9

I hate CORS

Comments
  • 1
  • 0
  • 0
  • 2
    Basically you need to enable OPTIONS request at the server end for the same url as js would first hit that and continue and server end should have that... Also as a hack but unsafe practice as this is such a shit at the server end have Access-Control-Allow-Origin set to * so that all clients origin are allowed 😉
  • 0
    @groot I would try `Access-Control-Allow-Origin *` but I dunno how to do that on a lighttpd server ;(

    As of now, I'm working with local servers and websites so security isn't nearly as important ;)
  • 3
    I often disable them for local development buuut they're a security feature and disabling them is technically a bug, not a fix. (so if your framework has a CORS fix module that really ticks me off, not speaking to anyone in particular)
  • 4
    Sorry for potentially saving your ass
  • 0
    Could someone enlighten me? I have been trying ibm text translator api and have been getting a cors error on my ajax request
  • 3
    @dUcKtYpEd it’s allowed on any other web api services except ibm one, is this ibm server problem?
  • 3
    @dUcKtYpEd oh btw, it worked on backend, it just throws this error with ajax
  • 3
    @dUcKtYpEd, content cache is just one of the header I accidentally used. Now what I need to send is the authorization, but it throws the same error except with "authorization is not allowed" if I remove the content cache
  • 3
    @dUcKtYpEd I erased the token, sorry for not mentioning it. The backend are using net core it that matters
  • 3
    @dUcKtYpEd yes, I transfered from normal asp and I liked it already. Did you know any tutorial for net core connecting to sql without entity framework? Every site I found are using it and I don’t feel like learning it now yet
  • 3
    @dUcKtYpEd haha okay, I guess I’ll try it on my next free time. Got any tutorials that doesn’t skip the basic I could use?
  • 3
    @dUcKtYpEd also it worked if I created a web api with net core and requested it with ajax. So I should seperate my web services which is how I usually do it anyway
  • 1
    CORS suck.
    Best workaround so far: start chrome with the following options: --disable-web-security --disable-gpu
    This way it will ignore CORS and everything works.
  • 1
    What is this shit supposed to protect, if header can be set manually to 'Access-Control-Allow-Origin': '*'.

    Looks like they have created this crap just to make development harder, because otherwise I dont see how it can do anything useful.

    Can anyone tell any example on when CORS can really help, because so far I haven't read any reasonable explanation.
Add Comment