Accessing Data and CORS

R. Alexander Miłowski

School of Information, UC Berkeley

The Problem

Cross-Origin Resource Sharing (CORS)

Do as your mother told you!

Your mother would be proud.

See: CORS (Wikipedia), W3C Recommendation

Access-Control-Allow-Origin Header

Think: which websites can access this resource?


Allow all websites:

Access-Control-Allow-Origin: *            

Allow a specific website:


Local testing:

Access-Control-Allow-Origin: http://localhost:8080


CORS-enable a service:

We're going to fix the API server so it uses CORS.

Procedure for Activity

  1. Run API servers:

    python api/

  2. Run the client:

    cd web; python -m SimpleHTTPServer
  3. Load http://localhost:8000/index.xhtml and type in "local.json" and press the button. It should load a hacked local resource.
  4. Change index.xhtml to use http://localhost:5000/ as the server when UserFetch is created.

  5. Use 'alex' or 'grace' as the user. It should be broken.

  6. Fix it.
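
One way to approach step 6, as an added example rather than the course's own API code: a WSGI wrapper that sends Access-Control-Allow-Origin only to an allowlisted origin. It assumes the API can be wrapped as a WSGI app; `CORSMiddleware`, `demo_app` and `call` are hypothetical names, and the allowlist holds the client origin from step 3.

```python
ALLOWED_ORIGINS = {"http://localhost:8000"}  # assumed client origin (step 3); an origin has no path or trailing slash

class CORSMiddleware:
    """Wrap a WSGI app and add CORS headers only for allowlisted origins."""
    def __init__(self, app, allowed_origins=ALLOWED_ORIGINS):
        self.app, self.allowed = app, frozenset(allowed_origins)

    def __call__(self, environ, start_response):
        origin = environ.get("HTTP_ORIGIN")
        # Vary: Origin keeps caches from serving one origin's response to another.
        extra = [("Vary", "Origin")]
        if origin in self.allowed:
            # Echo the exact allowlisted origin instead of "*".
            extra.append(("Access-Control-Allow-Origin", origin))
        # Preflight requests are answered here and never reach the wrapped app.
        if environ["REQUEST_METHOD"] == "OPTIONS" and "HTTP_ACCESS_CONTROL_REQUEST_METHOD" in environ:
            if origin in self.allowed:
                extra += [("Access-Control-Allow-Methods", "GET"),
                          ("Access-Control-Allow-Headers", "Content-Type")]
            start_response("204 No Content", extra + [("Content-Length", "0")])
            return [b""]

        def cors_start_response(status, headers, exc_info=None):
            return start_response(status, list(headers) + extra, exc_info)
        return self.app(environ, cors_start_response)

def demo_app(environ, start_response):
    # Constructed stand-in for the API server; returns a fixed JSON body.
    body = b'{"user": "alex"}'
    start_response("200 OK", [("Content-Type", "application/json"),
                              ("Content-Length", str(len(body)))])
    return [body]

def call(app, method="GET", origin=None, preflight=False):
    """Drive a WSGI app once with a constructed request; return (status, headers)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": "/alex"}
    if origin is not None:
        environ["HTTP_ORIGIN"] = origin
    if preflight:
        environ["HTTP_ACCESS_CONTROL_REQUEST_METHOD"] = "GET"
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)
    app(environ, start_response)
    return seen["status"], seen["headers"]

if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    make_server("localhost", 5000, CORSMiddleware(demo_app)).serve_forever()
```

A request whose Origin is not in the allowlist still gets a response from the server, but without the header, so the browser refuses to hand the body to the calling page.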