How to make sure your users appreciate your work

well that was insightful.

nixcraft being nixcraft.

i share your rant bro. (well, not actually because i don't use apple :D)

A client drove 3 hours, for a urgent meeting with me that was solved by me adding CORS-headers

from the comic series "saturday morning breakfast cereal".

Dear CORS,

Fuck you.

Sincerely,
localhost:8080 connecting to localhost:8000

behold! wk21 "it's like facebook but..." rants are coming.

NO FIREFOX AND CHROMIUM, I ALREADY SET THE FUCKING CORS HEADERS CORRECTLY ACCORDING TO THE OFFICIAL FUCKING NGINX DOCUMENTATION. WHY THE FUCK ARE YOU STILL DISALLOWING CROSS-ORIGIN REQUESTS?!

Accurate summary of CORS headers

"So, how bad is the current code base?"

Manager: I’m getting a strange error now….it says CORS? Any idea what that means?

Dev: Ezpz, just a matter of how many goats to sacrifice and incantations to recite

Manager: Are you serio—

Dev: Bring me my debugging pentagram

the new fanboy corner on my room wall :)

CORS is the most annoying shit ever seen...

Yesterday, my girlfriend caught a virus. There were 5+ running programs, in program files, program files x86, system32, basically everywhere. The virus modified chrome, firefox, edge (and even installed a false uc browser assuming we had one), there are many entries at startup programs, also running daemons, once you kill one of them, the others detect it and replicate their killed fellows. Tried to run a linux live usb disk for a cleanup, but the computer hibernates instead of shutdown, making modifications on disk risky.

I spent hours trying to suppress the processes, do a manual cleanup and antivirus search. It looked all cleaned up, then I reinstalled chrome, and now it switches its homepage everytime I open it, it also injects batch arguments to desktop link forum chrome (deleting it manually does not help, it comes back). I'm a linux guy, and in a few hours, I hated windows more than ever.

If anybody knows the authors, I *really* want to meet them. I promise I'm not going to punch them, but kneel down, bow my head in respect, and say "teach me master."

Insomnia: yeah, nice cors header
Postman: neat cors header mate

Fetch in browser: where the FUCK is the cors header you retard

FUCK YOU CORS

The most helpful error message of all time:

Unhandled exception in line 0: Script error.

Literally translates to: “Something went wrong but I’m not gonna tell you what.”

Fuck CORS man. Just fuck CORS

I fucking hate CORS. I mean yeah I get that it's for security and all but fucking COCKSUCKER is it ever fucking getting annoying dealing with this shit…

I HATE CORS I HATE CORS

*Creates a rest api that runs on localhost:8080*
*Creates React front end that runs on localhost:3000*
*Sends a GET request to api*
*Cross-Origin Request Blocked: The Same Origin Policy...*

Thats my fucking dev environment and its my local fucking host! Let me just send a fucking request to my own fucking machine you piece of shit! Why the fuck they didn't add an exclusion to fucking localhost?!?

“sEniOr tEcHniCiaN”: “I don’t know what Blazor is. I write my projects in ASP.NET. You should just use ASP.NET”

Me: …”Blazor *is* ASP. This project is running on ASP.NET 6.”

“seNioR tEchNiCiaN”: “As previously stated, I don’t use Blazor. I don’t care what version it is.”

Yes, this is a real exchange from my ongoing problems with this idiot.
His attitude is what ticks me off the most.
He doesn’t know what CORS is.
He doesn’t understand that “ASP.NET” covers Blazor, Razor Pages, the old MVC stuff, web APIs, and more.
He doesn’t understand the difference between a web request being initiated from the browser via Fetch and a web request being initiated from the server. (“My ASP site is shown in the browser, so requests to the third party API aren’t originating from the server.”)

And yet has the arrogance to repeatedly talk down to me while I try to explain basic concepts to him in the least condescending way possible.

After going around and around in circles with him, he finally admitted to me that “he doesn’t actually know what the CORS configuration looks like or how to modify it, to be honest.”

I just wanna go home.

In the Ruhr area (Germany) we have some very old, very strange words with strange meanings. One of those words is ‚Prutscher‘.
A Prutscher refers to a person who does things but never gets a good result, due to lack of knowledge or simple carelessness. Most of the time, Prutschers are people who are interested in certain subjects and often work in the related jobs, but who lack the motivation to properly train themselves, learn what there is to learn and to always keep up with their technologies .
Here are a few examples I've stumbled upon so far in my career:

- Developers in their 60's who read a book about PHP 25 years ago and decided to become a software developer. Since then haven't read anything about it. Who then now build huge spaghetti monoliths for large companies, in which they prefix every function, every variable and constant with their initials and, of course, use Hungarian notation.

- People who read half a fucking tutorial about <insert any fancy js framework here> and start blogging/tweeting about it

- Senior web developers who need to be told what the fuck CORS is and who can't even recognize CORS related errors in their browser console.

- People who have done nothing else for 18 years than building websites for companies on Wordpress 1.x and writing few lines of PHP and Javascript from time to time. Those who are now applying as a frontend dev due to the difficult economic situation and are surprised that they are not accepted due to a lack of experience.

