Dear CORS,

Fuck you.

Sincerely,
localhost:8080 connecting to localhost:8000

Fuck CORS, Fuck internet Security

Cors is super nice tho

At least if it's localhost you can just set the headers and be done with it though?

I have a feeling that the biggest problem with cors is that it's usually not properly explained from "what it's supposed to do" standpoint. And yeah, different ports, different servers.

@msdsk

this exactly. It's a good standard that prevents a lot of simple kiddie attacks on top of some more devious ones...

but fuck me, It took me a while for it to "click" at all. Once you understand why it's there and what it's trying to prevent you'll get better at anticipating where you might encounter problems with it and how to quickly avoid them. These days a wouldn't release a Be/Fe server without a properly configured CORS... you can just use a wildcard in most cases during local development but don't forget to switch it to your proper server afterwards, it'll work

I still think CORS should be disabled by default for a localhost host origin. Makes it impossible to get anything going without having to set up a web server

@12bitfloat localhost is not an exception to any other host. Localhost is just as dangerous.

@bagfox

Not to mention it would cause a whole lot of "weird, it works on dev" issues

@bagfox In theory, yes.

In practice, if localhost is dangerous, you have much bigger things to worry about

I created domain names for my company “local.company.com” and “*.local.company.com” which all points to 127.0.0.1. We CORS allowed that in all of our scripts.

@FinlayDaG33k correct. But you’re a dev, on a consumer pc, you can’t assume localhost is „safe“. Even if you have a virus, at least it can’t access your browser, which is like, the main thing for everything.

@bagfox If you have a virus that screws with "localhost", you should be worried about far, far more.

Think about the fact that it could probably MITM literally every major site you visit.

I mean, my local devstack has a valid SSL (only valid on my own machine ofc), so what is stopping the virus from creating and installing it's own RootCA, TLS certificate and hijacking your connections to begin with?

And believe me, with all the mischief I have done in recent years, I can say this is far easier done than you think.

Cors acces * now shutup

CORS header ‘Access-Control-Allow-Origin’ missing

localhost is an DNS entry.

One with special meaning or better a certain expectation of what it represents, usually set in OS via hosts.

But- it's DNS.

And as we all know, DNS is a mother tugger....

An external DNS server must not set localhost to a local address, although it would be RFC XY compatible to do so.

And a host file must not necessarily be write protected... or even exist.

A local name resolver could completely ignore that.

Don't expect localhost to be a local IP address just because it's a common configuration, it can be totally bogus.

the fuck. the problem is not what it is or why it is. THe fucking problem is that cannot disable it for fuck sake!!! https://stackoverflow.com/questions...
this fucking shit does not work. Give me fucking way to disable it on nginx!!!!