What is CORS?
CORS (Cross-Origin Resource Sharing) is an opt-in protocol for browsers and web servers that permits resources to be requested from a domain other than the one from which the first resource was served. For example, a script on jsfiddle.net may need to make a request to FireDaemon Fusion on a local server.
CORS exists to prevent CSRF (Cross-Site Request Forgery), where a script can steal or modify data from another domain. For example, a script on jsfiddle.net performing a bank transaction.
CORS in FireDaemon Fusion
CORS is used only for the /api endpoints. CORS requests do not access webpage resources or static FireDaemon Fusion assets.
When accessing a remote FireDaemon Fusion node, the CORS preflight check is performed on the 'local' node.
By default, CORS support is disabled in FireDaemon Fusion. To enable it, check the CORS checkbox in the FireDaemon Fusion Settings page. CORS support cannot be enabled if SSL / TLS is disabled.
CSRF detection compares the Origin header captured at login time with the Origin header present on each subsequent request: a request's origin is checked against the previously captured origin. This check relies on the browser sending the Origin header for Ajax/POST requests.
If CORS is disabled (as it is by default), the session-cookie is restricted to the 'same site' [SameSite=lax]. The session-cookie is inaccessible to scripts when the session is not encrypted. When CORS is enabled, the session-cookie is unrestricted [SameSite=none].
The effect of CSRF detection is that a script cannot interfere with a currently open session by logging out or performing a fresh login, and therefore cannot fetch any data.
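As an added example (not FireDaemon Fusion's own code), the following Python models the behaviour described above: the Origin captured at login and compared on later requests, the SameSite attribute that follows from the CORS switch, the TLS precondition for enabling CORS, and the /api-only scope of preflights. The class and method names, the HttpOnly attribute and the fail-closed handling of a request with no Origin header are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Session:
    origin: Optional[str]  # Origin header captured at login time


@dataclass
class FusionNode:
    """Toy model of one FireDaemon Fusion node (assumed structure, not the real code)."""
    tls_enabled: bool = True
    cors_enabled: bool = False  # disabled by default, as on the Settings page
    sessions: Dict[str, Session] = field(default_factory=dict)

    def enable_cors(self) -> bool:
        """CORS can only be switched on while SSL / TLS is enabled."""
        if not self.tls_enabled:
            return False
        self.cors_enabled = True
        return True

    def session_cookie_attributes(self) -> str:
        """SameSite=Lax while CORS is off; SameSite=None (which requires Secure) once it is on."""
        attrs = ["HttpOnly"]  # assumption: the cookie is always kept away from scripts
        if self.cors_enabled:
            attrs += ["SameSite=None", "Secure"]
        else:
            attrs.append("SameSite=Lax")
        return "; ".join(attrs)

    def preflight_allowed(self, path: str) -> bool:
        """CORS preflights are honoured only for the /api endpoints, and only when CORS is on."""
        return self.cors_enabled and path.startswith("/api")

    def login(self, session_id: str, headers: Dict[str, str]) -> None:
        """Capture the Origin header presented at login for later comparison."""
        self.sessions[session_id] = Session(origin=headers.get("Origin"))

    def csrf_check(self, session_id: str, headers: Dict[str, str]) -> bool:
        """True when the request's Origin matches the one captured at login.
        A missing Origin on an Ajax/POST request cannot be verified, so it fails (assumption)."""
        session = self.sessions.get(session_id)
        origin = headers.get("Origin")
        if session is None or origin is None:
            return False
        return origin == session.origin
```

The origins used below (fusion.example.local and the page's jsfiddle.net) are constructed sample values.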
There are some browser caveats on the use of CORS. Specifically:
- You must configure your browser to allow third-party cookies - these are typically accepted by default
- Self-signed SSL / TLS certificates are not supported. Hence you will need to install a properly signed SSL / TLS certificate into FireDaemon Fusion, where the certificate is signed by a reputable certificate authority (CA) or your own internal CA
- Your browser must support [SameSite=none] properly.