This HTML5 document contains 46 embedded RDF statements represented using HTML+Microdata notation.

The embedded RDF content will be recognized by any processor of HTML5 Microdata.

PrefixNamespace IRI
n26http://code.google.com/p/html5security/wiki/
dctermshttp://purl.org/dc/terms/
n14http://download.openlinksw.com/virtwiz/
atomhttp://atomowl.org/ontologies/atomrdf#
foafhttp://xmlns.com/foaf/0.1/
n27https://wiki.mozilla.org/Security/
n4http://vos.openlinksw.com/dataspace/services/wiki/
oplhttp://www.openlinksw.com/schema/attribution#
n2http://vos.openlinksw.com/dataspace/owiki/wiki/VOS/
n13http://vos.openlinksw.com:80/wiki/main/VOS/VirtTipsAndTricksGuideCORSSetup/oc5.
dchttp://purl.org/dc/elements/1.1/
n8http://vos.openlinksw.com/dataspace/dav#
rdfshttp://www.w3.org/2000/01/rdf-schema#
n20http://docs.openlinksw.com/virtuoso/fn_http_header.
n3http://rdfs.org/sioc/services#
n17http://vos.openlinksw.com:80/wiki/main/VOS/VirtTipsAndTricksGuideCORSSetup/oc4.
n25http://vos.openlinksw.com/dataspace/person/dav#
siocthttp://rdfs.org/sioc/types#
n16http://demo.openlinksw.
n15http://vos.openlinksw.com:80/wiki/main/VOS/VirtTipsAndTricksGuideCORSSetup/oc3.
n18http://docs.openlinksw.com/virtuoso/fn_http_request_header.
n9http://vos.openlinksw.com/dataspace/owiki/wiki/
n28http://arunranga.com/examples/access-control/
n21http://vos.openlinksw.com:80/wiki/main/VOS/VirtTipsAndTricksGuideCORSSetup/oc2.
rdfhttp://www.w3.org/1999/02/22-rdf-syntax-ns#
n29http://demo.openlinksw.com/
n7http://vos.openlinksw.com/dataspace/owiki#
n19http://vos.openlinksw.com:80/wiki/main/VOS/VirtTipsAndTricksGuideCORSSetup/oc1.
n31http://vos.openlinksw.com/dataspace/owiki/wiki/VOS/VirtTipsAndTricksGuideCORSSetup/sioc.
xsdhhttp://www.w3.org/2001/XMLSchema#
n23http://www.nczonline.net/blog/2010/05/25/cross-domain-ajax-with-cross-origin-resource-sharing/
n12http://www.w3.org/TR/cors/
n33http://vos.openlinksw.com/dataspace/person/owiki#
siochttp://rdfs.org/sioc/ns#
Subject Item
n25:this
foaf:made
n2:VirtTipsAndTricksGuideCORSSetup
Subject Item
n8:this
sioc:creator_of
n2:VirtTipsAndTricksGuideCORSSetup
Subject Item
n4:item
n3:services_of
n2:VirtTipsAndTricksGuideCORSSetup
Subject Item
n7:this
sioc:creator_of
n2:VirtTipsAndTricksGuideCORSSetup
Subject Item
n9:VOS
sioc:container_of
n2:VirtTipsAndTricksGuideCORSSetup
atom:entry
n2:VirtTipsAndTricksGuideCORSSetup
atom:contains
n2:VirtTipsAndTricksGuideCORSSetup
Subject Item
n2:VirtTipsAndTricksGuideCORSSetup
rdf:type
sioct:Comment atom:Entry
dcterms:created
2017-06-13T05:41:46.101215
dcterms:modified
2018-10-22T10:08:16.700849
rdfs:label
VirtTipsAndTricksGuideCORSSetup
foaf:maker
n25:this n33:this
dc:title
VirtTipsAndTricksGuideCORSSetup
opl:isDescribedUsing
n31:rdf
sioc:has_creator
n7:this n8:this
sioc:attachment
n13:png n15:png n17:png n19:png n21:png
sioc:content
%META:TOPICPARENT{name="VirtTipsAndTricksGuide"}% ---+ Setting up server-side Cross-Origin Resource Sharing (CORS) with Virtuoso User agents (e.g., Web browsers) have traditionally restricted scripts within web pages by a Same Origin Policy, which allowed scripts to make requests only to resources within the same domain from which the scripts themselves originated. This restriction is meant to protect the user and their computer from "Trojan horse websites" which may appear to be safe, but which then make unsafe HTTP requests to other, invisible sites. This restriction also protects the second website from potential "Denial of Service" and other attacks, whether accidental or intentional. This policy has the unfortunate side-effect of also preventing client-side Web applications served from one website ("Origin") from retrieving data from another website ("Origin"). [[http://www.w3.org/TR/cors/][Cross-Origin