Cross-site HTTP requests are HTTP requests for resources loaded from a different domain than the one initially requested. A good example would be an HTTP OPTIONS request that contains headers describing another HTTP request to be made, for example, a GET request for a resource, called the actual request. Such requests are usually subject to different security restrictions due to harmful Cross-Site Scripting (XSS). Over the years, XSS has become famous for allowing the injection of different client-side scripts into web-based resources.
Thus, the W3C has recommended the Cross-Origin Resource Sharing (CORS) mechanism to provide a secure way for web services to support cross-site data transfer. The recommendation is available at http://www.w3.org/TR/cors/. It is built around HTTP request and response headers that control the aspects of the HTTP specification that may be used in XSS to make your application vulnerable to such attacks.
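The preflight exchange described above, as an added example that is not from the original text: a server-side check that reads the headers of an OPTIONS preflight and decides which response headers to return. The header names are those defined by the CORS recommendation; the policy values, the origins and the function name evaluatePreflight are assumptions made for illustration.

```javascript
// Added example: server-side evaluation of a CORS preflight (OPTIONS) request.
// The policy values and origins below are constructed for illustration.
const POLICY = {
  origins: new Set(["https://app.example.com"]),
  methods: new Set(["GET", "POST"]),
  headers: new Set(["content-type", "authorization"]), // compared in lowercase
  maxAge: 600,
};

// headers: object keyed by lowercase header name, as Node's http module provides.
function evaluatePreflight(method, headers, policy = POLICY) {
  const origin = headers["origin"];
  const wantedMethod = headers["access-control-request-method"];
  // Only an OPTIONS request carrying both headers describes an actual request.
  if (method !== "OPTIONS" || !origin || !wantedMethod) {
    return { preflight: false, status: null, headers: {} };
  }
  const wantedHeaders = (headers["access-control-request-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);

  // Exact-match allowlist; an arbitrary Origin is never reflected back.
  const allowed = policy.origins.has(origin) &&
    policy.methods.has(wantedMethod) &&
    wantedHeaders.every((h) => policy.headers.has(h));
  if (!allowed) {
    // No Access-Control-Allow-* headers: the browser will not send the actual request.
    return { preflight: true, status: 403, headers: { Vary: "Origin" } };
  }
  return {
    preflight: true,
    status: 204,
    headers: {
      "Access-Control-Allow-Origin": origin,
      "Access-Control-Allow-Methods": [...policy.methods].join(", "),
      "Access-Control-Allow-Headers": wantedHeaders.join(", "),
      "Access-Control-Max-Age": String(policy.maxAge),
      Vary: "Origin", // caches must key the response on the requesting origin
    },
  };
}

// Constructed sample: preflight for a POST that will carry a Content-Type header.
const sample = evaluatePreflight("OPTIONS", {
  origin: "https://app.example.com",
  "access-control-request-method": "POST",
  "access-control-request-headers": "Content-Type",
});
console.log(sample.status, sample.headers);
```

The denial branch deliberately returns no Access-Control-Allow-* headers, which is what makes the browser withhold the actual request.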
The HTTP request headers are as follows...