- Developers who are the only ones working on Windows in the team and ask their Linux colleagues for help when Windows starts bitchin.

- People who have been coding for 30 years, have worked with ~42 languages ​​and don't know the difference between compiled and interpreted languages ​​in the job interview.

- Chief developers at a large newsletter-publisher who think it's a good idea to build your own CMS (due to a lack of good existing ones, of course).

- Developers who have been writing PHP applications for multinational corporations for 25 years and cannot explain how PHP is executed. They don't even know what the fucking OPcache is, let alone fpm. FML

- People who call themselves professional developers but never ever heard of DRY, KISS, boy-scout rule, 12-Factor App, SOLID, Clean Code, Design Patterns, ...

- Senior developers wondering why the bash script won't run on their fucking Windows machine.

- Developers who consider Typescript to be a hindrance and see no value in it.

- Developers using ftp for deployments in 2022

- Senior Javascript Developer applying for a job and for whom Integer is a primitive data type in JS.

- Developers who prefer to code without frameworks and libraries because they are only an unnecessary burden/overhead and you can quickly code everything up yourself.

- Developers who think configuring their server(s) manually is a good idea.

You fucking Prutscher. What you have already cost me in terms of work and nerves. I can't even put it into words how deeply I despise you. I have more respect for the chewing gum that has been stuck in my damn trash can for the past 3 years than I do for you guys. You are the disgrace of our profession. I will haunt you in your dreams and prefix every fucking synapse of your brain with MY initials.

As a well-known german band once sang in a very fitting song: I wouldn't even piss on you if you were on fire.

If you recognized yourself in one of the examples here: FUCK YOU!

i rant that i live in a dictatorship with an idiot president who bans whatsapp and facebook to prevent protests (in reaction to having arrested opposition party members of parliament), and github (yes, github) to prevent the spread of a minister's leaked e-mails. now the government is seriously considering shutting down vpn services to prevent by-passing the bans.

on the other hand, it's a nice time and place to continue ms studies on ad-hoc networks - that is of course if i can avoid being arrested or killed before i even start my thesis.

that feeling when your new toys from aliexpress get delivered earlier than expected... i feel so happy unpacking those sensors, capacitors, heat sinks, microchips, breadboards and all. i feel like i have a geeky shopping addiction, i probably won't have the time to play with them from all the work and other personal projects, but still i hoarded enough electronics to invade the world with a drone army in case i have a few weeks me-time.

CORS sucks. That's all I wanted to say.

'yes' in linux shell has become my favourite command when i discovered it. it has a careless touch to it, like "yeah whatever just do the thing".

also, i like glutMainLoop. a saw doll inside my head says "let the game begin!" each time i type this function.

packet received. thanks for all the fishes.

I hate CORS

maybe it's time feature is added for devrant simple community dev projects. there could be games, parody websites, you name it. projects could be hosted on github, and indexed at a "projects" tab here on devrant, so we can choose something and start rolling with our pals from devrant when we get bored at work :) @dfox (inspired by rant from @Notebookdeviant)

oh what a fine young mkfs. thank you my dear, have a nice day yourself.

didn't anyone go for the "#define true false" joke? i didn't actually see it in action, but it would be a pretty harsh one.

So, yet another "senior" web developer employed by my contractor who utterly fails to understand CORS.

I mean, easy enough to config their servers to provide the headers. A good and quick buck.

But I swear the level of idiocy I find in so called "seniors" infuriates me. I swear, he didn't even figure out that

A) you can't make the browser omit the Origin header.
(But it works on curl 😭😭😭)

B) it's the *server* who must include access-control-allow-origin in the response, not you in the request. Like, what use would that be? I don't even...

😞

I guess if I ever need to hire web devs again my only question during the interview will be "explain CORS to me".

My nightmares are made of CORS errors.

Fuck inconsistent CORS implementations across browsers.

Everyone who is about to say "Once you understand CORS it's not a problem anymore".
FUCK YOU TOO!!!!!!!

I don't know what you did yesterday, but i did make my company throw away 2 months of progress.
It all started in the beginning, since that i've made numerous complaints about the workflow or code and how to improve it. I've been told off every time, and every time i either told the boss who agreed in the end or wrote code to prove myself. Everything was a hassle and my tasks weren't better.
Team lead: you'll do X now, please do that by making Y.
Me: but Y is insecure, we should do Z.
Team lead: please do Y
Later it turns out Y is impossible and we do Z in the end...
Team lead: please do W now
Me, a few days later: i've tried and their server doesn't give http cors headers, doing W in the browser is impossible
Team lead, a few days later: have you made progress on W?
Me: * tells again it's impossible and uploads code to prove it *
Team lead: * no response *

After that i had enough. Technically i still was assigned to do W, but i used my time to look over the application and list all the things wrong with it. We had everything, giant commits, commented out code, unnecessary packages, a new commit introduced packages that crashed npm install on non-macs, angularjs-packages even though we use angular, weird logic, a security bug, all css in one file even though you can use component-specific css files...

