# Guide to Dealing with CORS 
- badges: true
- toc: true
- comments: true


## What is CORS?
- Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any origins (domain, scheme, or port) other than its own from which a browser should permit loading resources.
- Its essentially a security feature
- But unfortunately CORS is very annoying and this error can prevent any sort of backend connection

![error](https://github.com/vivianknee/FastPages/blob/master/images/error.jpg?raw=true)

I'm sure you've seen it... 
So heres a method to bypass CORS locally. Eventually, when both your frontend and backend are deployed, it's good practice to have CORS implemented since your site could have some security risk if you simply bypass it. However, for local testing, this is a great tool to speed up testing, debugging, etc.

## Setup local backend
> How to bypass CORS with a local backend and frontend running

1. Have your backend and frontend servers running locally. 
2. Get the url of your backend server. In this case: Python Flask

![url](https://github.com/vivianknee/FastPages/blob/master/images/url.png?raw=true)



## Setup frontend fetch
- Use the url from the step above to write a 'fetch' statement (doesn't have to be like whats written below) to reference the local url and your api

In [None]:
fetch('http://127.0.0.1:8080/api/yourapi/').then(function(response) { 
    return response.json();
  });

## Bypassing CORS locally 
- Good for quick testing purposes
- Download this Google chrome extension: <a href="https://chrome.google.com/webstore/detail/allow-cors-access-control/lhobafahddgcelffkeicbaginigeejlf?hl=en">Allow CORS: Access-Control-Allow-origin</a>
- Toggle the extension so that its ON
![url](https://github.com/vivianknee/FastPages/blob/master/images/cors.jpg?raw=true)


Now try interacting with your frontend site, and the fetch will work



What is the Access-Control-Allow-Origin response header?
- Another method we have done in the past is adding a 'Access-Control-Allow-Origin' header on the requested resource
- The Access-Control-Allow-Origin header is included in the response(response comes from backend) from site B to a request(fetch from frontend) site A, and identifies the permitted origin of the request. A web browser compares the Access-Control-Allow-Origin with the requesting website's origin and permits access to the response if they match.
![sites](https://github.com/vivianknee/FastPages/blob/master/images/sites.jpg?raw=true)
A better model:
![system](https://github.com/vivianknee/FastPages/blob/master/images/system.jpg?raw=true)

In [None]:
const url = "backendurl.com";

  // prepare fetch GET options
  const options = {
    method: 'GET', // *GET, POST, PUT, DELETE, etc.
    mode: 'cors', // no-cors, *cors, same-origin
    cache: 'default', // *default, no-cache, reload, force-cache, only-if-cached
    credentials: 'omit', // include, *same-origin, omit
    headers: {
      'Content-Type': 'application/json'
      // 'Content-Type': 'application/x-www-form-urlencoded',
    },
  };
  // prepare fetch PUT options, clones with JS Spread Operator (...)
  const put_options = {...options, method: 'PUT'};

## CORS but deployed backend
