Learn More
Resend Email
2
lopu
2y

Explain to me why CORS isn't the dumbest thing I've ever heard of?

I can make requests from outside the browser but not from within? Hah?

rant

wut
Favorite
Ranter
Comments
  • 10
    2y
    You can, but that Shit piece of Javascript you embedded and was high jacked can't.

    That's the point.
  • 1
    2y
    @C0D4 but couldn't it just proxy requests through its own all origins allowed API?
  • 4
    2y
    @lopu The "problem" is the same-origin-policy (SOP), and the "solution" is CORS.

    And SOP is important. Let's say a user is currently logged into his online bank account and there is an API to request the last transactions - or anything else a user would like to keep secret. The user now visits another (malicious) site, with JavaScript using fetch() to call the banking site in the browser - the browser *automatically adds the cookies of the banking site to the call*. The request succeeds, but SOP prevents the malicious site to read the returned list of transactions.
    Additionally, SOP prevents "advanced" requests from even reaching a third party site - only form submissions (or JavaScript sending form data) and simple GET requests are allowed, although the result is never readable.

    Without CORS you would still have to use JSONP or do form-and-redirect-back flows (like OAuth) for every request in JavaScript to other sites.
  • 3
    2y
    outside requests won't automatically add cookies to your request, browser will, I won't prefer random websites making authenticated requests on my behalf.
  • 0
    2y
    Here's the previous CORS rant from a few days ago with quite some useful tech stuff: https://devrant.com/rants/5082028/...
  • 2
    2y
    TBH, took me a while to finally understood WHY we need CORS and how to properly use it.

    First time I run into corps problem, my reaction was the same : WTF that PoS ?! I can do requests just fine my self. Fucking chrome

    And then I read a bit, did some tests my self with my own server and without cors, take less than 30 mins to make a different page which will display data of the first page.

    I feel like there are 2 stages :

    CORS is shit (Not understanding the need)

    Nice, CORS, at least I don't need to worry XXXX requests attemp[ts
Related Rants
devRant © 2021 Hexical Labs LLC
Privacy Policy  |  Terms of Service
Add Comment