The Same-Origin Policy
Browsers enforce the same-origin policy, which blocks a page from reading the response to an XMLHttpRequest sent to any hostname other than that of the current page.
There were loopholes, the most important being the <script> tag, which could point to any hostname. Over time this led to the JSONP workaround. However, JSONP is not always easy to implement and comes with important security considerations: it only supports GET, and the page executes whatever script the remote server returns, so it must fully trust that server.
CORS on the Server
In the simplest case, CORS is implemented by adding a single server-side HTTP header, Access-Control-Allow-Origin. The wildcard value * shown below is appropriate for public data; a resource that depends on cookies or other credentials must instead name an allowlisted origin, because browsers reject * for credentialed requests.
You can see the Access-Control-Allow-Origin header at work on the ChemWriter website server, on which the molfiles in the Structure-Data Grid example were hosted.
```
$ curl -I http://chemwriter.com/data/structure-1.mol
HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Tue, 27 Aug 2013 18:49:13 GMT
Content-Type: application/octet-stream
Content-Length: 9716
Last-Modified: Tue, 16 Jul 2013 23:47:00 GMT
Connection: keep-alive
ETag: "51e5db74-25f4"
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
```
The CORS website describes how to implement CORS within a variety of server environments.
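As an added example (not ChemWriter's or nginx's code), here is a small Node.js server that attaches CORS headers to molfile responses. The public route reproduces the wildcard seen on chemwriter.com; a hypothetical private route (/private/structure-2.mol) and the origins app.example.com and lab.example.org are assumptions that show the allowlist form needed once cookies or other credentials are involved, including the OPTIONS preflight that non-simple requests trigger.

```javascript
// Added example, not ChemWriter's code: CORS headers for a molfile server.
'use strict';

// Constructed stand-in for a molfile body.
const MOLFILE = '\n  ChemWriter\n\n  0  0  0  0  0  0  0  0  0  0999 V2000\nM  END\n';

// Hypothetical origins permitted to read the private route. An origin is
// scheme + host + port, compared as an exact string; never use a regex or
// substring match here (https://app.example.com.attacker.net would pass).
const ALLOWED_ORIGINS = new Set(['https://app.example.com', 'https://lab.example.org']);

// Build the CORS response headers for one request. reqHeaders uses the
// lower-case keys Node's http module provides. Returns null when a browser
// origin is present but not allowed, so the caller can omit CORS headers.
function corsHeaders(reqHeaders, method, isPublic) {
  const origin = reqHeaders.origin;
  if (!origin) return {};                    // same-origin page or non-browser client
  if (isPublic) {
    // Public data: anyone may read it. Browsers reject '*' for credentialed
    // requests, so it can never be combined with Allow-Credentials.
    return { 'Access-Control-Allow-Origin': '*' };
  }
  if (!ALLOWED_ORIGINS.has(origin)) return null;
  const headers = {
    'Access-Control-Allow-Origin': origin,   // echo the checked value, never the raw header blindly
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',                        // stop caches replaying one origin's answer to another
  };
  if (method === 'OPTIONS') {
    // Preflight: state what the actual request may use.
    headers['Access-Control-Allow-Methods'] = 'GET, OPTIONS';
    headers['Access-Control-Allow-Headers'] = 'Content-Type';
    headers['Access-Control-Max-Age'] = '600';
  }
  return headers;
}

// Route a request { method, url, headers } to { status, headers, body }.
function respond(req) {
  const isPublic = req.url === '/data/structure-1.mol';
  const isPrivate = req.url === '/private/structure-2.mol';   // hypothetical route
  if (!isPublic && !isPrivate) return { status: 404, headers: {}, body: '' };
  const cors = corsHeaders(req.headers, req.method, isPublic);
  const headers = Object.assign({ 'Content-Type': 'application/octet-stream' }, cors || {});
  if (req.method === 'OPTIONS') return { status: 204, headers, body: '' };
  // When cors is null the body is still sent: CORS only decides whether the
  // browser lets script read it. Authentication must happen separately.
  return { status: 200, headers, body: MOLFILE };
}

// Start a real listener only when asked: CORS_DEMO_PORT=8080 node cors-demo.js
if (typeof process !== 'undefined' && process.env.CORS_DEMO_PORT) {
  const http = require('http');
  http.createServer((req, res) => {
    const out = respond({ method: req.method, url: req.url, headers: req.headers });
    res.writeHead(out.status, out.headers);
    res.end(out.body);
  }).listen(Number(process.env.CORS_DEMO_PORT));
}
```

With the server running, `curl -I -H 'Origin: https://evil.example' http://localhost:8080/private/structure-2.mol` returns no Access-Control-Allow-Origin header at all, while the public route answers `*` to any origin. The Vary: Origin header matters whenever the value is per-origin: without it a shared cache can hand app.example.com's response, Allow-Origin included, to a page from a different origin.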
CORS on the Client
For most HTML5-capable browsers, CORS requests are made with XMLHttpRequest just like any other HTTP request. However, Internet Explorer 8 and 9 require the XDomainRequest object when making CORS requests. Unfortunately, this object is not without its quirks: it supports only GET and POST, sends no cookies or custom headers, and can only request URLs whose scheme matches that of the page.
Fortunately, ChemWriter handles the details to ensure that requests for molfiles can be made to any server using the same simple mechanism - regardless of the browser currently in use.
```html
<html>
  <head>
    <title>Blank Table-Based Grid</title>
    <script src="https://chemwriter.com/sdk/chemwriter.js"></script>
    <link rel="stylesheet" href="https://chemwriter.com/sdk/chemwriter.css">
  </head>
  <body>
    <h1>Ciguatoxin</h1>
    <div style="width: 500px; height: 300px;">
      <!-- the molfile is fetched cross-origin from chemwriter.com via CORS -->
      <div data-chemwriter-ui="image" data-chemwriter-src="http://chemwriter.com/data/structure-1.mol"></div>
    </div>
  </body>
</html>
```
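The browser-side selection the preceding paragraphs describe, as an added example that is not ChemWriter's SDK code: pick XMLHttpRequest when it is CORS-capable, fall back to XDomainRequest on IE8/9 while refusing up front the cases that object cannot handle, then fetch a molfile with whichever was chosen. The `win` parameter is an assumption made so the logic can be exercised outside a browser; in a page it defaults to the real window.

```javascript
// Added example, not ChemWriter's SDK code: choose and drive a CORS request object.
function createCorsRequest(method, url, win) {
  win = win || (typeof window !== 'undefined' ? window : {});
  if (typeof win.XMLHttpRequest !== 'undefined') {
    var xhr = new win.XMLHttpRequest();
    if ('withCredentials' in xhr) {          // CORS-capable XHR (HTML5-era browsers)
      xhr.open(method, url, true);
      return { kind: 'xhr', request: xhr };
    }
  }
  if (typeof win.XDomainRequest !== 'undefined') {
    // IE8/9 fallback. XDomainRequest allows only GET and POST, sends no cookies
    // or custom headers, and refuses a target whose scheme differs from the
    // page's, so detect those cases here instead of failing silently later.
    if (win.location && win.location.protocol &&
        url.indexOf(win.location.protocol + '//') !== 0) {
      return { kind: 'none', reason: 'XDomainRequest requires the same scheme as the page' };
    }
    if (method !== 'GET' && method !== 'POST') {
      return { kind: 'none', reason: 'XDomainRequest supports only GET and POST' };
    }
    var xdr = new win.XDomainRequest();
    xdr.open(method, url);
    return { kind: 'xdr', request: xdr };
  }
  return { kind: 'none', reason: 'no cross-origin request support' };
}

// Fetch a molfile cross-origin; onDone receives the text, onFail an Error.
function fetchMolfile(url, onDone, onFail, win) {
  var r = createCorsRequest('GET', url, win);
  if (r.kind === 'none') { onFail(new Error(r.reason)); return; }
  var req = r.request;
  if (r.kind === 'xhr') {
    req.onreadystatechange = function () {
      if (req.readyState !== 4) return;
      // A response the browser blocked for lack of CORS headers shows up
      // here as status 0, not as a readable error body.
      if (req.status === 200) onDone(req.responseText);
      else onFail(new Error('HTTP status ' + req.status));
    };
  } else {
    req.onload = function () { onDone(req.responseText); };
    req.onerror = function () { onFail(new Error('XDomainRequest failed')); };
    // IE may abort the request when these handlers are left unassigned.
    req.onprogress = function () {};
    req.ontimeout = function () {};
  }
  req.send();
}
```

The scheme check is the one most relevant to the markup above: a page served from https that points data-chemwriter-src at an http URL cannot use XDomainRequest at all, and modern browsers block such mixed-content XHRs as well, so serving the molfiles over https keeps both paths working.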
PubChem, a large public-facing chemical database, has already implemented the Access-Control-Allow-Origin header on its raw chemical data collection.
CORS offers a fundamentally new way for scientific web applications to share data and work together. Although implementation is not without costs on the server and client, the burden is relatively low compared to the potential payoff.