CORS
CORS is a browser standard. Meaning, it uses the HTTP headers to decide if the response from server can be shown to the user or not. The server can simply process the request fully and then add the CORS headers for the browser to decide.
NOTE: In case of Spring, the server also verifies and reject requests that doesn't match the CORS configuration.
Why CORS - Cross Origin Resource Sharing
In the past there was only SOP - Same-Origin Policy. Which means, the website could only consume resources from the same origin.
CORS was only introduced to relax this restriction. This also introduces a risk that if CORS isn't configured correctly, this can lead to security issues.
CORS headers are automatically added by the browsers when the HTTP requests are made. This can't be tweaked.
- Complex requests - Preflight request is made with access-control headers to the servers. This has the information on what the browser intend to do. The server then returns if this is allowed or not.
- Simple requests - No preflight request is made. The server can add the access-control headers which then is used by the browser to decide if the response can be shown to the user or not.
Origin Header
This is similar to referer header but doesn't disclose the path of the source page.
This can also be controlled by the referral-policy header.
These headers are used by browsers to avoid sending the request to the web server if the preflight response doesn't satisfy the conditions. This provides security and also avoids unnecessary calls to the web server.
Origin vs Referer Header
Origin and Referer are similar HTTP headers but only the purpose is different. Referer is used to know from which source the request is coming. This is mainly for statistical purposes. Whereas, Origin is used to restrict control of access to resources on other domains.
Origin vs Host Header
Origin and referer contains the information of the browser sending the request.
Host contains the information of the server to which the request is being sent to.