Single Page Apps are ruling the world and AngularJS is leading the charge. But many of the lessons we learned in the Web 2.0 era no longer apply, and few are as drastically different as authentication.
CORS is an oft-misunderstood feature of modern browsers that is configured by the remote server, not the client. CORS stands for Cross-Origin Resource Sharing, and it was designed to make it possible to access services outside of the origin (scheme, host and port) of the page that is making the request.
Like many browser features, CORS works because we all agree that it works. So all major browsers like Chrome, Firefox, and IE support and enforce it. By using these browsers, you benefit from the security of CORS.
The flip side is that environments which are not full browsers do not enforce it, so it is not relevant there. One large example is the native Web View used by things like Cordova and PhoneGap.
The way CORS works is that the server decides which origins it will accept as clients. An open API like Twitter's might allow any client, while a closed API might decide to allow access only from the origin that serves the running client app.
I won't get into the details of configuring CORS on the server side, but it's really just setting some headers. Here's how you might do it in nginx.
If you use the standard $http service to access remote APIs, it will Just Work as long as the server is configured to allow requests from your domain.
But for many applications, we also need to set and store cookie information for things like logins. By default this is not allowed in most browsers and you'll be smashing your head wondering why the cookie information isn't being saved!
Enter: withCredentials.
Nice, but how do you set the credentials it should send with the HTTP header in Angular? I'm guessing enabling it would require you to save them somewhere?