Resource Sharing (CORS)]] is a mechanism intended to enable safer client-side cross-origin requests, primarily focused on data. %TOC% ---++How does CORS work? Authentication and session-management information methods are extended in several ways. * Enforcement by User Agent * A server providing a resource can include an <b><code>Access-Control-Allow-Origin</code></b> HTTP response header, with a value of <i>the request's triggering script's site of origin</i> (that is, the site which provided the script which made the request for the resource), to indicate whether access to the resource's contents may be allowed. The user agent validates that the value in this header matches the actual origin of the script which made the request. * User agents can use a "pre-flight request" to discover whether a cross-origin resource is prepared to accept requests from a given script origin, using a complex method (which we will not detail here). Again, the response is validated by the user agent. * Enforcement by Server-side Application * Server-side applications can refer to the <b><code>Origin</code></b> HTTP request header to discover whether the user agent deemed it a cross-origin request. Here, the server-side application enforces limitations (e.g., returning nothing, partial results, or full results) on the cross-origin requests that they are willing to service at all. ---++ CORS Setup for Virtuoso servers With Virtuoso 6 and later (specific earliest versions as noted below), CORS support may be configured at the server-level or enabled through application logic (scripting, PL, etc.). When working with older versions of Virtuoso, CORS support <i>cannot</i> be configured at the server-level, but it <i>may</i> be enabled within application logic (scripting, PL, etc.). ---+++ Server-level CORS Setup (for recent Virtuoso versions) <i><b>Note:</b> These instance/server-level configuration instructions require [[VOSNews][Virtuoso Open Source (VOS) 6.1.3 or later]], or [[http://download.openlinksw.com/virtwiz/][Virtuoso Commercial Edition 6.2.3129 or later]].</i> 1 In the Virtuoso Conductor, go to <b>Web Application Server</b> -> <b>Virtual Directories & Directories</b>. %BR%%BR%<img src="%ATTACHURLPATH%/oc1.png" style="wikiautogen"/>%BR%%BR% 1 Expand the default <b>Interface</b> store. %BR%%BR%<img src="%ATTACHURLPATH%/oc2.png" style="wikiautogen"/>%BR%%BR% 1 Click <b>New Directory</b>. 1 Specify the desired <b>Virtual Directory Type</b>, or choose an existing virtual directory to use as a template. %BR%%BR%<img src="%ATTACHURLPATH%/oc3.png" style="wikiautogen"/>%BR%%BR% 1 Click <b>Next</b>. 1 Specify the <b>Directory Path</b> value. %BR%%BR%<img src="%ATTACHURLPATH%/oc4.png" style="wikiautogen"/>%BR%%BR% 1 Set the <b>CORS options</b>. %BR%%BR%<img src="%ATTACHURLPATH%/oc5.png" style="wikiautogen"/>%BR%%BR% * <b>Cross-Origin Resource Sharing</b>: Contains a single wildcard asterisk, i.e., "<b><code><nowiki>*</nowiki></code></b>", or a space-delimited list of HTTP server URIs, e.g., "<b><code><nowiki>http://example.com:8080 http://blah.example.com http://foo.example.com</nowiki></code></b>". Scripts originating on the listed HTTP servers are authorized to retrieve the specified resource(s); the wildcard means scripts from <i>any</i> HTTP server will be authorized. For this example, enter the following single URI: <verbatim> http://demo.openlinksw.com </verbatim> * <b>Reject Unintended CORS</b> check-box: When ticked (and the application does not overwrite headers), unmatched Origins will be rejected by sending an empty response. For this example, tick this box. 1 Click <b>Save changes</b>. ---+++ Application-level CORS Setup (for any Virtuoso version) Any