OAuth2 & OpenID Connect Deep Dive · Lesson

Cross-Origin Resource Sharing (CORS)

Understand CORS policies in the context of OAuth2 and OIDC, particularly for single-page applications accessing protected resources.

CORS & Secure Web Apps

Welcome! Today we'll explore Cross-Origin Resource Sharing (CORS), a crucial security feature for modern web applications.

CORS is the mechanism by which a server tells the browser to relax the Same-Origin Policy for specific requests, so that a client-side application (such as a Single-Page Application, SPA) can call an API server hosted on a different origin and read its responses.

This is especially vital when your SPA uses OAuth2 or OpenID Connect to access protected resources.

The Same-Origin Policy

To understand CORS, we first need to know about the Same-Origin Policy (SOP).

  • SOP is a fundamental browser security feature.
  • It stops scripts on a page from reading responses to requests sent to a different origin (scheme, host and port) than the one that served the page.
  • For example, a script from app.example.com cannot directly make an AJAX request to api.anothersite.com and read the result.

This protects users from malicious scripts trying to steal data from other sites you're logged into.
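As an added example that is not part of the lesson, the following is the server-side half of the arrangement described above: an API called by an SPA that sends an OAuth2 bearer token decides, per request, whether to emit CORS headers. The allowlist, the origins and the request objects are constructed sample values.

```javascript
// Constructed allowlist: the exact origins of the SPAs that may call this API.
// Origins are compared as whole strings (scheme + host + port), never by suffix.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com", // constructed sample SPA origin
]);

// Compute the CORS response headers for one request.
// `request` is a minimal shape: { method, headers } with lowercase header names.
// Returns {} when no CORS handling is needed, null when the Origin is rejected
// (the browser will then refuse to hand the response to the page's script).
function corsHeaders(request, allowed = ALLOWED_ORIGINS) {
  const origin = request.headers["origin"];
  if (!origin) return {}; // same-origin or non-browser client: SOP is not involved
  if (!allowed.has(origin)) return null; // never reflect an unknown Origin back

  const headers = {
    // Echo the single matching origin; "*" would admit any page on the web.
    "Access-Control-Allow-Origin": origin,
    // Tell caches the response differs by Origin, so one SPA's headers
    // are not served to another.
    "Vary": "Origin",
  };

  if (request.method === "OPTIONS") {
    // Preflight: an Authorization: Bearer header makes the real request
    // "non-simple", so the browser first asks which methods and headers
    // the API will accept for this origin.
    const asked = (request.headers["access-control-request-headers"] || "")
      .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
    const permitted = new Set(["authorization", "content-type"]);
    if (!asked.every((h) => permitted.has(h))) return null; // unknown header requested
    headers["Access-Control-Allow-Methods"] = "GET, POST, OPTIONS";
    headers["Access-Control-Allow-Headers"] = "Authorization, Content-Type";
    headers["Access-Control-Max-Age"] = "600"; // browser may cache this preflight
  }
  return headers;
}

module.exports = { corsHeaders, ALLOWED_ORIGINS };
```

Because the token travels in the Authorization header rather than a cookie, no Access-Control-Allow-Credentials header is needed, which keeps the policy independent of cookie behaviour.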