I sent that to my boss, telling him to let the backend-guys have a look at it too and we had a meeting about this. I couldn't attend but they agreed with me completely. They decided to throw away what we have already and to let one of the backend-guys supervise our team. I guess there will be another talk with the team lead, but time will tell.
It feels so good having hope to finally escape this hellish development cycle of badly defined task, bad communication and headache-inducing merges.

Cors...

You know something isn't right when you look at your CI/CD dashboard and see this:

Backend API developer that doesn't admit his mistakes. Damn, he's annoying the whole team.

Basically crashed the whole app by messing up the settings for the CORS policy, and still doesn't admit it. When he fixed it, the only reply we get was "I erased the thing and put it back and it works".

WOW!

I'm learning nginx and it's simplying the way I think about web projects.

I used to think that when I used a server side framework, then that should be the master and all should go through it. Noob me.

I used to put client side projects (like create-react-app of vue-cli projects) right inside the server side project.

But with nginx you can just route subpaths to different places, then instead of having, let's say, the react project inside rails, they would be in separate git projects.

In fact, I no longer need to restrict myself to a single server framework.

I love several aspects of rails. I love several others of node. And if I need multithreaded performance, I'd very much use something like phoenix or go.

Again, with nginx, you setup subpaths with the `location` directive in the same server and voila, a no CORS setup, cookies shared and homogenous versatile website.

Holy shit firefox, 3 retarded problems in the last 24h and I haven't fixed any of them.
My project: an infinite scrolling website that loads data from an external API (CORS hehe). All Chromium browsers of course work perfectly fine. But firefox wants to be special...
(tested on 2 different devices)
(Terminology: CORS: a request to a resource that isn't on the current websites domain, like any external API)

1.
For the infinite scrolling to work new html elements have to be silently appended to the end of the page and removed from the beginning. Which works great in all browsers. BUT IF YOU HAPPEN TO BE SCROLLING DURING THE APPENDING & REMOVING FIREFOX TELEPORTS YOU RANDOMLY TO THE END OR START OF PAGE!
Guess I'll just debug it and see what's happening step by step. Oh how wrong I was. First, the problem can't be reproduced when debugging FUCK! But I notice something else very disturbing...

2.
The Inspector view (hierarchical display of all html elements on the page) ISN'T SHOWING THE TRUE STATE OF THE DOM! ELEMENTS THAT HAVE JUST BEEN ADDED AREN'T SHOWING UP AND ELEMENT THAT WERE JUST REMOVED ARE STILL VISIBLE! WTF????? You have to do some black magic fuckery just to get firefox to update the list of DOM elements. HOW AM I SUPPOSED TO DEBUG MY WEBSITE ON FIREFOX IF IT'S SHOWING ME PLAIN WRONG DATA???!!!!

3.
During all of this I just randomly decided to open my website in private (incognito) mode in firefox. Huh what's that? Why isn't anything loading and error are thrown left and right? Let's just look at the console. AND IT'S A FUCKING CORS ERROR! FUCK ME! Also a small warning says some URLs have been "blocked because content blocking is enabled." Content Blocking? What is that? Well it appears to be a supper special supper privacy mode by firefox (turned on automatically in private mode), THAT BLOCKS ALL CORS REQUESTS, THAT MAY OR MAY NOT DO SOME TRACKING. AN API THAT 100% CORS COMPLIANT CAN'T BE USED IN FIREFOXs PRIVATE MODE! HOW IS THE END USER SUPPOSED TO KNOW THAT??? AND OF COURSE THE THROWN EXCEPTION JUST SAYS "NETWORK ERROR". HOW AM I SUPPOSED TO TELL THE USER THAT FIREFOX HAS A FEAUTRE THAT BREAKS THE VERY BASIS OF MY WEBSITE???

WHY CAN'T YOU JUST BE NORMAL FIREFOX??????????????????

I actually managed to come up with fix for 1. that works like < 50% of the time -_-

Dev nightmares :

- Not finding bug fix on stackoverflow/GitHub .

- Losing code that hasn't been pushed to GitHub.

- Dealing with an unclean and inconsistent database.

- Installing Node Dependencies.

- Resolving CORS and 500s.

- Training a Linear Regression Model with 700 epochs on an entry-level Laptop.

Keep appending to this list.

#devrant #devnightmares

CORS. How the fuck could it be so hard to get right?

I actually never felt the need to scream at a co-worker so let's talk about that time a co-worker screamed at me instead.

tl;dr : some asshole boss screamed and threatened me because someone else's project was shit and didn't work.

Context: I was in my third year of school internship (graded) and my experience is C, C++, C#, Python all in systems programming, no web.

I was working as an intern for a shit company that was selling a shit software to hospitals (though not medically critical, thank God) the only tech guy on site was the DBA (cool guy) the product was maintained by a single dev in VB from his house, the dude never showed up to work (you'll understand why) and an other intern who couldn't dev shit.

I was working with the DBA on an software making statistical analysis from DB exports, worked nice, no problems here if we forget the lack of specs or boundaries (except must work in ieShit).