Virtuoso PL (VSP)-based application can implement CORS checking through well-known HTTP functions <code>[[http://docs.openlinksw.com/virtuoso/fn_http_request_header.html][http_request_header()]]</code> and <code>[[http://docs.openlinksw.com/virtuoso/fn_http_header.html][http_header()]]</code>. This method will work with any version of Virtuoso. For instance -- <verbatim> <?vsp IF (http_request_header (lines, 'Origin', NULL) = 'http://host.org') { http_header ('Access-Control-Allow-Origin: http://host.org\r\n'); } ELSE { RETURN; } -- Additional code here --- ?> </verbatim> Applications running in other hosted environments (Perl, Python, PHP, ASP.NET, etc.) may also use their specific scripting options to add and/or check relevent headers. ---++ Example Usage with cURL ---+++ cURL Example 1 1 Suppose the example setup above is performed, and <code>http://demo.openlinksw.com/ </code> is in the CORS list. 1 In this case, the request below will return an empty response: <verbatim> $ curl -i http://demo.openlinksw.com/mytest/test.vsp HTTP/1.1 200 OK Server: Virtuoso/06.02.3129 (Win32) i686-generic-win-32 VDB Connection: Keep-Alive Content-Type: text/html; charset=ISO-8859-1 Date: Thu, 28 Oct 2010 09:27:54 GMT Accept-Ranges: bytes Content-Length: 0 </verbatim> ---+++ cURL Example 2 1 Suppose the example setup above is performed, and <code>http://demo.openlinksw.com/ </code> is in the CORS list. 1 Also, suppose the curl command includes a proper Origin value, e.g., <code>-H "Origin: http://demo.openlinksw.com"</code>. 1 In this case, the request below will return a response including the retrieved content, etc. <verbatim> $ curl -i -H "Origin: http://demo.openlinksw.com" http://demo.openlinksw.com/mytest/test.vsp HTTP/1.1 200 OK Server: Virtuoso/06.02.3129 (Win32) i686-generic-win-32 VDB Connection: Keep-Alive Content-Type: text/html; charset=ISO-8859-1 Date: Thu, 28 Oct 2010 09:40:21 GMT Access-Control-Allow-Origin: http://demo.openlinksw.com Accept-Ranges: bytes Content-Length: 7 </verbatim> ---+++ cURL Example 3 1 Suppose the Example Setup above is performed, but reject is off (i.e., "Reject Unintended CORS" check-box is not ticked). 1 In this case, the request below will return a response that lacks <code>Access-Control-Allow-Origin</code>: <verbatim> $ curl -i http://demo.openlinksw.com/mytest/test.vsp HTTP/1.1 200 OK Server: Virtuoso/06.02.3129 (Win32) i686-generic-win-32 VDB Connection: Keep-Alive Content-Type: text/html; charset=ISO-8859-1 Date: Thu, 28 Oct 2010 09:45:01 GMT Accept-Ranges: bytes Content-Length: 7 </verbatim> ---++Related * [[VirtTipsAndTricksCORsEnableSPARQLURLs][Enabling Cross-Origin Resource Sharing (CORS) on a Virtuoso SPARQL Endpoint]] * [[https://wiki.mozilla.org/Security/Origin][Origin header proposal for CSRF and click-jacking mitigation]] * [[http://arunranga.com/examples/access-control/][CORS In Action]] * [[http://www.nczonline.net/blog/2010/05/25/cross-domain-ajax-with-cross-origin-resource-sharing/][Cross-domain Ajax with Cross-Origin Resource Sharing]] * [[http://code.google.com/p/html5security/wiki/CrossOriginRequestSecurity][Guide to Secure Implementation of Cross Origin Requests in HTML5]] * [[VirtTipsAndTricksGuide][Virtuoso Tips and Tricks Collection]]
sioc:id
58709df51e604103f3b22cba66fe309c
sioc:link
n2:VirtTipsAndTricksGuideCORSSetup
sioc:has_container
n9:VOS
n3:has_services
n4:item
atom:title
VirtTipsAndTricksGuideCORSSetup
sioc:links_to
n2:VirtTipsAndTricksGuide n12: n14: n16:com n18:html n20:html n23: n26:CrossOriginRequestSecurity n27:Origin n28: n29: n2:VirtTipsAndTricksCORsEnableSPARQLURLs
atom:source
n9:VOS
atom:author
n25:this
atom:published
2017-06-13T05:41:46Z
atom:updated
2018-10-22T10:08:16Z
sioc:topic
n9:VOS