CORS

Cross-Origin Resource Sharing

Services
Introduced in Rel-14
CORS is a security mechanism that allows web applications served from one origin to access resources on a different origin. In 3GPP, it enables secure cross-origin API calls to network exposure functions, allowing third-party applications to interact with network capabilities while the browser's origin boundaries remain in force.

Description

Cross-Origin Resource Sharing (CORS) in 3GPP is a security mechanism implemented within the Network Exposure Function (NEF) and Service Capability Exposure Function (SCEF) architectures to enable secure cross-origin HTTP requests. The mechanism operates through a standardized set of HTTP headers that let a server declare which origins are permitted to access its resources. When a web application from one origin attempts a request to a different origin that the browser does not classify as simple, the browser first sends a preflight request using the OPTIONS method, carrying the Origin, Access-Control-Request-Method, and Access-Control-Request-Headers headers. The server responds with Access-Control-Allow-Origin, Access-Control-Allow-Methods, Access-Control-Allow-Headers, and Access-Control-Allow-Credentials headers to specify what is permitted.

The architecture integrates with 3GPP's network exposure framework, where the NEF/SCEF acts as the CORS-enabled server exposing network capabilities to authorized Application Functions (AFs). The mechanism works by intercepting HTTP requests from external applications and validating them against configured CORS policies before allowing access to network APIs. Key components include the CORS policy configuration database, origin validation module, header injection engine, and preflight request handler. These components work together to validate requests, inject appropriate CORS headers in responses, and enforce security policies defined by network operators.

CORS operates through a multi-step handshake process. First, the client application sends an HTTP request with an Origin header indicating its source. The server checks this origin against its whitelist and determines whether to allow the request. For complex requests (those that use methods other than GET, HEAD, or POST, or that include custom headers), the browser automatically sends a preflight OPTIONS request before the actual request. The server responds to this preflight with headers indicating which methods, headers, and origins are allowed. Only if the preflight succeeds does the browser proceed with the actual request.
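The handshake described in the two paragraphs above, as an added Python example that is not from this page or from any 3GPP specification. It models the server side of the exchange as a NEF/SCEF front end would run it: the origin allowlist, the permitted method and header sets, and the example Origin values are all constructed for illustration. The handler answers a preflight only for an allowlisted origin, echoes that exact origin rather than a wildcard (a wildcard is unusable with credentials and would hand the API to every site), sets Vary: Origin so caches key on the origin, and rejects preflights for methods or headers outside the policy. A reflect-any-origin variant is included only to contrast the misconfiguration with the checked version.

```python
"""Server-side CORS policy check for a cross-origin API front end (added example)."""
from typing import Dict, Optional, Tuple

# Constructed policy for one illustrative API endpoint; not taken from any spec.
ALLOWED_ORIGINS = frozenset({
    "https://af.example.com",       # constructed Application Function origin
    "https://partner.example.org",  # constructed second partner origin
})
ALLOWED_METHODS = frozenset({"GET", "POST", "PUT", "DELETE"})
ALLOWED_HEADERS = frozenset({"authorization", "content-type", "x-request-id"})
ALLOW_CREDENTIALS = True  # cookies / HTTP auth are used, so '*' must never be emitted
PREFLIGHT_MAX_AGE = 600   # seconds a browser may cache a successful preflight

# Methods and header names a browser treats as "simple": no preflight for them alone.
SIMPLE_METHODS = frozenset({"GET", "HEAD", "POST"})
SIMPLE_HEADERS = frozenset({"accept", "accept-language", "content-language", "content-type"})


def origin_allowed(origin: Optional[str]) -> bool:
    """Exact allowlist match: scheme, host and port must all agree. No prefix or
    substring matching, so a look-alike origin is rejected."""
    return origin is not None and origin in ALLOWED_ORIGINS


def needs_preflight(method: str, app_headers: Dict[str, str]) -> bool:
    """True when a browser would send OPTIONS before this request, i.e. the method
    is not simple or the application set a non-simple header. (Content-Type values
    are not inspected here; a browser also preflights non-form content types.)"""
    if method.upper() not in SIMPLE_METHODS:
        return True
    return bool({h.lower() for h in app_headers} - SIMPLE_HEADERS)


def _origin_headers(origin: str) -> Dict[str, str]:
    """Headers common to preflight and actual responses for an allowed origin."""
    hdrs = {
        "Access-Control-Allow-Origin": origin,  # echo the specific allowed origin
        "Vary": "Origin",                       # response depends on Origin; caches must key on it
    }
    if ALLOW_CREDENTIALS:
        hdrs["Access-Control-Allow-Credentials"] = "true"
    return hdrs


def handle_preflight(request_headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Answer an OPTIONS preflight. Returns (status, response_headers). A 403 with
    no CORS headers makes the browser refuse to send the actual request."""
    hdrs = {k.lower(): v for k, v in request_headers.items()}
    origin = hdrs.get("origin")
    if not origin_allowed(origin):
        return 403, {}
    method = hdrs.get("access-control-request-method", "").upper()
    if method not in ALLOWED_METHODS:
        return 403, {}
    requested = {h.strip().lower()
                 for h in hdrs.get("access-control-request-headers", "").split(",")
                 if h.strip()}
    if not requested <= ALLOWED_HEADERS:
        return 403, {}
    resp = _origin_headers(origin)
    resp["Access-Control-Allow-Methods"] = ", ".join(sorted(ALLOWED_METHODS))
    resp["Access-Control-Allow-Headers"] = ", ".join(sorted(ALLOWED_HEADERS))
    resp["Access-Control-Max-Age"] = str(PREFLIGHT_MAX_AGE)
    return 204, resp


def cors_headers_for_response(request_headers: Dict[str, str]) -> Dict[str, str]:
    """CORS headers to attach to the actual (non-OPTIONS) response. Empty when
    there is no Origin (same-origin or non-browser client) or it is not allowed."""
    hdrs = {k.lower(): v for k, v in request_headers.items()}
    origin = hdrs.get("origin")
    return _origin_headers(origin) if origin_allowed(origin) else {}


def reflect_any_origin(request_headers: Dict[str, str]) -> Dict[str, str]:
    """The misconfiguration to avoid, kept only for contrast: echoing whatever Origin
    arrives while allowing credentials lets any site read authenticated responses."""
    origin = {k.lower(): v for k, v in request_headers.items()}.get("origin", "")
    return {"Access-Control-Allow-Origin": origin, "Access-Control-Allow-Credentials": "true"}


if __name__ == "__main__":
    # Constructed preflight as a browser would send it for a credentialed PUT.
    preflight = {"Origin": "https://af.example.com",
                 "Access-Control-Request-Method": "PUT",
                 "Access-Control-Request-Headers": "Authorization, Content-Type"}
    print(handle_preflight(preflight))
    print(handle_preflight({"Origin": "https://unknown.example.net",
                            "Access-Control-Request-Method": "GET"}))
```

The actual request that follows a successful preflight is handled separately by cors_headers_for_response, because the browser still requires Access-Control-Allow-Origin on the real response before it lets the page read the body; the preflight alone is not enough.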

The mechanism's role in 3GPP networks is critical for enabling secure third-party access to network capabilities while maintaining the same-origin policy security model. It allows network operators to expose APIs for services like quality of service control, location services, and network status monitoring to authorized external applications without compromising security. The implementation follows RESTful principles and integrates with OAuth 2.0 for authentication and authorization, creating a comprehensive security framework for network exposure.

Purpose & Motivation

CORS was introduced in 3GPP to address the security challenges of exposing network capabilities to third-party applications through web-based APIs. Before CORS implementation, network exposure functions faced limitations with the same-origin policy that prevented web applications from making cross-origin requests, forcing developers to use less secure workarounds like JSONP or proxy servers. These workarounds introduced security vulnerabilities and complexity in managing third-party access to network resources.

The historical context for CORS in 3GPP stems from the increasing demand for network APIs in the era of 5G and network slicing, where third-party applications need secure access to network capabilities. Traditional approaches required complex proxy architectures or relaxed security policies that exposed networks to potential attacks. CORS provides a standardized, secure mechanism that maintains browser security while enabling legitimate cross-origin requests, addressing the fundamental tension between security and functionality in network exposure scenarios.

CORS solves the specific problem of enabling secure communication between web applications hosted on different domains and 3GPP network exposure functions. It allows network operators to maintain strict security boundaries while providing controlled access to network APIs, supporting the business model of exposing network capabilities as services. The mechanism addresses the limitations of previous approaches by providing a standards-based solution that integrates with existing web security models and browser implementations.

Key Features

  • Origin-based access control through HTTP headers
  • Preflight request mechanism for complex cross-origin requests
  • Integration with 3GPP authentication and authorization frameworks
  • Configurable CORS policies for different API endpoints
  • Support for credentialed requests with cookies and HTTP authentication
  • Header validation and injection for secure responses

Evolution Across Releases

Rel-14 Initial

Initial introduction of CORS support in 3GPP specifications for network exposure functions. Defined the basic architecture integrating CORS with NEF/SCEF, established header requirements for cross-origin requests, and specified the preflight mechanism for secure API access. Enabled third-party applications to safely access network capabilities through standardized web protocols.

Defining Specifications

Specification    Title
TS 26.512        3GPP TS 26.512
TS 26.957        3GPP TS 26.957