The other intern was working on something else (don't ask me what it is) I just remember it was in GWT before the community revived it. His webapp was requesting the company http server for a file instead of having one of it's java servlet to fetch it (both apps ran on sane server) which caused a lot of shit especially CORS error. That guy left (end of contract) and leaves his shit as is, boss asked me to deploy the app, I fiddle with it to see if it works and when I find out it doesn't then that asshole starts screaming at me in front of every other employee present, starts threatening to burn me in the tech world and have me thrown out of my school for no goddamn reason than the other dude's project doesn't work.

After the screaming I leave and warn my school immediately.

I guess that's why the other dev never came to work.

I had three weeks of internship left, that I did from home and worked probably less than 2 hours a day so suck it asshole.

Still had a good grade because I was reviewed by the DBA and he was happy with the work I did.

It was only later that I realized that what he did was categorizing as harassment (at least in France) and decided that never again this would happen without a response from my lawyer.

Was getting CORS errors for no reason.
Realized the extension HTTPS Everywhere was the problem

The web is just a fucked up place. Anytime i have an idea and wanna slap together an mvp, i always feel like web standards are just made by people who have no professional training and once every year come up with some bullshit so they dont get fired.

Figure 1: cors
You wpuld think that setting "access-control-allow-origin" to * would let, well, * through, like in every other field of programming, but no, make sure all 97 other headers match or you will just get a cors error. The server expects application/json and you didnt specify that? Fuck you, have a cors error. Both express and flask have specific packages addressing this one problem so i guess im not the only one.

Figure 2: frameworks
Remember reactive programming? Remember rxjs? No you dont because all frameworks reimplement rx with shadow dom fuckery. Did you know you can have your fucking templates with 5 lines of rxjs code? Amazing huh?

Figure 3: php
It still exists for some reason.

Just found I can bypass CORS / Same-Origin-Policy with anyorigin or crossorigin in Javascript.

Now I can easily scrap motivational quotes, Hell Yeah.

* btw I am building random quotes generator but want to generate quotes with web-scraping *

If I had a penny every time I explained CORS of browsers to tenured J2EE, who just knows ie as a browser, I would be millionaire by now.

Fuck CORS.
Three hours into trying to make it fucking work... YES BROWSER I ALLOWED ALL ORIGINS WHY DONT YOU WORK 😭😭

Started new job at startup and finished all the development environment setup started development it was going smooth for one week.all the created API were working fine on the next day morning without any changes API's were giving cors error.asked my senior what must be the problem he said bypass cors and figure out the problem after trying for 1hrs i couldn't figure out what was the problem but API's were back to normal without any changes. then after sometime same day in zoom call i asked what was the problem he said show me the error but I couldn't reproduced the same cors error he then lectured me for 1 hrs and after that he said that learn to solve by your own dont come with silly mistake like this to me.
I don't know what was the problem he even refused me show to what the problem was.

I spent hours trying to enable CORS on AWS Lambda through API gateway (it was supposed to be simple and Amazon had a nice tutorial) but it turns out that there's a known bug that makes Lambda Proxy Integrations not adhere to any setting in the API Gateway, you have to respond with the headers through the Lambda yourself.

Amazon now mentions this in the tutorial, but if you click "Enable CORS" in API Gateway, it'll show you green check marks and tell you that everything went fine, but you'll find that the Lambda does not respond with the CORS headers. They shouldn't even have "Enable CORS" as an option when you use their Lambda Proxy Integration.

How come something works absolutely perfectly in dev but not in prod?
I was making a desktop app in election js and everything is working perfectly. No problem at all. But then I create the installer/distributable and nothing shows on the screen. And out of curiosity, I wanted to see the error log and it shows an unknown error, I didn't even know from what thing the error is being generated. And after I fixed that, another problem came with Asana Api. I mean, if it's a public API, why do you have to block it with cors? I hate cors!
And after all of it, there's more to it. I mean, why can't you just show the errors in dev?

This is an anti-rant...

I had a problematic arch-dwm setup which i've been struggling with for a looong time, and when i thought i still needed quite some time to solve all issues, yesterday i somehow managed to hit the right solutions for each problem in a single evening. My setup is now in its most stable and usable state ever, and rsynced to a flash drive. I am no longer forced to use windows for my daily needs.

Praise be to holy gnu and holy tux! Do you think maybe i should sacrifice some electronics for the souls of st. ritchie, st. thompson, st. stallman and st. torvalds?

Does web development and CORS count as a burnout haha

i found this beauty on diaspora (in tribute to the comic artist frank franzetta)

p.s.: i asked the artist if i can use it here, but got no replies. i hope it won't be a problem for him/her.

I hate CORS

CORS is shit
Stupid useless shit that protects from nothing. It is harmful mechanism that does nothing but randomly blocks browser from accessing resources - nothing more.

Main idea of CORS is that if server does not send proper header to OPTIONS request, browser will block other requests to that server.

What does stupid cocksuckers that invented CORS, think their retarded shit can protect from?
- If server is malicious, it will send any header required to let you access it.
- If client has malicious intents - he will never use your shit browser to make requests, he will use curl or any ther tool available. Also if server security bases on something as unreliable as http headers it sends to the client - its a shit server, and CORS will not save it.

Can anyone give REAL examples when CORS can really protect from anything?

