Filed under 분류없음


What is this about?

Cross-Origin Resource Sharing (CORS) is a specification that enables a truly open access across domain-boundaries. With this site we want to support the adoption of CORS. [more...]

If you have public content that doesn't use require cookie or session based authentication to see, then please consider opening it up for universal JavaScript/browser access. [more...]

Why is CORS important?

It is vital for a number of use cases to be able to perform requests that go beyond a single domain. Currently, this is not easily possible due to the same origin policy. [more...]

CORS defines how browsers and servers communicate when accessing sources across origins using HTTP headers to allow both the browser and the server to know enough about each other to determine if the request or response should succeed or fail. [more...]

How can I participate?

Granting JavaScript clients basic access to your resources simply requires adding one HTTP response header, namely:

Access-Control-Allow-Origin: *

The asterisk permits scripts hosted on any site to load your resources; the space-delimited lists limits access to scripts hosted on the listed servers.

Note: this is compatible with both XMLHttpRequest and XDomainRequest and supported by all the major browsers.

Note: it is also important that CORS headers are supplied in case of client errors (4xx) or server errors (5xx). [more...]

For Apache

Apache can be configured to expose this header using mod_headers, this is enabled by default in Apache however you may want to ensure it's enabled by running the following command:

a2enmod headers

To expose the header you simply add the following line inside <Directory>, <Location>, <Files> or <VirtualHost> sections, or within a .htaccess file:

Header set Access-Control-Allow-Origin *

Note: you can also use add rather than set, but be aware that add can add the header multiple times, so it's likely safer to use set. Eventually, you may need to reload Apache to make sure your changes are applied.

For IIS6

To CORS-enable Microsoft IIS6, perform the following steps:

  1. Open Internet Information Service (IIS) Manager
  2. Right click the site you want to enable CORS for and go to Properties
  3. Change to the HTTP Headers tab
  4. In the Custom HTTP headers section, click Add
  5. Enter Access-Control-Allow-Origin as the header name
  6. Enter * as the header value
  7. Click Ok twice

For IIS7

For Microsoft IIS7, merge this into the web.config file at the root of your application or site:

<?xml version="1.0" encoding="utf-8"?>
       <add name="Access-Control-Allow-Origin" value="*" />

If you don't have a web.config file already, or don't know what one is, just create a new file called web.config containing the snippet above.

For Virtuoso

These instance/server-level settings require OpenLink Virtuoso Open Source (VOS) 6.1.3 or later, or Virtuoso Commercial Edition 06.02.3129 or later. [more...]

  1. In the Virtuoso Conductor, go to Web Application ServerVirtual Domains & Directories.
  2. Expand the default Interface store.
  3. Click New Directory.
  4. Specify the desired Virtual Directory Type, or choose an existing virtual directory to use as a template.
  5. Click Next.
  6. Specify the Directory Path value.
  7. Set the CORS options.
    • Cross-Origin Resource Sharing - contains a single wildcard asterisk, i.e., * or a space-delimited list of HTTP server URIs, e.g., Scripts originating on the listed HTTP servers are authorized to retrieve the specified resource(s); the wildcard means scripts from any HTTP server will be authorized. For this example, enter the following single URI:
    • Reject Unintended CORS check-box - when ticked and the application does not overwrite headers, unmatched Origins will be rejected by sending an empty response.
  8. Click Save changes.

For older versions of Virtuoso, any of the Web Application-level instructions below may be used. Any Virtuoso-based application can implement CORS checking through well-known HTTP functions http_request_header() and http_header(), for example:

IF (http_request_header (lines, 'Origin', NULL) = '')
  http_header ('Access-Control-Allow-Origin:\r\n');
-- Additional code here ---

In ExpressJS

In your ExpressJS app on node.js, do the following with your routes:

app.all('/', function(req, res, next) {
  res.header("Access-Control-Allow-Origin", "*");
  res.header("Access-Control-Allow-Headers", "X-Requested-With");

app.get('/', function(req, res, next) {
  // Handle the get for this route
});'/', function(req, res, next) {
 // Handle the post for this route


If you don't have access to configure Apache, you can still send the header from a PHP script. It's a case of adding the following to your PHP scripts:

 header("Access-Control-Allow-Origin: *");

Note: as with all uses of the PHP header function, this must be before any output has been sent from the server.

In CGI Scripts

Just output the line:

Access-Control-Allow-Origin: *

... as part of your CGI script's headers, for example, in Perl (using

print header(
  -type => 'text/turtle',
  -content_location => 'mydata.ttl',
  -access_control_allow_origin => '*',

or in Python:

print "Content-Type: text/turtle"
print "Content-Location: mydata.ttl"
print "Access-Control-Allow-Origin: *"


If you don't have access to configure IIS, you can still add the header through ASP.NET by adding the following line to your source pages:

Response.AppendHeader("Access-Control-Allow-Origin", "*");

Note: this approach is compatible with IIS6, IIS7 Classic Mode, and IIS7 Integrated Mode.

In App Engine

For Python-based applications in Google App Engine, the self.response.headers.add_header() method can be used, such as:

class CORSEnabledHandler(webapp.RequestHandler):
  def get(self):
    self.response.headers.add_header("Access-Control-Allow-Origin", "*")
    self.response.headers['Content-Type'] = 'text/csv'

Who is doing it already?


  • HTML5 Rocks- A resource for open web HTML5 developers
  • WebKit: as announced on the WebGL mailing list, CORS support for images and videos is now fully implemented
  • A JS library that is used on and other Time, Inc properties



SPARQL Endpoints




2012/07/27 16:35 2012/07/27 16:35