Description
Cross-Origin Resource Sharing (CORS) in 3GPP is a security mechanism implemented within the Network Exposure Function (NEF) and Service Capability Exposure Function (SCEF) architectures to enable secure cross-origin HTTP requests. The mechanism operates through a standardized set of HTTP headers that allow servers to declare which origins are permitted to access their resources. When a web application from one origin attempts to access resources from another origin, the browser sends a preflight request using the OPTIONS method, which includes Origin, Access-Control-Request-Method, and Access-Control-Request-Headers headers. The server responds with Access-Control-Allow-Origin, Access-Control-Allow-Methods, Access-Control-Allow-Headers, and Access-Control-Allow-Credentials headers to specify what is permitted.
The architecture integrates with 3GPP's network exposure framework, where the NEF/SCEF acts as the CORS-enabled server exposing network capabilities to authorized Application Functions (AFs). The mechanism works by intercepting HTTP requests from external applications and validating them against configured CORS policies before allowing access to network APIs. Key components include the CORS policy configuration database, origin validation module, header injection engine, and preflight request handler. These components work together to validate requests, inject appropriate CORS headers in responses, and enforce security policies defined by network operators.
CORS operates through a multi-step handshake process. First, the client application sends an HTTP request with an Origin header indicating its source. The server checks this origin against its whitelist and determines whether to allow the request. For complex requests (those that use methods other than GET, HEAD, or POST, or that include custom headers), the browser automatically sends a preflight OPTIONS request before the actual request. The server responds to this preflight with headers indicating which methods, headers, and origins are allowed. Only if the preflight succeeds does the browser proceed with the actual request.
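The preflight check described above, as an added Python example; it is not taken from a 3GPP specification or any NEF/SCEF implementation. The `CorsPolicy` class, the origin `https://af.example.com`, the allowed methods and headers, and the choice to answer a rejected preflight with 403 are all assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CorsPolicy:
    # Constructed sample policy; origin, methods and headers are placeholders.
    origins: frozenset = frozenset({"https://af.example.com"})
    methods: frozenset = frozenset({"GET", "POST", "PUT", "DELETE"})
    headers: frozenset = frozenset({"authorization", "content-type"})
    allow_credentials: bool = True
    max_age: int = 600


def preflight(policy, request_headers):
    """Evaluate an OPTIONS preflight; return (status, response_headers)."""
    h = {k.lower(): v.strip() for k, v in request_headers.items()}
    origin = h.get("origin", "")
    method = h.get("access-control-request-method", "")
    wanted = {x.strip().lower()
              for x in h.get("access-control-request-headers", "").split(",")
              if x.strip()}
    # Vary: Origin keeps caches from serving one origin's answer to another.
    resp = {"Vary": "Origin"}
    # Exact string match on scheme://host[:port]: no suffix or regex matching,
    # so look-alike hosts and the literal "null" origin are rejected.
    if origin not in policy.origins:
        return 403, resp  # assumption: reject explicitly, with no CORS headers
    if method not in policy.methods or not wanted <= policy.headers:
        return 403, resp
    resp["Access-Control-Allow-Origin"] = origin  # echo only a validated origin
    resp["Access-Control-Allow-Methods"] = ", ".join(sorted(policy.methods))
    resp["Access-Control-Allow-Headers"] = ", ".join(sorted(policy.headers))
    resp["Access-Control-Max-Age"] = str(policy.max_age)
    if policy.allow_credentials:
        # Credentialed responses need a specific origin; "*" is not valid here.
        resp["Access-Control-Allow-Credentials"] = "true"
    return 204, resp
```

The browser enforces the result: a preflight response without a matching `Access-Control-Allow-Origin` stops the actual request from being sent, but non-browser clients ignore CORS entirely, so the API still needs its own authentication and authorization.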
The mechanism's role in 3GPP networks is critical for enabling secure third-party access to network capabilities while maintaining the same-origin policy security model. It allows network operators to expose APIs for services like quality of service control, location services, and network status monitoring to authorized external applications without compromising security. The implementation follows RESTful principles and integrates with OAuth 2.0 for authentication and authorization, creating a comprehensive security framework for network exposure.
Purpose & Motivation
CORS was introduced in 3GPP to address the security challenges of exposing network capabilities to third-party applications through web-based APIs. Before CORS implementation, network exposure functions faced limitations with the same-origin policy that prevented web applications from making cross-origin requests, forcing developers to use less secure workarounds like JSONP or proxy servers. These workarounds introduced security vulnerabilities and complexity in managing third-party access to network resources.
The historical context for CORS in 3GPP stems from the increasing demand for network APIs in the era of 5G and network slicing, where third-party applications need secure access to network capabilities. Traditional approaches required complex proxy architectures or relaxed security policies that exposed networks to potential attacks. CORS provides a standardized, secure mechanism that maintains browser security while enabling legitimate cross-origin requests, addressing the fundamental tension between security and functionality in network exposure scenarios.
CORS solves the specific problem of enabling secure communication between web applications hosted on different domains and 3GPP network exposure functions. It allows network operators to maintain strict security boundaries while providing controlled access to network APIs, supporting the business model of exposing network capabilities as services. The mechanism addresses the limitations of previous approaches by providing a standards-based solution that integrates with existing web security models and browser implementations.
Detected Changes Across Releases
From 3GPP Change Requests. Specific changes extracted from the "Change history" tables of 3GPP specifications (1 CR across 1 release). Complements the general historical overview above with the evidence-based evolution of this function.
Studied in Rel-14, normative work from Rel-16.
In Release 16, the CORS (Cross-Origin Resource Sharing) function was newly introduced to enable secure cross-origin requests for 5G Media Streaming (5GMS) APIs, specifically at the M1d interface for provisioning sessions. This was implemented through cumulative corrections and additions to the 5GMS3 APIs, including enhancements to the Metrics Reporting Configuration and procedures for uplink streaming. The updates also involved bug fixes and the introduction of an Annex for OpenAPI implementation to ensure standardized and interoperable API behavior.
- Cumulative corrections of 5GMS3 APIs (TS 26.512 CR0004). CRs implemented:
  - S4-201432: Cumulative corrections of 5GMS3 APIs, Ericsson
  - S4-201305: Editorial corrections, BBC
  - S4-201363: Additions and Modifications to M1 API on Metrics Reporting Configuration, Qualcomm
  - S4-201622: Text on Procedures for Uplink Streaming, Qualcomm, Ericsson
  - S4-201580: Correction of the missing SdfMethod type definition, Ericsson
  - S4-201593: Correction of the missing CRUD operation notation, Ericsson
  - S4-201594: Correction of the MediaPlayerEntry and ClientMetricsReportingConfiguration cardinality in the Service Access Information resource, Ericsson
  - S4-201596: Correction of the Service Access Information subresource (URL), Ericsson
  - S4-201597: Annex for OpenAPI Implementation, Ericsson
  - S4-201595: Update Consumption reporting, Enensys Technology, BBC
  - S4-201590: Bug Fixes on Metrics Reporting Functionality, Ericsson LM, Qualcomm Incorporated
  - S4-201486: AF-based Network Assistance, Sony Europe B.V., Ericsson LM
  - S4-201608: CR on AT Commands for RAN-based Assistance, Qualcomm Inc.
Defining Specifications
3GPP specifications that define or reference CORS, with the latest known release. Sourced from the 3GPP document catalog — see methodology.
| Specification | Title | Release |
|---|---|---|
| TS 26.512 vj10 | 5G Media Streaming Protocols & APIs | Rel-19 |
| TR 26.957 vj00 | Evaluation of MPEG DASH SAND for 3GPP | Rel-19 |