Just found out the reason for these extremely useless "Script error." errors we're getting being so useless is, once again, CORS. 😡

"Hey, something went wrong in an iframe. I'm not allowed to tell you what went wrong, or where, but trust me some shit is broken *somewhere*. But you have to figure it out yourself."

If cross-origin blocking were a person I'd kick him in the nuts just for being such a fucking dick all the time.

Found an issue on Medium.com as I was not able to comment on some stories.. after some followups I found that it is because of CORS... they stopped responding after I responded with the reason. :(

please stop fucking "Access-Control-Allow-Origin: *"

proxying youtube

today I thought writing a quick project, a youtube proxy server, as in, you browse localhost:<PORT> and youtube comes in the response.

this is not rocket science as proxy servers have around for a long time.

I thought it'd be interesting to code it in userland, as opposed to "systemland".

And 50 lines of code and some minor hurdles later I see youtube "running" in localhost.

Although youtube didn't just work as usual since the videos don't actually come from youtube.com, but from googlevideo.com instead. And my browser, expectably, enforces CORS and forbids any requests to it.

At that point I started to think of ways to somehow proxy googlevideo.com too. But the solutions are not at all trivial.

Then I thought what was the payoff of all this. I tried to proxy serve youtube out of curiosity, and sure thing, you can do it.

But what problem would proxying youtube solve? Maybe I should think in a fuller way what are the problems I have with youtube.

One issue I have is the exposure, discoverability. To explain it, let's say I have been watching a very, very big amount of videos as of today.

Personally I would expect youtube to understand very well by now what my tastes are, what do I want to watch and what I do NOT want to watch.

Notice that I am very black and white, and I do not have much interest in watching certain types of videos.

It could be true that if my expectations of how youtube should work became reality then youtube recommendations would become polarizing or echo chambering.

But that is my decision though, and the problem with youtube is that it's seemingly forcing a single recommendations algorithm onto everyone.

Some people are more open minded and want to watch EVERYTHING, and a lot of people don't.

But users aren't deciding what they should get recommended. Youtube is making that decision for them. And it sure feels like it's trying to maximize ad revenue.

I for one don't give two flying fucks about pranks or diva youtubers. Yet youtube is adamant in presenting some of these to me.

Now, trying to come up with a solution for this is really non trivial. It would definitely require some youtube mining, or some kind of network so as to not get rate limited when mining, and even then you still have to think of how a good recommendation system would work.

I think the implementation of all that would be too much for me (time and skill wise). But I think it's fun to at least try to outline how recommendations could work.

I would very much prefer that when youtube recommended something, at least it has some number of confidence meaning how much would I like that video, so at least I know what to expect.

It should also have some indicators like what is the mood of the video. As in, sometimes I watch youtube in the mood of learning, like programming videos, but most of the time I watch to get entertained.

These ideas are just brainstorms and could be terrible on reproduction, but I'd like to hear what ideas can some of the people here can come up with.

"rose" of alphonse mucha is my favourite desktop item for the time. she watches over me as i code at home.

Question: Does using cookies for user session handling hinder the scalability of your backend because all the API's have to live on the same domain. Basically if one API starts to get a lot of request and you want to add another server to off balance the load you would have to add an entire webserver rather than just a small micro webserver with the API running on it mainly because cookies are used to authenticate user request and cookies don't survive CORS request. Am I right or don't know what the hell i'm talking about lol need some opinions I suggested we make all API's micro services and use JWT for user sessions

cors, really don't have time to fuck around today

Couldn't figure out for the life of me why axios wouldn't ping to the server. Turns out the CORS policy didn't like this. Two fucking hours, man.

Develop all my lambda function, create endpoint for what i need, set up CORS to * time of development... And chrome fuck me with CORS preflight ERROR. What the actual fuck with this shit security easily bypassable...

Me: its enough for today. Change project folder 😐

in the workplace, i have no access to internet, am not admin to my own computer and am not allowed to install anything (due to security reasons). i also happen to have quite some spare time so i'm writing nokia's good old snake game in visual studio and opengl so i can amuse myself both coding and playing. in a way, company pushes creativity and productivity even for slacking.

Created a docker stack that can run on a swarm, tried out an actor system framework with a really nice message passing interface, used a web server framework built on that actor framework, used a really cool ORM that relies heavily on code generation, did some experimenting with Alpine Linux, and re-learned for the 100th time how to deal with CORS

It gets fucking old, yet it always keeps coming back like Christmas.

If I had a fucking euro each time a CTO asks me why they need CORS and TLS to use webrtc (even on LAN??!1! 🤯), I'd be fucking rich.

At least this time the time I wasted explaining it again was paid for at a much higher rate...

IIS curse you and your nuances!

I launch my local web application (which was working fine) and now get CORS errors and 404 not found. Wtf. I clean the solution rebuild, same thing. Then I restart my PC and try again. Same thing.

Then I use Firefox instead if chrome and it magically works. Wtf!

It's hard to fix broken things when they fix themeselves afyer trial and error

CORS in Web Development: useful Bastards

I don't know whether to hate or love them

The jolly of unriddling multiple DNS zone overrides to a static, single IP of a HAProxy loadbalancer which acts as a router and has domain based backend association rules, but frontend based CORS overrides.

