CORS and HTTPS and Cookie

Cross-Origin Resource Sharing (CORS) is a mechanism that uses additional HTTP headers to tell browsers to give a web application running at one origin, access to selected resources from a different origin. A web application executes a cross-origin HTTP request when it requests a resource that has a different origin (domain, protocol, or port) from its own.
HTTPS Mixed Content There are two categories for mixed content: mixed passive/display content and mixed active content. The difference lies in the threat level of the worst case scenario if content is rewritten as part of a man-in-the-middle attack. In the case of passive content, the threat is lower (the page may contain misleading content, or the user's cookies may be stolen). In the case of active content, the threat can lead to phishing, sensitive data disclosure, redirection to malicious sites, etc.
Cookie SameSite attribute It takes three possible values: Strict, Lax, and None. With Strict, the cookie is sent only to the same site as the one that originated it; Lax is similar, except that cookies are sent when the user navigates to the cookie's origin site, for example, by following a link from an external site; None specifies that cookies are sent on both originating and cross-site requests, but only in secure contexts (i.e. if SameSite=None then the Secure attribute must also be set). If no SameSite attribute is set then the cookie is treated as Lax.


  1. Cross-origin writes are typically allowed. Examples are links, redirects, and form submissions. Some HTTP requests require preflight. 大概是指像服务器端发送请求
  2. Cross-origin embedding is typically allowed. (Examples are listed below.) 就是图片,iframe 啥的嵌入的
  3. Cross-origin reads are typically disallowed, but read access is often leaked by embedding. For example, you can read the dimensions of an embedded image, the actions of an embedded script, or the availability of an embedded resource. 大概是指读取服务器端的 response (tips: 不管同源还是跨域 其实都是读取不到 response 的 set-cookie 或者 set-cookie2 两个header的,跨域还需要 expose header ┑( ̄Д  ̄)┍ )

HTMLElement Cross-origin embedding is typically allowed

Here are some examples of resources which may be embedded cross-origin:

  • JavaScript with <script src="…"></script>. Error details for syntax errors are only available for same-origin scripts.
  • CSS applied with <link rel="stylesheet" href="…">. Due to the relaxed syntax rules of CSS, cross-origin CSS requires a correct Content-Type header. Restrictions vary by browser: Internet Explorer, Firefox, Chrome, Safari (scroll down to CVE-2010-0051) and Opera.
  • Images displayed by <img>.
  • Media played by <video> and <audio>.
  • External resources embedded with <object> and <embed>.
  • Fonts applied with @font-face. Some browsers allow cross-origin fonts, others require same-origin.
  • Anything embedded by <iframe>. Sites can use the X-Frame-Options header to prevent cross-origin framing.

HTML atrribute: crossorigin

The crossorigin attribute, valid on the <audio>, <img>, <link>, <script>, and <video> elements, provides support for CORS, defining how the element handles crossorigin requests, thereby enabling the configuration of the CORS requests for the element's fetched data. Depending on the element, the attribute can be a CORS settings attribute.

The crossorigin content attribute on media elements is a CORS settings attribute.

These attributes are enumerated, and have the following possible values:

anonymousCORS requests for this element will have the credentials flag set to 'same-origin'.
use-credentialsCORS requests for this element will have the credentials flag set to 'include'.
""Setting the attribute name to an empty value, like crossorigin or crossorigin="", and any other value besides use-credentials is the same as anonymous.

Mixed content

locally-delivered mixed resources

Browsers may allow locally-delivered mixed resources to be loaded. This includes file: URLs and content accessed from loopback addresses (e.g.

Firefox 55 and later allow loading of mixed content on the loopback address (see bug 903966), Firefox 84 and later allow loading of mixed content on http://localhost/ and http://*.localhost/ URLs, as these are now mapped to loopback addresses (see bug 1220810). Chrome also allows mixed content on and http://localhost/. Safari does not allow any mixed content.

Upgrading mixed-display resources

Browsers may support automatic upgrade of requests for display/media content from HTTP to HTTPS on secure pages (this prevents mixed-content conditions in which some content is loaded securely while other content is insecure).


A page can set a cookie for its own domain or any parent domain, as long as the parent domain is not a public suffix. When you set a cookie, you can limit its availability using the Domain, Path, Secure, and HttpOnly flags. When you read a cookie, you cannot see from where it was set. Even if you use only secure https connections, any cookie you see may have been set using an insecure connection.