What is CORS?

CORS (Cross-Origin Resource Sharing) is an opt-in protocol for browsers and web servers that permits resources to be requested from domains outside the one from which the first resource was served. For example, a script on jsfiddle.net may need to make a request to FireDaemon Fusion on a local server.

CORS support allows the FireDaemon Fusion API to be easily embedded in your application. Check out our Fiddle to see how the API works.

CORS exists to prevent CSRF (Cross-Site Request Forgery), in which a script steals or modifies data belonging to another domain; for example, a script on jsfiddle.net performing a bank transaction on your behalf.

CORS in FireDaemon Fusion

CORS is used only for the /auth and /api endpoints. CORS requests do not access webpage resources or static FireDaemon Fusion assets.

When accessing a remote FireDaemon Fusion node, the CORS preflight check is performed on the 'local' node.

By default, CORS support is disabled in FireDaemon Fusion. To enable it, check the CORS checkbox in the FireDaemon Fusion Settings page. CORS support cannot be enabled if SSL is disabled.

CSRF Protection

CSRF detection relies on the Origin header present at login time and the Origin header present on a later request: a request’s origin is checked against the origin captured at login. This check relies on the browser sending the Origin header for ajax/POST requests.

If CORS is disabled (as it is by default), the session cookie is restricted to the same site [SameSite=lax] and is inaccessible to scripts [HttpOnly].

The effect of CSRF detection is that a script cannot interfere with a currently open session by logging out or performing a fresh login, and therefore cannot fetch any data.
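The following is an added example, not FireDaemon Fusion's own code: a minimal in-memory model of the origin check described above. The session store, the `fusion_session` cookie name and the use of `X-Requested-With` to recognise ajax requests are assumptions made for the illustration; how Fusion itself detects ajax requests is not stated on this page.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    user: str
    origin: Optional[str]   # Origin header captured at login (None if absent)


# In-memory session store keyed by the session-cookie value (constructed for the example).
sessions: dict[str, Session] = {}


def session_cookie(session_id: str) -> str:
    """Set-Cookie value while CORS is disabled: script-inaccessible and same-site only."""
    return f"fusion_session={session_id}; HttpOnly; SameSite=Lax"


def csrf_check(session_id: str, method: str, headers: dict) -> tuple[bool, str]:
    """Compare a request's Origin with the origin captured at login.
    Only POST/ajax requests reliably carry Origin, so only those are checked."""
    s = sessions.get(session_id)
    if s is None:
        return False, "no open session"
    is_ajax = headers.get("X-Requested-With") == "XMLHttpRequest"  # assumed ajax marker
    if method.upper() != "POST" and not is_ajax:
        return True, "plain GET: no Origin expected, no check"
    origin = headers.get("Origin")
    if origin is None:
        return False, "POST/ajax request without Origin header"
    if origin != s.origin:
        return False, f"origin mismatch: {origin} != {s.origin}"
    return True, "origin matches login origin"


def login(session_id: str, user: str, headers: dict) -> tuple[bool, str]:
    """Open a session and capture the login Origin. A fresh login on an already
    open session is treated like any other POST and must pass the origin check."""
    if session_id in sessions:
        ok, why = csrf_check(session_id, "POST", headers)
        if not ok:
            return False, why
    sessions[session_id] = Session(user=user, origin=headers.get("Origin"))
    return True, "session opened"


def logout(session_id: str, headers: dict) -> tuple[bool, str]:
    """Close a session only when the request passes the same origin check."""
    ok, why = csrf_check(session_id, "POST", headers)
    if ok:
        del sessions[session_id]
    return ok, why
```

A session opened from jsfiddle.net (with CORS enabled) captures that origin, so later requests from the same fiddle pass the check while a script on another origin cannot log the session out or replace it.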

Browser Caveats

There are some browser caveats on the use of CORS. You must configure your browser to allow third-party cookies. Chrome and Firefox usually do this by default.

Self-signed certificates sometimes do not work well in Internet Explorer 11 and Firefox because the browser blocks the network requests. We recommend using a certificate that is not self-signed if you use CORS with Internet Explorer or Firefox.

Internet Explorer 11 can support third-party cookies through the following settings:

  1. Go to Internet Options > Privacy > Advanced.
  2. Select Accept for third-party cookies.
  3. Select the Always allow session cookies checkbox.

Alternate Internet Explorer configurations are:

  • Navigate to Internet Options > Privacy > Sites and then allow the FireDaemon Fusion domain to store cookies.
  • Navigate to Internet Options > Security > Local Intranet and then add both FireDaemon Fusion and cross domains where prompted.

Future versions of Internet Explorer and Firefox are expected to fix this issue.