My eyes are bleeding, my brain is defeated and I think I need more gaffa type to put together the pieces of what some puny humans call a soul.

RPG
(Guild Wars 2, Diablo3)

After waiting a while for another programmer on another team to provide a web service that I needed to call from a client side web form, I received word that it was ready. I could not get it to work because CORS headings were not being set correctly. After contacting them and letting them know, I got an email update to the team letting everyone know that they were waiting on me. After explaining that CORS headings were not there, I just built a PHP page to proxy the request, results and set the headers correctly so I can move on. I will remove it when they get their side fixed... if they ever do.

Spent debugging for weeks, then found that error was I didn't add my header name in Access-Control-Request-Header option........COOOOOOOOOOOORS!!!!!

Is anyone else having troubles loading github ?

I opened the console and saw their css was being blocked by CORS :D

I have implemented RESTful API using expressJS, and another React app which will use the API's to fetch data.
I'm getting a problem of Allow-Origin Header.
what's the proper way of calling a API ?

do I use a CORS middleware and allow all origin ('*') and use Api-key as way of check authorization to prevent mis-use. ?
any other tricks ?

Fetch API gives CORS error..

Then I use JQuery AJAX request and it works fine...? 😑

Can you even handle CORS requests with Fetch?
🤔

Urgh.. the amount of things you have to know as a developer.. it can get stressful and frustrating sometimes when (in-depth) technology knowledge is demanded from you (for instance, for a job position)..
It's like being a doctor, being a lifelong student.

A few examples of what I had to know during my career:
Java, .NET, Python, PHP, JavaScript/HTML5/CSS3, Sass/Less, Node.js, ReactJS, AngularJS, Vue.js, Cordova, Ionic, Android, design patterns, SOLID, databases (design, implementation, administration, both NoSQL and relational,..), deployment tools (Octopus, Jenkins,..), VCS, CI/CD, HTTP, networking, security (OAuth2, CORS, XSS, CSRF,..), algebra, algorithms, software testing, profiling, Linux, Unix, Windows, MS Office (advanced mail filtering,..), ITIL, IT Law (licensing and its implications when choosing a product, distribution right,..), server architecture,..

Sure yeah, I know, I've studied all that at university but.. it's been too long (almost a decade now). I have to revisit that knowledge.

Spent about 40 minutes trying to figure out why my stupid events were not tracked, something about CORS

so digged into the htaccess file and added the correct headers but the header value was being appended although i was setting it.

So I figured the "tool" i am using is setting it too but only when I set it, that was weird.

So on to to its github I went, someone mentioned there is a CORS setting in the UI, so I added the domain i wanted to allow and done, it fucking works.

Read the documentation kids, sometimes it is useful.

this is a repost organization post. each time you are going to post a classical joke, please find it from items below, and write as comment, the number of the repost. and people will give you ++'s to your comments as if you actually reposted the post. also, feel free to make additions to the list. syntax is:

"(n): [repost context]" for a new item (please do not mess with the order)

"-- [n]: [personal comment]" for simulating the repost.

here we go:

(0): the comic strip about rescuing princesses in different languages.

(1): in case of fire git commit, git push, leave the building.

(2): wanna hear a udp joke? i don't care if you get it.

(3): that joke about java devs wearing glasses because they can't c#.

--------------

An example repost:

-- 0: omg princess lol :)))

OK I need some help. I need to make sure I’m not losing my mind.

We are using an ERP which is hosted by another company. We are supposed to be able to access the data via a REST API. This works fine using Insomnia or Postman, but when I attempt to hit the API from my web application, CORS blocks the localhost origin.

I contacted the company’s technical team to request that they change the CORS configuration to allow localhost. They keep running me around in circles telling me that I don’t know what I’m talking about because localhost isn’t a DNS resolvable name and I’m doing something wrong and they don’t need to change any configuration.

They insist that if anything would need white listed, it would be my IP, not localhost.

I sent them screenshots and stack overflow posts and documentation links, showing them exactly what headers need to be set and where the configuration needs to be set in the ERP. They tell me I don’t know what I’m talking about.

They tell me that if I can hit the API from Postman, I can hit it from my browser.

Am I losing my mind? Have I fundamentally misunderstood CORS all these years? I’m sure I’m right. But I’m starting to feel like I’m crazy.

Today I had a CORS error in production, noticed 1 hour in that I accidentally wrote "localhost:5000//API/*"

1 hour, for a extra slash.

What the fuck is CORS, I can type the URL into my browser and download the file, but running a HTTP request from within a page is denied? Wtf kind of dumb no logic behaviour is this

I don't care about CORS, I really don't. Could it possibly be any more inconvenient and time consuming? I really don't think it could.

It's made on the assumption that everything you are doing has the same security needs as a secret military project, splendid.

my 4th gen. amazon kindle has been one of my favorite work buddies so far. i spend most of my midday breaks with it, kept me pretty good company so far.

Motherfucking peace of shit....
Dont know to whom I should direct this to .

