CORS: Practical Examples with Developer Tools

Explore practical examples of understanding CORS using browser developer tools.
By Jamie

Understanding CORS with Browser Developer Tools

Cross-Origin Resource Sharing (CORS) is a security feature implemented in web browsers to prevent malicious sites from accessing resources from another domain without permission. Understanding how CORS works can be greatly enhanced by using browser developer tools. Below are three practical examples illustrating this concept.

Example 1: Inspecting CORS Errors in the Console

Context

When developing web applications that make requests to APIs hosted on different domains, developers often encounter CORS errors. This example demonstrates how to inspect these errors using the browser console.

When a web application on https://example-client.com tries to access an API on https://example-api.com, the browser will check the CORS headers to determine if the request is allowed. If not, it will throw an error.

To see this in action:

  1. Open your browser and navigate to your developer tools (usually F12 or right-click and select ‘Inspect’).
  2. Go to the ‘Console’ tab.
  3. Trigger a CORS request from your web application. This could be a button click that fetches data from the API.
  4. Observe the error message related to CORS.

For example, you might see an error like:

Access to fetch at 'https://example-api.com/data' from origin 'https://example-client.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Notes

  • This error indicates that the API does not allow requests from example-client.com. To fix this, the API server needs to include the appropriate CORS headers in its response.
  • You can also refresh the console to view the timeline of requests and errors, providing a clearer picture of what went wrong.

Example 2: Checking CORS Headers in Network Tab

Context

When debugging CORS issues, it’s crucial to inspect the response headers sent by the API. This example shows how to check these headers using the Network tab in developer tools.

  1. Open your browser and navigate to your developer tools.
  2. Go to the ’Network’ tab and ensure it is recording network activity.
  3. Refresh your web application page or trigger the API request.
  4. Find the network request corresponding to the API call you made. Click on it to view detailed information.
  5. Look for the ‘Response Headers’ section.

You should see headers similar to:

Access-Control-Allow-Origin: https://example-client.com
Access-Control-Allow-Methods: GET, POST
Access-Control-Allow-Headers: Content-Type

Notes

  • If the Access-Control-Allow-Origin header is missing or does not match your domain, the browser will block the request.
  • This method allows you to confirm whether the server is set up correctly to handle CORS requests.

Example 3: Modifying Requests with CORS Proxy

Context

If you encounter persistent CORS issues during development, using a CORS proxy can help. This example demonstrates how to use a simple CORS proxy to bypass these restrictions temporarily for testing purposes.

  1. Find a public CORS proxy, such as https://cors-anywhere.herokuapp.com/.
  2. Modify your API request URL by prepending the proxy URL. For instance, if your original request was:
https://example-api.com/data

Change it to:

https://cors-anywhere.herokuapp.com/https://example-api.com/data
  1. Trigger the modified request in your application.
  2. Use the ’Network’ tab in developer tools to inspect the request and response headers as before.

Notes

  • This method is intended solely for development and testing. Relying on a public CORS proxy in production is not recommended due to security and performance concerns.
  • Ensure that the proxy server you use is trustworthy to avoid exposing your data to potential security risks.

By leveraging browser developer tools, these examples illustrate how to effectively understand and troubleshoot CORS issues in your web applications.