
Dear CORS,

Fuck you.

Sincerely,
localhost:8080 connecting to localhost:8000

Comments
  • 5
    Fuck CORS, fuck internet security
  • 3
    CORS is super nice tho
  • 2
    At least if it's localhost you can just set the headers and be done with it though?
  • 9
    I have a feeling that the biggest problem with CORS is that it's usually not properly explained from a "what it's supposed to do" standpoint. And yeah, different ports, different servers.
  • 4
    @msdsk

    this exactly. It's a good standard that prevents a lot of simple kiddie attacks on top of some more devious ones...

    but fuck me, it took me a while for it to "click" at all. Once you understand why it's there and what it's trying to prevent, you'll get better at anticipating where you might encounter problems with it and how to quickly avoid them. These days I wouldn't release a BE/FE server without properly configured CORS... you can just use a wildcard in most cases during local development, but don't forget to switch it to your proper server afterwards; it'll work.
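The "wildcard in dev, real origin in production" setup from the comment above, as an added example that is not part of this thread. It assumes the front end on localhost:8080 calling an API on localhost:8000 as in the post; the function names, the `ALLOWED_ORIGINS` table and the production origin `https://app.example.com` are placeholders of my own.

```javascript
// Added example, not from the original post: explicit-origin CORS policy for a
// front end on http://localhost:8080 calling an API on localhost:8000.
// Function and constant names are assumptions; the production origin is a placeholder.

// Weak setting, acceptable only for a credential-free local API: answer every
// origin. Browsers refuse "*" when the response also allows credentials, and it
// must not ship to production.
function wildcardCorsHeaders() {
  return { "Access-Control-Allow-Origin": "*" };
}

// Corrected setting: one allowlist per environment, matched exactly.
const ALLOWED_ORIGINS = {
  development: new Set(["http://localhost:8080", "http://127.0.0.1:8080"]),
  production: new Set(["https://app.example.com"]), // placeholder, replace with the real front-end origin
};

// CORS headers to add for a request carrying `origin`, or null when the origin
// is not allowed (send no CORS headers at all in that case).
function corsHeaders(origin, env) {
  const allowed = ALLOWED_ORIGINS[env] || new Set();
  // Compare the whole origin string: a prefix or substring test would also
  // accept look-alike origins such as "http://localhost:8080.example.net".
  if (typeof origin !== "string" || !allowed.has(origin)) return null;
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    Vary: "Origin", // the answer depends on Origin, so caches must key on it
  };
}

// Preflight (OPTIONS) answer for the same origin, or null if not allowed.
function preflightHeaders(origin, env) {
  const base = corsHeaders(origin, env);
  if (base === null) return null;
  return {
    ...base,
    "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE",
    "Access-Control-Allow-Headers": "Content-Type, Authorization",
    "Access-Control-Max-Age": "600", // seconds the browser may cache the preflight
  };
}
```

Wire `corsHeaders` and `preflightHeaders` into the API's request handler and pick `env` from the deployment configuration, so the allowlist changes with the environment instead of being edited by hand.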
  • 5
    I still think CORS should be disabled by default for a localhost origin. It makes it impossible to get anything going without having to set up a web server.
  • 3
    @12bitfloat localhost is not an exception to any other host. Localhost is just as dangerous.
  • 5
    @bagfox

    Not to mention it would cause a whole lot of "weird, it works on dev" issues
  • 2
    @bagfox In theory, yes.

    In practice, if localhost is dangerous, you have much bigger things to worry about
  • 2
    I created domain names for my company, “local.company.com” and “*.local.company.com”, which all point to 127.0.0.1. We CORS-allowed that in all of our scripts.
  • 2
    @FinlayDaG33k correct. But you’re a dev, on a consumer PC, you can’t assume localhost is “safe”. Even if you have a virus, at least it can’t access your browser, which is, like, the main thing for everything.
  • 0
    @bagfox If you have a virus that screws with "localhost", you should be worried about far, far more.

    Think about the fact that it could probably MITM literally every major site you visit.

    I mean, my local devstack has a valid SSL cert (only valid on my own machine, ofc), so what is stopping the virus from creating and installing its own root CA and TLS certificate and hijacking your connections to begin with?

    And believe me, with all the mischief I have done in recent years, I can say this is far easier done than you think.