Was creating a new login page for web app using Quasar(vue.js). Since my application have 2 different types of user, which also have different UI, and functionality.
One is written in vanilla ( and is quiet heavy) and the other one in vuejs ( though earlier it was written in vanilla too ). Login page too was written in vanilla which was working fine.
Now just yesterday I finished a prototype for the third type of user, which is also written in vuejs. Now I decided to re create login page using vuejs. Quiet small and easy to do. Finished it yesterday itself. Now since today's morning I am trying to configure it so that it this piece of shit just let me log in. It was authentication and verifying but not letting me log in.
( On server after authentication, I set cookies/token on clients browser and auto reload the page, so during next request to server/ or during reload, server will read the cookie/token and send the specific admin panel to user)

Prick. Dick.
It was setting cookie, but not at the '/' path. Mother fucker.
It was setting cookie to the path I was sending login credentials ( which was different from '/', I.e.- /login/verify=password )
So it was setting cookie/token at '/login/verify=password'.
Even tried setting path for cookie at server. Read everything on internet. MF nothing worked. All I came across was, 'this is CORS' .... 'this is CORS'. Assholes, if it were CORS', how then I am able to make request to server and getting response without error

Only a hour ago, when I made get request to '/login/verify=password' I figured out, cookie is being sent to server for this path only. Then did some changes at server, so to send login credentials to '/'. Now that shit is working

Fucking waste of time. Wasted more than 6 hours. Asshole.

Btw, if you can suggest a better way to login, then please.

ITS PUBLIC OKAY

CORS errors on AWS API Gateway just might be the bane of my existence.

I never understood why there are screenshots of commits being like test, test2, does it work now? or WORK YOU SHIT..

..until i tried to gitignore stuff a bit more specific while gitkeeping folders and deploying shit relying on CORS.😂

* le me develops endpoint using serverless on AWS Lambda, forgets to enable cors *

Le front end dev: Your endpoint doesn't work. Gives me cors error.
Me: but that works on POSTMAN

le front end dev: We are not shipping it with postman.

*fml*

YELP API you piece of shit, why i can't fetch form client side???

CORS, fucking CORS everywhere

does anybody here use diaspora*? for those who don't, it's a free (as in freedom) social network and protocol thereof, and it employs a decentralized, distributed approach. you can choose a "pod" to store your data, and search for people and content inter-podly. as a decentralization/distribution/foss enthusiast, i love the project and check regularly, but sometimes i get the feeling that i'm all by myself there, as i have no friends yet and all the content i see is just my followed keywords. (so befriend me, maybe? :D)

Opinions

Hello, I’m considering building a web framework.

My ideal features would be:
Customizable authentication system(considering using a jwt lib)
Embedded DB(bolt db)
ORM( writing my own)
REST api to DB (via code generator)
Code generator(generation of models and views via cli)
GUI to db(some admin dashboard)
CORS(web service right?)

Why?
Ease of development
Fast prototyping of small-medium web services.
Fun.

My question is, do i have to many things on my platter? Should i narrow it down into less featured framework? What feature should I focus on? How should i benchmark it? Should i write tests for absolutely everything or just for exported methods? What should i take into consideration when developing ORM API, Auth API...

The language is Go

Thank you for your input

We need to create simple form for colection few particular people data for some bounty programme.

We have ready-made website that does similar stuff, but it was outsourced and we have compiled javascript (sidenote - im only person in this place who understands f**ng javascript but hates it deeply)

Anyway, they come to me, and say that creating this google doc will take them few minutes and it seems that editing few divs in the site and creating second one with another subdomain will do the trick.

I tell them that it will take a lot of time to reverse engeneer that compiled react.js website to change few divs. But they insist.

So we start out, I pop up the terminal, copy over site, add nginx config for it, apply SSL to it, we are already good 5-10 minutes in, first roadblock - CORS. At this point I tell them that with google form they would be already done.

What I hear?
But we will need to make again privacy policy

Me:
Can you just link privacy policy from this site?

They:
Oh... it makes it easy now.

My internal voice:
next time try to use brain....

The CORS implementation has made the web overall less secure. It insists on the 99% pain in the ass solution rather than the 98% easy to use solution. So what happens? People work *around* it a lot, and that degrades web security overall.

Had *.mydomain been available as a header value, it would have been fine. Update your CORS headers? Good luck when your users' browsers have a cached copies of the old headers. Instant CORS violations.

unigine sim engine has the worst documentation i've ever seen. it was written in bad english, occasionally did not follow a word convention (i.e. functions doing analogous work used different keywords), most items were just reiterations of function names (made up example for clarification: getAngularVelocity(): gets angular velocity...). i had to use it for my first ever job, and had to learn in from scratch, mostly by trial and error. it's been months since i switched jobs, and they were rolling a version 2 when i left, i hope they improved on their docs.

