Dappy specifications

Cross-origin resource sharing (CORS)

Last updated 3 years ago

CORS works with HTTP headers sent by servers at the top-level navigation. It is poorly understood by developers and often badly implemented. A browser may block requests going to a.com if they are initiated by b.com or any origin not whitelisted by the Access-Control-Allow-Origin header.

Dappy browser sets an Origin header on each request coming from a tab, so the server can easily know which website the client was visiting when the request was sent. Restricted actions that require authentication must be authorized through cookies, headers or the body of the request itself. The server does not need CORS for any of these 3 checks.
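
The server-side checks described above, as an added example that is not part of the Dappy specification or code base: the request is judged on its Origin header and on a session cookie, and no CORS header is involved. The origin `https://app.example`, the cookie name `session`, the session table and the choice to treat every non-GET/HEAD/OPTIONS method as a restricted action are assumptions made for the illustration.

```javascript
// Added example: authorizing a request without relying on CORS.
// Trusted origins, cookie name and session table are constructed placeholders.
const TRUSTED_ORIGINS = new Set(["https://app.example"]);
const SESSIONS = new Map([["s3ss10n-constructed", { user: "alice" }]]);
// Assumption: only state-changing methods count as "restricted actions".
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Parse a Cookie header ("a=1; b=2") into a Map of name -> value.
function parseCookies(header = "") {
  const jar = new Map();
  for (const part of header.split(";")) {
    const i = part.indexOf("=");
    if (i > 0) jar.set(part.slice(0, i).trim(), part.slice(i + 1).trim());
  }
  return jar;
}

// Normalise an Origin header to scheme://host[:port].
// Returns null when the header is absent, the literal "null", or malformed.
function normaliseOrigin(value) {
  if (!value || value === "null") return null;
  try {
    const origin = new URL(value).origin; // lower-cases host, drops default port
    return origin === "null" ? null : origin;
  } catch {
    return null;
  }
}

// Decide on a request given { method, headers } (lower-case header names).
function authorize({ method, headers }) {
  if (SAFE_METHODS.has(method)) return { status: 200, reason: "safe method" };
  // Check 1: which site was the client visiting when it sent the request?
  const origin = normaliseOrigin(headers.origin);
  if (!origin || !TRUSTED_ORIGINS.has(origin)) {
    return { status: 403, reason: "untrusted origin" };
  }
  // Check 2: the Origin header alone proves nothing about the user, so the
  // restricted action still needs a credential (here, a session cookie).
  const session = SESSIONS.get(parseCookies(headers.cookie).get("session"));
  if (!session) return { status: 401, reason: "no valid session" };
  return { status: 200, reason: "ok", user: session.user };
}
```

The Origin comparison is done on the parsed, normalised value and by exact match, so a look-alike such as `https://app.example.evil.test` or a missing or `null` origin is rejected.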

Due to the very strong policy on the and at the name system level, we think that this feature does not need to be supported. Headers related to CORS are ignored by the browser.

If you think this is a mistake or have comments, please reach out to us on Discord or by email.

See

name system
Content Security Policy
discord
Mozilla's documentation on CORS