What is CORS?

CORS stands for Cross-Origin Resource Sharing, a W3C standard, HTTP-header based mechanism that allows a web application to indicate that certain requests from origins (the combination of scheme, domain and port) other than its own should be permitted by a browser.

Basically you have to tell your web service which sites you trust. When a page from another origin makes an HTTP request to the service, the browser attaches an Origin header naming where the request came from. If that origin is trusted, the web service sends the requested resource with Access-Control-Allow-Origin and Access-Control-Allow-Credentials headers in the response; if those headers are missing or do not match, the browser withholds the response from the calling page.

Why is it used?

CORS is used for security reasons: to stop potentially sensitive or damaging requests being made for purposes other than their intended one. Typically, a user's browser would only ever need to make these requests from the same origin as the current web page; however, there are legitimate scenarios where cross-origin access is desirable or even necessary.

In the case of iShare it is typically used to allow your website(s) and Astun’s Spotlight application to include dynamic data requests or embedded maps from the Astun Cloud.

What are the risks?

You need to be aware of the CORS configuration that is set up on your server and the implications this has for security. Make sure that only the websites and endpoints that are required for your external web application(s) to work correctly are configured.

If implemented badly, CORS can lead to major security risks. The main risk is that a third party could load data from iShare, or embed an entire customer map, and pass it off as their own.

How is it configured?

CORS is configured on new iShare servers, so all you should need to do is add ol-ishare.services.astuntechnology.com (which will allow access from Spotlight) and the domain(s) used by your site(s). There is a great website here which details how to configure the CORS Module to allow specific access.
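The decision the server makes in the exchange described above (read the Origin header, echo it back only when it is on the trusted list), written out as an added Python example that is not iShare or Astun code: the Spotlight origin is the one named on this page, the council domain is a constructed placeholder, and a real deployment sets these headers in the server's CORS module rather than in application code.

```python
# Added example (not iShare/Astun code): allow-list based choice of CORS
# response headers for a given request Origin.
from typing import Dict, Optional
from urllib.parse import urlsplit

# Origins (scheme://host[:port]) trusted to read iShare responses cross-origin.
TRUSTED_ORIGINS = frozenset({
    "https://ol-ishare.services.astuntechnology.com",  # Astun Spotlight (from the page)
    "https://maps.example-council.gov.uk",            # constructed placeholder: your own site
})


def normalise_origin(origin: str) -> Optional[str]:
    """Return the origin as lower-case scheme://host[:port], or None when the
    value is not a well-formed origin. Browsers never put a path or query in
    the Origin header, so anything carrying one is rejected outright."""
    parts = urlsplit(origin.strip())
    try:
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path or parts.query or parts.fragment:
        return None
    suffix = f":{port}" if port else ""
    return f"{parts.scheme}://{parts.hostname}{suffix}"


def cors_headers(request_origin: Optional[str]) -> Dict[str, str]:
    """Headers to add to the response for a request carrying the given Origin.

    Only an exact allow-list match is echoed back. A lookalike host that merely
    starts with a trusted name, a different port, or a malformed value gets no
    Access-Control-Allow-Origin at all, so the browser keeps the response body
    away from the calling page. Reflecting whatever Origin arrives is the
    'implemented badly' case the page warns about: it would let any site read
    iShare data or re-host a customer's map as its own."""
    if request_origin is None:  # same-origin request: no CORS headers needed
        return {}
    origin = normalise_origin(request_origin)
    if origin not in TRUSTED_ORIGINS:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,  # exact origin; "*" is invalid with credentials
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",  # the response depends on Origin, so shared caches must key on it
    }
```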