Damn CORS! Spent 4hrs googling! Alas! I can move forward. Because of that I can say I understand what cors for.

i got a dev!rant nostress ball, because i didn't have any serious rants and used the app for fun purposes.

edit: do you think maybe it can also help in debugging, although it's nothing close to being a duck.

rust anyone? i am a c++ person, and it caught my attention as having an oopish-but-actually-functional new programming paradigm whatever... also (don't know if it's just mozilla's successful marketing) i had the impression that people see it as the new whiz kid in town. do you recommend indulging in it for the sake of trying something new?

on a 5 day rock festival vacation... a band with songs i barely know is on and i'm a bit high... there's a cool set of animations playing at the stage background and i spent the whole concert trying to figure how i could write each animation in opengl. i'll give them a shot back home, if i don't forget.

If you want the ridiculous behavior “required” by POSIX, you must set the environment variable ‘POSIXLY_CORRECT’ (which was originally going to be named ‘POSIX_ME_HARDER’).

You just read a line from GNU's official coding standard document :D

i just learnt how much clearcase sucks the hard way. i always used git for personal projects and am used to finding a simple solution to any problem at most one stackoverflow away, i just messed up my local repo, and experienced people could not manage to undo it. i mean come on, this is a f**king versioning software, how hard can it be to delete everything local and re-pull from remote without messing up configuration files? either clearcase has some serious design shortcomings for my understanding of a versioning software, or it is so overly complicated that nobody actually knows how to revert this mistake.

Anyone knows if it is possible to do SOAP API with Javascript and bypass CORS, or work with it? if not **** this

This CORS is a huge bummer. It took me nearly 4 hours of pounding my head on keyboard trying to figure out why my "$http.post" doesn't work.

Explain to me why CORS isn't the dumbest thing I've ever heard of?

I can make requests from outside the browser but not from within? Hah?

In whatever framework I'm using I get frustrated with the default css so I just !important everything

trying to make a live usb disk. i took shots at random combinations from 2 usb sticks, 2 oses, different tools or technics on each os... each failed with a different outcome. then i realized i should have kept a failure matrix so that i don't try the same combinations, or can trace the roots of the problem.

each time i need to build a live disk, a part of me dies inside.

i want to find the person who proposed to force mtp in android for file transfers, and bash them in the head with a plush android toy till they're knocked unconscious.

all i want is to make a file transfer between my phone and my computer, and rather than plugging my phone's usb, i find it easier to set up an ftp server over local network. and when that doesn't work, i might as well hexdump the file, and copy it char-by-char manually, than use mtp.

Except COVID-19, Airport security is also scanning preflight requests and incoming traffic for CORS with its dated test kit (found this unused gem in an old PHP codebase):

Every couple of hours a certain request from our web app gets a CORS error from our server. Refresh the page and everything works perfectly. WTF...

Y is cors such a big issue 🤨 can't browsers just add a simple setting to enable or disable cors ? Atleast for local host, whats the rationale to have cors enabled 🙄

I wrote a NoCors Heroku App to pull out all the CORS hearders from a 3rd Party API to use in the one of the production site. Still no one knows about it.

We go together like CORS and cookies...said no one ever.

Use headers for Pete's sake!

For work i'll have to use an API whose server doesn't support OPTIONS-requests. All would be ok if the request wouldn't be made FROM A FUCKING BROWSER.
How old is CORS? Have you been living under a rock since then? (Well, maybe. Because they're using IIS7)

Why cross origin request is exist in this world 😢

i've been using debian with xfce for 2 years, and i'm now planning to migrate to arch with xmonad for some freshness. i'm reluctantly peeking out of my comfort zone and sniffing like a cat, any tips appreciated.

I've been trying to understand why my browser does not set the cookies I'm getting from my login api for the last 4 hours and I'm losing my mind, pls help. My frontend is a create-react-app on localhost:8888 and my api is a django rest framework on localhost:8000. I'm using fetch() for all the communication to the api

anybody else has a "polish notation fetish"? i never actually learned lisp, but since i first saw its style, i find writing functions like "+ 1 2" instead of "1 + 2" both aesthetically and functionally more appealing. i think the infix notation is just being kept because of well-established habits.

hey, so i have recently started learning about node js and express based backend development.

can you suggest some good github repositories that showcase real life backend systems which i can use as inspiration to learn about the tech?

like for eg, i want to create a general case solution for authentication and profile management : a piece of db+api end points + models to :

- authenticate user : login/signup , session expire, o auth 2 based login/signup, multi account login, role based access, forgot password , reset password, otp login , etc

- authorise user : jwt token authentication, ip whitelisting, ssl pinning , cors, certificate based authentication , etc (

- manage user : update user profile, delete user, map services , subscriptions and transactions to user , dynamic meta properties ( which can be added/removed for a single user and not exactly part of main user profile) , etc

followed by deployment and the assoc concepts involved : deployment, clusters, load balancers, sharding ,... etc

----

these are all the buzzwords that i have heard that goes into consideration when designing a secure authentication system for a particular large scale website like linkedin or youtube. am not even sure how many of these concepts would require actual codelines and how many would require something else.

so wanted inspiration from open source content to learn about it in depth, replicate and create new better stuff if possible .

apart from that, other backend architectures like video/images storage system, or just some server for movie, social media, blog website etc would also help.

Is there any point in using cors without declaring the origin header?

I have just allowed '*' on the rack-cors host configuration. Yiiiiihhhhaaaaa.. no cors problems on Rails again.

But hackers will go fuck my api.