Amazon Web Services (AWS) added support today for a browser specification that defines ways for apps to allow resources to be accessed by web pages from different domains. The practice is called Cross Origin Resource Sharing (CORS) and has been requested by AWS users for the past few years.
The new service represents another way that AWS automates tasks that developers once had to do themselves. We see this over and again fron AWS. They abstract arduous tasks so developers can focus on building apps.
Cross-scripting attacks have historically been used to inject client-side script into Web pages viewed by other users. According to Wikipedia, “CORS makes it possible to determine whether or not to allow the cross-origin request. It is a compromise that allows greater flexibility, but is more secure than simply allowing all such requests.”
According to Brr:
You can implement HTML5 drag and drop uploads to Amazon S3, show upload progress, or update content directly from your web applications. External web pages, style sheets, and HTML5 applications hosted in different domains can now reference assets such as web fonts and images stored in an S3 bucket, enabling you to share these assets across multiple web sites.
The thread on Hacker News about the news shows how much credibility AWS has with its developer community:
Finally, I won’t have to proxy s3 requests through my own nginxes.
I’ve pled for this feature in the AWS forum, over their commercial support (which I bought just to bug them about this), and to werner vogels directly.
More information about CORS on AWS is available here.