Y is cors such a big issue 🤨 can't browsers just add a simple setting to enable or disable cors ? Atleast for local host, whats the rationale to have cors enabled 🙄

To learn that noone should stick his magic dick in your gateway. Not without permission.

To prevent malware from loading extra resources.

The problem with a simple setting is that social engineering then easily can lure the most susceptible users into disabling it and then their bank account can be hacked.

Security is unfortunately never easy and every one that thinks so either get burned them self or cause others to get burned due to bad practices.

And of course it has a rational. There are quite a few (local) applications that bind to localhost, but do not have any reasonable security at all. For this reason, there is currently a draft standard which further locks down localhost in webbrowsers.

And browsers have a command line flag for disabling SOP (but you really really really really really do not want to browse to any non-local website with it enabled).
There is no "simple setting" because a regular user does not how dangerous it would be.

There are Browser extensions to disable CORS, but only use it if you know what you're doing, it won't take long to get hacked if naive users disabled CORS.

Disabling is like setting Access-Control-Allow-Origin to asterisk.

Makes no sense, only worse.

And enabling Cors is simple.

Preflight / Options
Other HTTP Methods

Use a map in nginx or the Lua cors module in haproxy.

So certificate registries can monopolize the net and make fat cash.

@Wisecrack CORS has nothing to do with certificates.

@sbiewald DISREGARD the man pointing out my ignoran---I mean disregard the HERETIC!