If you want to store content on a different origin than the player that requests it, there is a solution: CORS. In the context of [XMLHttpRequests](🔗), it defines a set of headers through which the browser and the server negotiate which cross-origin requests are allowed and which are prohibited. It is a [W3C](🔗) Recommendation. In practice, for a simple CORS request, the server only needs to add one header to its response, `Access-Control-Allow-Origin`, set either to the origin of the player page or to `*` if the content is meant to be publicly readable from any origin.
Note that `*` is only accepted by browsers for requests without credentials; if the request carries cookies or HTTP authentication, the server has to echo the exact requesting origin and additionally send `Access-Control-Allow-Credentials: true`. For other configurations (GET/POST, custom headers, authentication and so on) and server-specific examples, we refer to enable-cors.org.
Nice to know: CORS (Cross-Origin Resource Sharing) is a controlled relaxation of the so-called Same-Origin Policy, a basic security concept of the web. Under that policy, a browser lets a script contained in one web page read data from another web page only if both pages have the same origin, i.e. the same scheme, hostname and port. If a page on <http://player.example> requests data from <http://content.example>, the browser does send the request, but it refuses to let the script read the response. This prevents data from leaking to a third-party server: without the policy, a script could read, use and forward data hosted on any site the user is logged in to, and such cross-domain activity could abuse the user's cookies and authentication data. This security mechanism is therefore definitely needed, and CORS is the way to open it up selectively for origins you trust.
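As an added illustration (not code from the original page or from the player project it describes), the following Node.js script models both the same-origin comparison from this paragraph and the CORS header exchange from the first paragraph: the content server decides which `Access-Control-Allow-Origin` header to send for a given `Origin` request header, and the browser decides whether to expose the response to the player's script. The hostnames, the allow list and all function names are assumptions chosen for the example.

```javascript
// Added example, not code from the original page: a minimal model of the
// same-origin check and of the CORS header negotiation between a player
// page and a content server. Hostnames, allow list and function names
// are assumptions chosen for illustration.

// Player origins the content server is willing to serve (assumed list).
const ALLOWED_ORIGINS = new Set([
  "http://player.example",
  "https://player.example",
]);

// Same-origin check: scheme, host and port must all match. The WHATWG URL
// parser normalises default ports, so http://a.example:80/x and
// http://a.example/y have the same origin.
function sameOrigin(urlA, urlB) {
  return new URL(urlA).origin === new URL(urlB).origin;
}

// Content server side: choose the CORS headers for a response, given the
// Origin header the browser sent with the request. Returns an empty object
// when the origin is not allowed; the browser then keeps the response
// opaque to the player's script.
function corsResponseHeaders(requestOrigin, options = {}) {
  const { allowAnyOrigin = false, allowCredentials = false } = options;

  // Public content without credentials: a wildcard is enough.
  if (allowAnyOrigin && !allowCredentials) {
    return { "Access-Control-Allow-Origin": "*" };
  }

  // A wildcard cannot be combined with credentials, so in every other
  // case we fall back to the allow list and echo the exact origin.
  if (!requestOrigin || !ALLOWED_ORIGINS.has(requestOrigin)) {
    return {};
  }

  const headers = {
    "Access-Control-Allow-Origin": requestOrigin,
    // The response now depends on the Origin header; tell caches so that
    // one player's allowed response is not replayed to another origin.
    "Vary": "Origin",
  };
  if (allowCredentials) {
    // Cookies / HTTP auth responses are only exposed to script with this
    // header, and browsers never accept "*" together with it.
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers;
}

// Browser side: the check applied to a cross-origin response before its
// body is exposed to the requesting page's script.
function browserAllowsRead(pageOrigin, responseHeaders, withCredentials = false) {
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  if (acao === undefined) return false;      // no CORS header: stays opaque
  if (acao === "*") return !withCredentials; // wildcard rejected with credentials
  if (acao !== pageOrigin) return false;     // must equal the page's origin exactly
  if (withCredentials) {
    return responseHeaders["Access-Control-Allow-Credentials"] === "true";
  }
  return true;
}

// End to end: may a script on pageUrl read resourceUrl?
function canPlayerRead(pageUrl, resourceUrl, serverOptions = {}, withCredentials = false) {
  if (sameOrigin(pageUrl, resourceUrl)) return true; // same origin: CORS not involved
  const pageOrigin = new URL(pageUrl).origin;
  const headers = corsResponseHeaders(pageOrigin, serverOptions); // server's reply
  return browserAllowsRead(pageOrigin, headers, withCredentials); // browser's verdict
}

if (typeof require !== "undefined" && require.main === module) {
  const player = "http://player.example/index.html";
  const video = "http://content.example/video.mp4";
  console.log(canPlayerRead(player, video));                                 // true
  console.log(canPlayerRead("http://evil.example/", video));                 // false
  console.log(canPlayerRead(player, video, { allowAnyOrigin: true }, true)); // false
}
```

The model covers only simple GET requests; a real browser additionally sends an `OPTIONS` preflight for requests with custom headers or non-simple methods, which the server answers with the same family of headers. The two behaviours worth remembering from the script are that `*` is silently rejected once credentials are involved, and that a server which echoes the origin must send `Vary: Origin` so shared caches do not hand one origin's response to another.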