# Guide to Dealing with CORS 
- badges: true
- toc: true
- comments: true


## What is CORS?
- Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any origins (domain, scheme, or port) other than its own from which a browser should permit loading resources.
- Its essentially a security feature

How it goes down:
1. The browser(frontend) sends the GET request with an extra Origin HTTP header to service.example.com (deployed backend) containing the domain that served the parent page <br>
`Origin: http://www.example.com` // frontend url
2. The server at service.example.com sends one of these responses:
<br>
`Access-Control-Allow-Origin: http://www.example.com` //backend allows the frontend url to access its contents <br>
`Access-Control-Allow-Origin: *` //backend allows any site to access its contents

## Issues with CORS
- When trying to start a local server and test your frontend and backend connection, cors is often something that gets in the way.
- Unfortunately this error can prevent any sort of backend connection without proper code. Usually this error will appear when a header for cors is not specified or your backend url is not permitted by cors

![error](https://github.com/vivianknee/FastPages/blob/master/images/error.jpg?raw=true)

I'm sure you've seen it... 
So here's a method to bypass CORS locally. Eventually, when both your frontend and backend are deployed, it's good practice to have CORS implemented since your site could have some security risk if you simply bypass it. 
In this blog I've provided two methods to get around cors.
1. Local method with google extension
2. Access-Control-Allow-Origin

## Solutions

### Bypassing Cors Locally with an Extensions
- Its very handy to be able to bypass cors locally because it makes testing and debugging a lot faster.
#### Setup local backend
> How to bypass CORS with a local backend and frontend running

1. Have your backend and frontend servers running locally. 
2. Get the url of your backend server. In this case: Python Flask

![url](https://github.com/vivianknee/FastPages/blob/master/images/url.png?raw=true)



#### Setup frontend fetch
- Use the url from the step above to write a 'fetch' statement (doesn't have to be like whats written below) to reference the local url and your api
- note: this extension works both for when the frontend is deployed and when it is running locally

In [None]:
fetch('http://127.0.0.1:8080/api/yourapi/').then(function(response) { 
    return response.json();
  });

#### Download Extension
- Good for quick testing purposes
- Download this Google chrome extension: <a href="https://chrome.google.com/webstore/detail/allow-cors-access-control/lhobafahddgcelffkeicbaginigeejlf?hl=en">Allow CORS: Access-Control-Allow-origin</a>
- Toggle the extension so that its ON
![url](https://github.com/vivianknee/FastPages/blob/master/images/cors.jpg?raw=true)


Now try interacting with your frontend site, and the fetch will work

### Access-Control-Allow-Origin response header
- Another method we have done in the past is adding a 'Access-Control-Allow-Origin' header on the requested resource
- The Access-Control-Allow-Origin header is included in the response(response comes from backend) from site B to a request(fetch from frontend) site A, and identifies the permitted origin of the request. A web browser compares the Access-Control-Allow-Origin with the requesting website's origin and permits access to the response if they match.
![sites](https://github.com/vivianknee/FastPages/blob/master/images/sites.jpg?raw=true)
A better model:
![system](https://github.com/vivianknee/FastPages/blob/master/images/system.jpg?raw=true)

This is a code segment that maintains cors security and only allows the frontend site to fetch from a specific url, which in our case would be the backend deployed server.

In [None]:
fetch('http://example.com/api/data', {
  method: 'GET',
  headers: {
    'Content-Type': 'application/json',
    'Access-Control-Allow-Origin': '*'
  }
})
.then(response => response.json())
.then(data => console.log(data))
.catch(error => console.error(error));

- the '*' means that the backend url can be accessed with any request from any site through cors. If you only wanted the backend site to be accessed by the frontend, you would replace the asterisk with your site url.

Here's another way. We used this method in trimester 1.

In [None]:
const url = "backendurl.com";

  // prepare fetch GET options
  const options = {
    method: 'GET', // *GET, POST, PUT, DELETE, etc.
    mode: 'cors', // no-cors, *cors, same-origin
    cache: 'default', // *default, no-cache, reload, force-cache, only-if-cached
    credentials: 'omit', // include, *same-origin, omit
    headers: {
      'Content-Type': 'application/json'
      // 'Content-Type': 'application/x-www-form-urlencoded',
    },
  };
  // prepare fetch PUT options, clones with JS Spread Operator (...)
  const put_options = {...options, method: 'PUT'};

## CORS but for deployed backend
- The Access Control Allow Origin header is actually automatically implemented when you setup your backend server on AWS. When you set up the nginx configuration files, you'll notice:
![aws](https://github.com/vivianknee/FastPages/blob/master/images/aws.jpg?raw=true)
As you can see the same exact line **'Access-Control-Allow-Origin': '*'** is present in the nginx files in sites-available and sites-enabled
- because of this, your frontend server doesn't need any code to bypass cors because its already implemented on the server side. The extension mentioned previously is also no longer needed