct? -->

  <p>Whenever the <dfn id=redirect-steps>redirect steps</dfn> are applied,
   follow this set of steps:

  <ol>
   <li>
    <p>Let <a href="#request-url">request URL</a> be the <a
     href="#url">URL</a> conveyed by the <code>Location</code> header in the
     redirect response.
   </li>
   <!-- XXX should be resolved URL per HTML5 algorithms ... -->

   <li>
    <p>If the <a href="#request-url">request URL</a> &lt;scheme> is not
     supported, infinite loop precautions are violated, or the user agent
     does not wish to make the new request for some other reason, apply the
     <a href="#network-error-steps">network error steps</a> and terminate
     this set of steps.

   <li>
    <p>If the <a href="#request-url">request URL</a> contains the <a
     href="#userinfo"><code>userinfo</code></a> production apply the <a
     href="#network-error-steps">network error steps</a>.

   <li>
    <p>If the <a href="#resource-sharing-check">resource sharing check</a>
     for the current resource returns fail, apply the <a
     href="#network-error-steps">network error steps</a>.
   </li>
   <!--This prevents intranet data leakage.-->

   <li>
    <p>Otherwise, transparently follow the redirect while observing the set
     of <i>request rules</i>.
   </li>
   <!-- XXX or should this use the make a request steps? -->
  </ol>

  <p class=note>A redirect to a URL that is <a href="#same-origin">same
   origin</a> with the <a href="#source-origin">source origin</a> is handled
   identically to any other URL.

  <p class=note>A redirect to a URL that is <a
   href="#cross-origin">cross-origin</a> has consequences for the value of
   the <a href="#http-origin"><code title=http-origin>Origin</code></a>
   header as detailed by its specification.

  <hr>

  <p>Whenever the <dfn id=abort-steps>abort steps</dfn> are applied,
   terminate the algorithm that invoked this set of steps and set the <a
   href="#cross-origin-request-status">cross-origin request status</a> to
   <i>abort error</i>.

  <hr>

  <p>Whenever the <dfn id=network-error-steps>network error steps</dfn> are
   applied, terminate the algorithm that invoked this set of steps and set
   the <a href="#cross-origin-request-status">cross-origin request status</a>
   to <i>network error</i>.

  <p>Whenever the <dfn id=cache-and-network-error-steps>cache and network
   error steps</dfn> are applied, follow this set of steps:

  <ol>
   <li>
    <p>Remove the entries in the <a href="#preflight-result-cache">preflight
     result cache</a> where <a href="#cache-origin"
     title=cache-origin>origin</a> field value is a <a
     href="#case-sensitive">case-sensitive</a> match for <a
     href="#source-origin">source origin</a> and <a href="#cache-url"
     title=cache-url>url</a> field value is a <a
     href="#case-sensitive">case-sensitive</a> match for <a
     href="#request-url">request URL</a>.

   <li>
    <p>Apply the <a href="#network-error-steps">network error steps</a>
     acting as if the algorithm that invoked the <a
     href="#cache-and-network-error-steps">cache and network error steps</a>
     invoked the <a href="#network-error-steps">network error steps</a>
     instead.</p>
  </ol>

  <hr>

  <p>There is a <dfn id=preflight-result-cache-match>cache match</dfn> when
   there is a cache entry in the <a href="#preflight-result-cache">preflight
   result cache</a> for which the following is true:

  <ul>
   <li>
    <p>The <a href="#cache-origin" title=cache-origin>origin</a> field value
     is a <a href="#case-sensitive">case-sensitive</a> match for <a
     href="#source-origin">source origin</a>.

   <li>
    <p>The <a href="#cache-url" title=cache-url>url</a> field value is a <a
     href="#case-sensitive">case-sensitive</a> match for <a
     href="#request-url">request URL</a>.

   <li>
    <p>The <a href="#cache-credentials"
     title=cache-credentials>credentials</a> field value is equal to the <a
     href="#credentials-flag">credentials flag</a>.
  </ul>

  <p>There is a <dfn id=preflight-result-cache-method-match>method cache
   match</dfn> when there is a cache entry for which there is a <a
   href="#preflight-result-cache-match">cache match</a> and the <a
   href="#cache-method" title=cache-method>method</a> field value is a <a
   href="#case-sensitive">case-sensitive</a> match for the given method.

  <p>There is a <dfn id=preflight-result-cache-header-match>header cache
   match</dfn> when there is a cache entry for which there is a <a
   href="#preflight-result-cache-match">cache match</a> and the <a
   href="#cache-header" title=cache-header>header</a> field value is an <a
   href="#ascii-case-insensitive">ASCII case-insensitive</a> match for the
   given header field name.
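  <p>As an added illustration that is not part of this specification, the
   following JavaScript models the preflight decision, the
   <code>OPTIONS</code> request, the handling of a preflight response (the
   "Otherwise" branch of the preflight request rules, assuming the resource
   sharing check has already passed) and the cache match rules defined
   above. The comma-splitting header parser, the simple-header list without
   its <code>Content-Type</code> media-type restriction, and the
   <code>MAX_AGE_LIMIT</code> value are simplifying assumptions, not
   something this specification states.

```javascript
// Added example; not code from the CORS specification. Models the preflight
// result cache of sections 6.1.5 to 6.1.7. Assumptions: header parsing is a
// comma split, the simple-header list ignores the Content-Type media-type
// rule, and MAX_AGE_LIMIT is an invented user-agent limit (see section 6.3).
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const MAX_AGE_LIMIT = 86400; // seconds; assumed user-agent cap on max-age

// Response headers are [name, value] pairs so repeated headers stay visible.
function headerValues(headers, name) {
  const wanted = name.toLowerCase();
  return headers.filter(([n]) => n.toLowerCase() === wanted).map(([, v]) => v);
}

// Simplified "header parsing": comma-separated tokens; an empty token is a parse failure.
function parseTokenList(values) {
  if (values.length === 0) return [];
  const tokens = values.join(",").split(",").map((t) => t.trim());
  return tokens.some((t) => t === "") ? null : tokens;
}

// Section 6.1.7 cache match: entry still live (max-age seconds not yet passed
// since storing), origin and url case-sensitive, credentials flag equal.
function cacheMatch(entry, req, now) {
  return now - entry.storedAt < entry.maxAge && entry.origin === req.origin &&
    entry.url === req.url && entry.credentials === req.credentials;
}
function methodCacheMatch(cache, req, method, now) {
  return cache.some((e) => cacheMatch(e, req, now) && e.method === method);
}
function headerCacheMatch(cache, req, name, now) {
  return cache.some((e) => cacheMatch(e, req, now) && e.header !== "" &&
    e.header.toLowerCase() === name.toLowerCase());
}

// Section 6.1.5 step 1: skip the preflight only if the method and every custom
// header are simple or covered by a live cache entry.
function needsPreflight(cache, req, now) {
  const methodOk = SIMPLE_METHODS.has(req.method) || methodCacheMatch(cache, req, req.method, now);
  const headersOk = req.customHeaders.every((h) =>
    SIMPLE_HEADERS.has(h.toLowerCase()) || headerCacheMatch(cache, req, h, now));
  return !(methodOk && headersOk);
}

// The OPTIONS request: no custom headers, no credentials, no entity body.
function buildPreflightRequest(req) {
  const headers = [["Origin", req.origin], ["Access-Control-Request-Method", req.method]];
  if (req.customHeaders.length > 0) {
    headers.push(["Access-Control-Request-Headers",
      req.customHeaders.map((h) => h.toLowerCase()).sort().join(",")]);
  }
  return { method: "OPTIONS", url: req.url, headers, credentials: false, body: null };
}

// Cache and network error steps: drop every entry for this origin/URL pair
// (whatever its credentials field), then report a network error.
function cacheAndNetworkError(cache, req) {
  for (let i = cache.length - 1; i >= 0; i--) {
    if (cache[i].origin === req.origin && cache[i].url === req.url) cache.splice(i, 1);
  }
  return "network error";
}

// The "Otherwise" branch of the preflight request rules, assuming the resource
// sharing check on the response already returned pass.
function processPreflightResponse(cache, req, responseHeaders, now) {
  const methods = parseTokenList(headerValues(responseHeaders, "Access-Control-Allow-Methods"));
  const headers = parseTokenList(headerValues(responseHeaders, "Access-Control-Allow-Headers"));
  if (methods === null || headers === null) return cacheAndNetworkError(cache, req);
  if (!SIMPLE_METHODS.has(req.method) && !methods.includes(req.method)) {
    return cacheAndNetworkError(cache, req);
  }
  const allowedLower = headers.map((h) => h.toLowerCase());
  for (const h of req.customHeaders) {
    if (!SIMPLE_HEADERS.has(h.toLowerCase()) && !allowedLower.includes(h.toLowerCase())) {
      return cacheAndNetworkError(cache, req);
    }
  }
  // Exactly one well-formed Access-Control-Max-Age header; otherwise a
  // user-agent-chosen value (0 here, so nothing becomes reusable).
  const maxAgeValues = headerValues(responseHeaders, "Access-Control-Max-Age");
  let maxAge = 0;
  if (maxAgeValues.length === 1 && /^[0-9]+$/.test(maxAgeValues[0].trim())) {
    maxAge = Math.min(parseInt(maxAgeValues[0], 10), MAX_AGE_LIMIT);
  }
  const newEntry = (method, header) => ({ origin: req.origin, url: req.url, maxAge,
    credentials: req.credentials, method, header, storedAt: now });
  for (const m of methods) {
    const hit = cache.find((e) => cacheMatch(e, req, now) && e.method === m);
    if (hit) hit.maxAge = maxAge; else cache.push(newEntry(m, ""));
  }
  for (const h of headers) {
    const hit = cache.find((e) => cacheMatch(e, req, now) && e.header !== "" &&
      e.header.toLowerCase() === h.toLowerCase());
    if (hit) hit.maxAge = maxAge; else cache.push(newEntry("", h));
  }
  return "preflight complete";
}
```

  <p>Running the scenario from the example above through these functions
   shows the cache entries expiring after 2520 seconds and a failed preflight
   wiping every entry for that origin and URL, which is why a server that
   suddenly withdraws a method also invalidates previously allowed ones.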

  <h3 id=resource-sharing-check0><span class=secno>6.2. </span>Resource
   Sharing Check</h3>

  <p>The <dfn id=resource-sharing-check>resource sharing check</dfn>
   algorithm for a given resource is as follows:

  <ol>
   <li>
    <p>If the response includes zero or more than one <a
     href="#http-access-control-allow-origin"><code>Access-Control-Allow-Origin</code></a>
     header values return fail and terminate this algorithm.

   <li>
    <p>If the <a
     href="#http-access-control-allow-origin"><code>Access-Control-Allow-Origin</code></a>
     header value is the literal "<code>*</code>" character and the <a
     href="#credentials-flag">credentials flag</a> is false return pass and
     terminate this algorithm.

   <li>
    <p>If the value of <a
     href="#http-access-control-allow-origin"><code>Access-Control-Allow-Origin</code></a>
     is not a <a href="#case-sensitive">case-sensitive</a> match for the
     value of the <a href="#http-origin"><code
     title=http-origin>Origin</code></a> header as defined by its
     specification return fail and terminate this algorithm.

   <li>
    <p>If the <a href="#credentials-flag">credentials flag</a> is true and
     the response includes zero or more than one <a
     href="#http-access-control-allow-credentials"><code>Access-Control-Allow-Credentials</code></a>
     header values return fail and terminate this algorithm.

   <li>
    <p>If the <a href="#credentials-flag">credentials flag</a> is true and
     the <a
     href="#http-access-control-allow-credentials"><code>Access-Control-Allow-Credentials</code></a>
     header value is not a <a href="#case-sensitive">case-sensitive</a> match
     for "<code>true</code>" return fail and terminate this algorithm.

   <li>
    <p>Return pass.
  </ol>

  <p class=note>The above algorithm also functions when the <a
   href="#origin-ascii">ASCII serialization of an origin</a> is the string
   "<code>null</code>".
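  <p>The following JavaScript is an added illustration, not code from this
   specification: it applies the resource sharing check above to a response
   header list. Headers are represented as name/value pairs so that repeated
   headers can be counted; treating a single header carrying a
   comma-separated list as one value is a simplification.

```javascript
// Added example; not code from the CORS specification. Applies the resource
// sharing check of section 6.2 to a response header list. Headers are
// [name, value] pairs so duplicates are countable; a single header carrying a
// comma-separated list is treated as one value here (a simplification).
function headerValues(headers, name) {
  const wanted = name.toLowerCase();
  return headers.filter(([n]) => n.toLowerCase() === wanted).map(([, v]) => v.trim());
}

// origin is the ASCII serialization sent in the Origin header (may be "null").
function resourceSharingCheck(responseHeaders, origin, credentialsFlag) {
  const allowOrigin = headerValues(responseHeaders, "Access-Control-Allow-Origin");
  // Step 1: zero or more than one Access-Control-Allow-Origin header fails.
  if (allowOrigin.length !== 1) return "fail";
  // Step 2: "*" passes only when no credentials are involved.
  if (allowOrigin[0] === "*" && !credentialsFlag) return "pass";
  // Step 3: otherwise the value must be a case-sensitive match for Origin
  // ("*" together with credentials falls through to here and fails).
  if (allowOrigin[0] !== origin) return "fail";
  if (credentialsFlag) {
    const allowCred = headerValues(responseHeaders, "Access-Control-Allow-Credentials");
    // Steps 4 and 5: exactly one header, and its value is literally "true".
    if (allowCred.length !== 1 || allowCred[0] !== "true") return "fail";
  }
  // Step 6.
  return "pass";
}
```

  <p>A server that reflects the request's <code>Origin</code> value into
   <code>Access-Control-Allow-Origin</code> together with
   <code>Access-Control-Allow-Credentials: true</code> passes this check for
   every origin; the check enforces the policy the server states, so the
   server-side decision of which origins to list is where the protection
   actually lives.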

  <h3 id=user-agent-security><span class=secno>6.3. </span>Security</h3>

  <p><em>This section is non-normative.</em>

  <p>At various places user agents are allowed to take additional
   precautions. E.g. user agents are allowed to not store cache items, remove
   cache items before they reached their <a href="#cache-max-age"
   title=cache-max-age>max-age</a>, and not connect to certain <a href="#url"
   title=URL>URLs</a>.

  <p>User agents are encouraged to impose a limit on <a href="#cache-max-age"
   title=cache-max-age>max-age</a> so items cannot stay in the <a
   href="#preflight-result-cache">preflight result cache</a> for unreasonable
   amounts of time.

  <p>As indicated as the first step of the <a
   href="#cross-origin-request">cross-origin request</a> algorithm and in the
   <a href="#redirect-steps">redirect steps</a> algorithm user agents are
   allowed to terminate the algorithm and not make a request. This could be
   done because e.g.:

  <ul>
   <li>The server on which the resource resides is blacklisted.

   <li>The server on which the resource resides is known to be part of an
    intranet.

   <li>The URL &lt;scheme> is not supported.

   <li><code>https</code> to <code>http</code> is not allowed.

   <li><code>https</code> to <code>https</code> is not allowed because e.g.
    the certificates differ.
  </ul>

  <p>User agents are encouraged to apply security decisions on a generic
   level and not just to the resource sharing policy. E.g. if a user agent
   disallows requests from the <code>https</code> to the <code>http</code>
   scheme for a <a href="#cross-origin-request">cross-origin request</a> it
   is encouraged to do the same for the HTML <code>img</code> element.

  <h2 id=cors-api-specification-advice><span class=secno>7. </span>CORS API
   Specification Advice</h2>

  <p><em>This section is non-normative.</em>

  <p>This specification defines a resource sharing policy that cannot be
   implemented without an API that utilizes it. The specification that
   defines the API that uses the policy is a CORS API specification.

  <p>In case a CORS API specification defines multiple APIs that utilize the
   policy the advice is to be considered separately for each API.

  <h3 id=cors-api-specifiation-request><span class=secno>7.1.
   </span>Constructing a Cross-Origin Request</h3>

  <p>For all requests APIs can make that are <a
   href="#cross-origin">cross-origin</a> for which the resource sharing
   policy in this specification is supposed to apply, the CORS API
   specification needs to reference the <a
   href="#cross-origin-request">cross-origin request</a> algorithm and set
   the following input variables appropriately: <a
   href="#request-url">request URL</a>, <a href="#request-method">request
   method</a>, <a href="#custom-request-headers">custom request headers</a>,
   <a href="#request-entity-body">request entity body</a>, <a
   href="#source-origin">source origin</a>, <a
   href="#credentials-flag">credentials flag</a>, and the <a
   href="#force-preflight-flag">force preflight flag</a>.

  <p>CORS API specifications are allowed to let these input variables be
   controlled by the API, but can also set fixed values.

  <p class=example>A CORS API specification for an API that only allows
   requests using the <code>GET</code> method might set <a
   href="#request-method">request method</a> to <code>GET</code>, <a
   href="#request-entity-body">request entity body</a> to empty, and <a
   href="#source-origin">source origin</a> to some appropriate value and let
   the other variables be controlled by the API.

  <h3 id=cors-api-specification-redirect><span class=secno>7.2.
   </span>Dealing with Same Origin to Cross-Origin Redirects</h3>

  <p>Since browsers are based on a <a href="#same-origin">same origin</a>
   security model and the policy outlined in this specification is intended
   for APIs used in browsers, it is expected that APIs that will utilize this
   policy will have to handle a <a href="#same-origin">same origin</a>
   request that results in a redirect that is <a
   href="#cross-origin">cross-origin</a> in a special way.

  <p>For APIs that transparently handle redirects CORS API specifications are
   encouraged to handle this scenario transparently as well by "catching" the
   redirect and invoking the <a href="#cross-origin-request">cross-origin
   request</a> algorithm on the (<a href="#cross-origin">cross-origin</a>)
   redirect URL.

  <p class=note>The <code>XMLHttpRequest</code> Level 2 specification does
   this.

  <h3 id=cors-api-specification-response><span class=secno>7.3.
   </span>Dealing with the Cross-Origin Request Status</h3>

  <p>While a <a href="#cross-origin-request">cross-origin request</a> is
   progressing its associated <a
   href="#cross-origin-request-status">cross-origin request status</a> is
   updated. Depending on the value of the <a
   href="#cross-origin-request-status">cross-origin request status</a> the
   API is to react in a different way:

  <dl>
   <dt><i>preflight complete</i>

   <dd>
    <p>Features that can only be safely exposed after a <a
     href="#preflight-request">preflight request</a> can now be enabled.</p>

    <p class=note>E.g. upload progress events in <code>XMLHttpRequest</code>.</p>

   <dt><i>success</i>

   <dd>
    <p>The contents of the response can be shared with the API, including
     headers that have not been filtered out.</p>

    <p class=note>The request itself can still be progressing. I.e. the <a
     href="#cross-origin-request-status">cross-origin request status</a>
     value does not indicate that the request has completed.</p>

   <dt><i>abort error</i>

   <dd>
    <p>Handle analogously to requests that the user aborted. This can be
     handled equivalently to how <i>network error</i> is handled. Ensure not
     to reveal any further information about the request.

   <dt><i>network error</i>

   <dd>
    <p>Handle analogously to requests where some kind of error occurred.
     Ensure not to reveal any further information about the request.
  </dl>

  <h3 id=cors-api-specification-security><span class=secno>7.4.
   </span>Security</h3>

  <p>Similarly to <a href="#same-origin">same origin</a> requests, CORS API
   specifications are encouraged to properly limit headers, methods, and <a
   href="#user-credentials">user credentials</a> the author can set and get
   for requests that are <a href="#cross-origin">cross-origin</a>.

  <p class=note>Reviewing the XMLHttpRequest Level 2 specification provides a
   good start for the kind of limitations that are to be imposed.

  <p>CORS API specifications also need to ensure not to reveal anything until
   the <a href="#cross-origin-request-status">cross-origin request status</a>
   is set to <i>preflight complete</i> or <i>success</i> to prevent e.g. port
   scanning.

  <p class=note>In XMLHttpRequest Level 2 progress events are dispatched only
   after the <a href="#cross-origin-request-status">cross-origin request
   status</a> is set to <i>success</i>. Upload progress events are only
   dispatched once the <a href="#cross-origin-request-status">cross-origin
   request status</a> is <i>preflight complete</i>.

  <h2 class=no-num id=requirements>Requirements</h2>

  <p><em>This appendix is non-normative.</em>

  <p>This appendix outlines the various requirements that influenced the
   design of the Cross-Origin Resource Sharing specification.

  <ol>
   <li>
    <p>Must not introduce attack vectors to servers that are protected only
     by a firewall.

   <li>
    <p>The solution should not introduce additional attack vectors against
     services that are protected only by way of firewalls. This requirement
     addresses "intranet" style services that authorize any requests that can
     be sent to the service.</p>

    <p>Note that this requirement does not preclude <code>HEAD</code>,
     <code>OPTIONS</code>, or <code>GET</code> requests (even with ambient
     authentication and session information).</p>

   <li>
    <p>It should not be possible to perform cross-origin non-safe operations,
     i.e., HTTP operations except for <code>GET</code>, <code>HEAD</code>,
     and <code>OPTIONS</code>, without an authorization check being
     performed.

   <li>
    <p>Should try to prevent dictionary-based, distributed, brute-force
     attacks that try to get login accounts to 3<sup>rd</sup> party servers,
     to the extent possible.

   <li>
    <p>Should properly enforce security policy in the face of commonly
     deployed proxy servers sitting between the user agent and any of servers
     with whom the user agent is communicating.

   <li>
    <p>Should not allow loading and exposing of resources from 3<sup>rd</sup>
     party servers without explicit consent of these servers as such
     resources can contain sensitive information.

   <li>
    <p>Must not require content authors or site maintainers to implement new
     or additional security protections to preserve their existing level of
     security protection.

   <li>
    <p>Must be deployable to IIS and Apache without requiring actions by the
     server administrator in a configuration where the user can upload static
     files, run serverside scripts (such as PHP, ASP, and CGI), control
     headers, and control authorization, but only do this for URLs under a
     given set of subdirectories on the server.

   <li>
    <p>Must be able to deploy support for cross-origin <code>GET</code>
     requests without having to use server-side scripting (such as PHP, ASP,
     or CGI) on IIS and Apache.

   <li>
    <p>The solution must be applicable to arbitrary media types. It must be
     deployable without requiring special packaging of resources, or changes
     to resources' content.

   <li>
    <p>It should be possible to configure distinct cross-origin authorization
     policies for different target resources that reside within the same
     origin.

   <li>
    <p>It should be possible to distribute content of any type. Likewise, it
     should be possible to transmit content of any type to the server if the
     API in use allows such functionality.

   <li>
    <p>It should be possible to allow only specific servers, or sets of
     servers to fetch the resource.

   <li>
    <p>Must not require that the server filters the entity body of the
     resource in order to deny cross-origin access to all resources on the
     server.

   <li>
    <p>Cross-origin requests should not require API changes other than
     allowing cross-origin requests. This means that the following examples
     should work for resources residing on <code>http://test.example</code>
     (modulo changes to the respective specifications to allow cross-origin
     requests):</p>

    <ul>
     <li>
      <pre><code>&lt;?xml-stylesheet type="application/xslt+xml" href="http://example.org/annotate.xslt"?></code></pre>

     <li>
      <pre><code>&lt;?xbl href="http://example.org/globe.xml"?></code></pre>

     <li>
      <pre><code>xhr = new XMLHttpRequest();
xhr.open("GET", "http://example.org/data.text");
xhr.send();</code></pre>
    </ul>

   <li>
    <p>It should be possible to issue methods other than <code>GET</code> to
     the server, such as <code>POST</code> and <code>DELETE</code>.

   <li>
    <p>Should be compatible with commonly used HTTP authentication and
     session management mechanisms. I.e. on an IIS server, where
     authentication and session management are generally done by the server
     before ASP pages execute, this should also be possible for cross-origin
     requests. The same applies to PHP on Apache.

   <li>
    <p>Should reduce the risk of inadvertently allowing access when it is not
     intended. That is, it should be clear to the content provider when
     access is granted and when it is not.
  </ol>

  <h2 class=no-num id=use-cases>Use Cases</h2>

  <p><em>This appendix is non-normative.</em>

  <p>The main motivation behind Cross-Origin Resource Sharing (CORS) was to
   remove the <a href="#same-origin">same origin</a> restriction from various
   APIs so that resources can be shared among different <a href="#origin"
   title=origin>origins</a> (i.e. servers).

  <p>Here are some examples of how we envision APIs to be able to change with
   CORS.

  <dl>
   <dt><code>XMLHttpRequest</code> (<a href="#ref-xhr">[XHR]</a>)

   <dd>
    <p>Currently if you have an API on the server at
     <code>https://calendar.example/add</code> that accepts requests using
     the HTTP <code>PUT</code> method to add new appointments you can only
     issue such requests from within the browser environment on resources
     within the <code>https://calendar.example/</code> <a
     href="#origin">origin</a>, as follows:</p>

    <pre><code>var client = new XMLHttpRequest()
client.open("PUT", "https://calendar.example/add")
client.onload = requestSuccess
client.onerror = requestError
client.onabort = requestError
client.send(appointment)</code></pre>

    <p>If the <code>https://calendar.example/add</code> resource implements
     CORS it can accept requests from other <a href="#origin"
     title=origin>origins</a>. To do this the server has to indicate it is
     willing to handle HTTP <code>PUT</code> methods for non <a
     href="#same-origin" title="same origin">same-origin</a> requests in
     response to a <a href="#preflight-request">preflight request</a>.
     Further when the <a href="#actual-request">actual request</a> is issued
     it has to indicate it is willing to share any response data.</p>

    <p>Code Web application developers use to talk with this resource can
     however remain unmodified, even when put on another <a
     href="#origin">origin</a>.</p>

   <dd>
    <p>If there is an API on <code>http://foo.example.org/</code> that allows
     authenticated users to edit resources, CORS could be used to allow users
     to use <code>http://editor.example/</code> as editor without the need for
     proxies when communicating changes to resources (e.g. addition or
     removal).</p>

   <dt>Not tainting the <code>canvas</code> element (<a
    href="#ref-html5">[HTML5]</a>)

   <dd>
    <p>Currently if you have an image editor implemented using the
     <code>canvas</code> element at <code>http://unicornimages.example</code>
     and a clip art collection at <code>http://narwhalart.example</code>
     drawing the clip art on the <code>canvas</code> element will cause it to
     be tainted because the images are from a different <a
     href="#origin">origin</a>. The effect of a tainted <code>canvas</code>
     element is that the <code>toDataURL()</code> method call in the
     following snippet will throw:</p>

    <pre><code>var canvas, context, clipart = []
function init() {
  canvas = document.getElementsByTagName("canvas")[0]
  context = canvas.getContext("2d")
}
function preload() {
  // populates clipart with five images from
  // http://narwhalart.example/archives/[0-9]
  // all represented as HTML &lt;img> elements
  &hellip;
}
function draw(clipart) {
  context.drawImage(clipart, &hellip;)
}
function save() {
  // get data out of &lt;canvas> and process it
  var data = canvas.toDataURL()
  &hellip;
}</code></pre>

    <p>Using CORS the maintainer of <code>http://narwhalart.example</code>
     can very easily indicate that all images can be used by
     <code>http://unicornimages.example</code> (or in fact all <a
     href="#origin" title=origin>origins</a>). To do so all that is required
     to change is that the server has to add the following HTTP headers for
     the clip art resources:</p>

    <pre><code>access-control-allow-origin: http://unicornimages.example
access-control-allow-credentials: true</code></pre>

    <p>This would also make the <code>toDataURL()</code> method call no
     longer throw.</p>

   <dt>Getting metadata out of media elements (<a
    href="#ref-html5">[HTML5]</a>)

   <dd>
    <p>At some point in the future the HTML <code>video</code> and
     <code>audio</code> elements will give a programmatic API to access their
     metadata. This could be as simple as the following snippet shows:</p>

    <p class=note>The API itself is pure speculation and its specifics are
     not relevant for explaining how CORS can be used.</p>

    <pre><code>var vid = document.querySelector("video"),
    vidAuthor = vid.meta.author</code></pre>

    <p>To prevent data theft this API will only work if the media resource is
     <a href="#same-origin">same origin</a> with where the script is executed
     from. However, if the video were annotated with CORS, similarly to the
     image resource in the previous use case, this could work just fine.</p>

   <dt>Server-Sent Events (<a href="#ref-sse">[SSE]</a>)

   <dd>
    <p>Currently if <code>http://example.org/news</code> exposes a stream of
     news events only resources on <code>http://example.org</code> can make
     use of it. With CORS it would be very easy to allow
     <code>http://international.example.org</code> to access the stream of
     news as well. If this news stream is personalized e.g. by the means of
     cookies it only requires one additional response header for
     <code>http://international.example.org</code> to be able to make use of
     it:</p>

    <pre><code>access-control-allow-origin: http://international.example.org
access-control-allow-credentials: true</code></pre>

    <p>The code used by Web authors would remain near identical (identical if
     they use an absolute URL):</p>

    <pre><code>var stream = new EventSource("http://example.org/news")
stream.onmessage = function(e) { &hellip; }</code></pre>

   <dt><code>xml-stylesheet</code> processing instruction (<a
    href="#ref-xmlsspi">[XMLSSPI]</a>)

   <dd>
    <p>Currently <a href="#cross-origin">cross-origin</a> loads of XSLT
     resources are prohibited to prevent data theft (e.g. from an intranet).
     With CORS an XSLT resource
     <code>http://static.example.org/generic</code> can easily be used by
     <code>http://example.org</code> resources by adding an additional HTTP
     header to the resource. Again, the code used by Web authors remains the
     same:</p>

    <pre><code>&lt;?xml-stylesheet href="http://static.example.org/generic"?></code></pre>

   <dt>XBL (<a href="#ref-xbl">[XBL]</a>)

   <dd>
    <p>An XBL binding allows the document to which it is bound to have full
     access to the document in which it is defined. To prevent data theft <a
     href="#cross-origin">cross-origin</a> XBL usage is therefore prohibited.
     The resource sharing policy enables <a
     href="#cross-origin">cross-origin</a> XBL bindings. If the user is
     authenticated with the server that hosts the XBL widget it is possible
     to have user-specific <a href="#cross-origin">cross-origin</a>
     bindings.</p>
  </dl>
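  <p>The server side of the <code>https://calendar.example/add</code> use case above, as an added example that is not code from this specification: a handler that answers the preflight for <code>PUT</code> and then the actual request, opting in only an allow-list of origins. The allow-list, the function name and the status codes are assumptions made for this example.</p>

```javascript
// Added example, not code from the specification: server-side CORS policy for the
// https://calendar.example/add resource, which accepts PUT. The allow-list, function
// name and status codes are assumptions made for this example.
const ALLOWED_ORIGINS = new Set(["https://calendar.example", "https://scheduler.example"]);
const ALLOWED_METHODS = ["PUT"];

// Compute status and response headers for one request. `method` is the HTTP method and
// `headers` is a lowercase-keyed object of request headers. A response without any
// Access-Control-* headers is exactly what a legacy server sends: the client's resource
// sharing check then fails and nothing is exposed to the requesting origin.
function corsResponse(method, headers) {
  const origin = headers["origin"];
  const requested = headers["access-control-request-method"];
  const isPreflight = method === "OPTIONS" && requested !== undefined;
  const crossOrigin = origin !== undefined; // no Origin header: not a CORS request

  // Deny unlisted origins outright rather than only withholding the handshake, so a
  // state-changing PUT from an unknown origin has no side effect on the server.
  if (crossOrigin && !ALLOWED_ORIGINS.has(origin)) return { status: 403, headers: {} };
  if (isPreflight && !crossOrigin) return { status: 400, headers: {} };

  // Echo exactly one origin (never "*") because credentials are allowed, and tell shared
  // caches the answer depends on Origin so one origin's grant is not replayed to another.
  const share = crossOrigin ? {
    "access-control-allow-origin": origin,
    "access-control-allow-credentials": "true",
    "vary": "Origin",
  } : {};

  if (isPreflight) {
    // "Permission to make the request": grant only the methods this resource implements.
    if (!ALLOWED_METHODS.includes(requested)) return { status: 403, headers: {} };
    return { status: 200, headers: { ...share,
      "access-control-allow-methods": ALLOWED_METHODS.join(", "),
      "access-control-max-age": "600" } };
  }
  if (method === "PUT") {
    // Actual request: the same opt-in headers grant "permission to read" the response.
    return { status: 200, headers: share };
  }
  return { status: 405, headers: {} };
}

// Walk through the exchange for a page served from https://scheduler.example.
console.log(corsResponse("OPTIONS", { origin: "https://scheduler.example",
  "access-control-request-method": "PUT" }));
console.log(corsResponse("PUT", { origin: "https://scheduler.example" }));
```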

  <h2 class=no-num id=design-decision-faq>Design Decision FAQ</h2>

  <p><em>This appendix is non-normative.</em>

  <p>This appendix documents several frequently asked questions and their
   corresponding response.

  <dl>
   <dt>Why is there a <a href="#preflight-request">preflight request</a>?

   <dd>
    <p>For most types of requests two <a href="#resource-sharing-check"
     title="resource sharing check">resource sharing checks</a> are
     performed. Initially a "permission to make the request" check is done on
     the response to the <a href="#preflight-request">preflight request</a>.
     And then a "permission to read" check is done on the response to the <a
     href="#actual-request">actual request</a>. Both of these checks need to
     succeed in order for success to be relayed to the API (e.g.
     <code>XMLHttpRequest</code>).</p>

    <p>The "permission to make the request" check is performed because
     deployed servers do not expect such cross-origin requests (e.g. a
     request using the HTTP <code>DELETE</code> method). If they reply
     positively to the <a href="#preflight-request">preflight request</a> the
     client knows it can go ahead and perform the actual desired request.

   <dt>Why is <code>POST</code> treated similarly to <code>GET</code>?

   <dd>
    <p>Cross-origin <code>POST</code> requests have long been possible using
     the HTML <code>form</code> element. However, this is only the case when
     <code>Content-Type</code> is set to one of the media types allowed by
     HTML forms.</p>

   <dt>Why are cookies and authentication information sent in the request?

   <dd>
    <p>Sending cookies and authentication information enables user-specific
     cross-origin widgets (external XBL file). It also allows for a user
     authenticated data storage API that services can use to store data in.

    <p>Cookies and authentication information are already sent cross-origin
     for various HTML elements, such as <code>img</code>,
     <code>script</code>, and <code>form</code>.

    <p>This specification does allow for APIs that use the resource sharing
     policy to not send cookies or authentication information by means of the
     <a href="#credentials-flag">credentials flag</a>.</p>

   <dt>Why can cookies and authentication information <em>not</em> be
    provided by the script author for the request?

   <dd>
    <p>This would allow dictionary-based, distributed searches for cookies or
     user credentials.

   <dt>Why is the client the policy enforcement point?

   <dd>
    <p>The client already is the policy enforcement point for these requests.
     The mechanism allows the server to opt in to let the client expose the
     data, something clients currently do not do and which servers rely upon.

    <p>Note however that the server is in full control. Based on the value of
     the <a href="#http-origin"><code title=http-origin>Origin</code></a>
     header in cross-origin requests it can decide to return no data at all
     or not provide the necessary handshake (the <a
     href="#http-access-control-allow-origin"><code>Access-Control-Allow-Origin</code></a>
     header).</p>

   <dt>What about the <code>JSONRequest</code> proposal?

   <dd>
    <p><code>JSONRequest</code> has been considered by the Web Applications
     Working Group and the group has concluded that it does not meet the
     documented <a href="#requirements">requirements</a>.
     <code>JSONRequest</code> is a specific API and cannot handle e.g.
     cross-origin XSLT through <code>&lt;?xml-stylesheet?></code> or the same
     scenarios same-origin <code>XMLHttpRequest</code> can handle today in
     cross-origin fashion, e.g. manipulating resources making use of the REST
     architectural style.
  </dl>
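  <p>The client side of the two checks described in the preflight FAQ above, together with the enforcement-point FAQ, as an added example that is not code from this specification: the resource sharing check as applied to the preflight response and to the actual response, driven against a constructed stand-in for the <code>http://example.org/news</code> server from the Server-Sent Events use case. The function names, the simple-request rule used here and the stand-in server are assumptions made for this example.</p>

```javascript
// Added example, not code from the specification: the client-side half of CORS, i.e. the
// two checks the FAQ describes. The function names, the simple-request rule used here
// and the constructed stand-in server are assumptions made for this example.

// Resource sharing check: may a response from the server be exposed to `requestOrigin`?
// `headers` is a lowercase-keyed object; a repeated header is given as an array of values.
function resourceSharingCheck(headers, requestOrigin, credentialsFlag) {
  const allow = headers["access-control-allow-origin"];
  if (allow === undefined || Array.isArray(allow)) return false; // zero or several values: fail
  if (allow === "*") return !credentialsFlag;   // wildcard never covers a credentialed request
  if (allow !== requestOrigin) return false;    // exact, case-sensitive match of the serialized origin
  if (credentialsFlag && headers["access-control-allow-credentials"] !== "true") return false;
  return true;
}

// Requests HTML forms could already send cross-origin go without a preflight; anything
// else (PUT, DELETE, a JSON body, ...) needs the "permission to make the request" step.
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const FORM_TYPES = new Set(["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);
function needsPreflight(method, requestHeaders) {
  if (!SIMPLE_METHODS.has(method)) return true;
  const type = (requestHeaders["content-type"] || "").split(";")[0].trim().toLowerCase();
  return type !== "" && !FORM_TYPES.has(type);
}

// Preflight check: the preflight response must itself pass the resource sharing check
// and must list the method, unless the method is one forms could already use.
function preflightCheck(preHeaders, requestOrigin, credentialsFlag, method) {
  if (!resourceSharingCheck(preHeaders, requestOrigin, credentialsFlag)) return false;
  const methods = (preHeaders["access-control-allow-methods"] || "").split(",").map((m) => m.trim());
  return SIMPLE_METHODS.has(method) || methods.includes(method);
}

// Drive one cross-origin request. `transport(method, headers)` stands in for the network
// and returns the response headers. Reports at which stage the client refused to continue.
function crossOriginRequest(transport, requestOrigin, method, requestHeaders, credentialsFlag) {
  if (needsPreflight(method, requestHeaders)) {
    const pre = transport("OPTIONS", { origin: requestOrigin, "access-control-request-method": method });
    if (!preflightCheck(pre, requestOrigin, credentialsFlag, method)) return { ok: false, stage: "preflight" };
  }
  const res = transport(method, { ...requestHeaders, origin: requestOrigin });
  if (!resourceSharingCheck(res, requestOrigin, credentialsFlag)) return { ok: false, stage: "actual" };
  return { ok: true, stage: "done" };
}

// Constructed stand-in for http://example.org/news from the Server-Sent Events use case:
// it opts in exactly one origin, with credentials, and lists only GET in its preflight answer.
function demoServer(method, requestHeaders) {
  if (requestHeaders.origin !== "http://international.example.org") return {}; // legacy-style silence
  return {
    "access-control-allow-origin": requestHeaders.origin,
    "access-control-allow-credentials": "true",
    "access-control-allow-methods": "GET",
  };
}
```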

  <h2 class=no-num id=references>References</h2>

  <dl>
   <dt id=ref-cookies>[COOKIES]

   <dd><cite><a
    href="http://tools.ietf.org/html/draft-ietf-httpstate-cookie">HTTP State
    Management Mechanism</a></cite> (work in progress), A. Barth. IETF.

   <dt id=ref-html5>[HTML5]

   <dd><cite><a href="http://dev.w3.org/html5/spec/">HTML5</a></cite> (work
    in progress), I. Hickson. W3C.

   <dd><cite><a
    href="http://www.whatwg.org/specs/web-apps/current-work/">HTML5</a></cite>
    (work in progress), I. Hickson. WHATWG.

   <dt id=ref-http>[HTTP]

   <dd><cite><a
    href="http://tools.ietf.org/html/draft-ietf-httpbis-p1-messaging">HTTP/1.1,
    part 1: URIs, Connections, and Message Parsing</a></cite> (work in
    progress), R. Fielding, J. Gettys, J. Mogul, H. Frystyk, L. Masinter, P.
    Leach, T. Berners-Lee, Y. Lafon, J. Reschke. IETF.

   <dd><cite><a
    href="http://tools.ietf.org/html/draft-ietf-httpbis-p2-semantics">HTTP/1.1,
    part 2: Message Semantics</a></cite> (work in progress), R. Fielding, J.
    Gettys, J. Mogul, H. Frystyk, L. Masinter, P. Leach, T. Berners-Lee, Y.
    Lafon, J. Reschke. IETF.

   <dt id=ref-origin>[ORIGIN]

   <dd><cite><a href="http://tools.ietf.org/html/draft-abarth-origin">The
    HTTP Origin Header</a></cite> (work in progress), A. Barth, C. Jackson,
    I. Hickson. IETF.

   <dt id=ref-ct>[RFC2119]

   <dd><cite><a href="http://tools.ietf.org/html/rfc2119">Key words for use
    in RFCs to Indicate Requirement Levels</a></cite>, S. Bradner. IETF.

   <dt id=ref-uri>[RFC3986]

   <dd><cite><a href="http://tools.ietf.org/html/rfc3986">Uniform Resource
    Identifier (URI): Generic Syntax</a></cite>, T. Berners-Lee, R. Fielding,
    L. Masinter, editors. IETF.

   <dt id=ref-sse>[SSE] <em>(non-normative)</em>

   <dd><cite><a href="http://www.w3.org/TR/eventsource/">Server-Sent
    Events</a></cite> (work in progress), I. Hickson. W3C.

   <dt id=ref-xbl>[XBL] <em>(non-normative)</em>

   <dd><cite><a href="http://www.w3.org/TR/xbl/">XML Binding Language (XBL)
    2.0</a></cite> (work in progress), I. Hickson. W3C.

   <dt id=ref-xhr>[XHR] <em>(non-normative)</em>

   <dd><cite><a href="http://www.w3.org/TR/XMLHttpRequest2/">XMLHttpRequest
    Level 2</a></cite> (work in progress), A. van Kesteren. W3C.

   <dt id=ref-xmlsspi>[XMLSSPI] <em>(non-normative)</em>

   <dd><cite><a href="http://www.w3.org/TR/xml-stylesheet/">Associating Style
    Sheets with XML documents</a></cite>, J. Clark. W3C.
  </dl>

  <h2 class=no-num id=acknowledgments>Acknowledgments</h2>

  <p><em>This appendix is non-normative.</em>

  <p>The editor would like to thank Adam Barth, Alexey Proskuryakov, Arthur
   Barstow, Benjamin Hawkes-Lewis, Bert Bos, Bj&ouml;rn H&ouml;hrmann,
   Cameron McCormack, Collin Jackson, David H&aring;s&auml;ther, David
   Orchard, Dean Jackson, Eric Lawrence, Frank Ellerman, Frederick Hirsch,
   Graham Klyne, Hal Lockhart, Henri Sivonen, Ian Hickson, Jesse M. Heines,
   Jonas Sicking, Lachlan Hunt, Maciej Stachowiak, Marc Silbey, Marcos
   Caceres, Mark Nottingham, Mark S. Miller, Martin D&uuml;rst, Matt Womer,
   Michael Smith, Mohamed Zergaoui, Nikunj Mehta, Sharath Udupa, Sunava
   Dutta, Surya Ismail, Thomas Roessler, Tyler Close, and Zhenbin Xu for
   their contributions to this specification.

  <p>Special thanks to Brad Porter, Matt Oshry and R. Auburn, who all helped
   edit earlier versions of this document.