Date:

Share:

Don’t Snore on CORS | CSS-Tricks

Related Articles

Whatever it was, I just needed a title. Everyone’s favorite internet security feature has crossed my desk a few times recently and I always feel like it’s a sign that I need to write something because that’s what blogging is.

The main problem with CORS is this Developers do not understand CORS. The basic idea of ‚Äč‚Äčthis should be easy: Do not run code across sources. I.e. if I, b css-tricks.com, Try to fetch Some JavaScript from an external URL, like any-other-website.com, The browser will simply stop it by default. You will see a console error. Unauthorized.

Unless, that is, the other site sends a title Which allows this specifically. My domain can be in the permission list or there can be a generic character that allows it. There are many more details here (like pre-inspection and approvals) and as always, MDN article Does a good job on this front.

What have traditionally been moments of hair pulling for me are when CORS seems to be behaving inconsistently. Two requests will pass and the third will fail, which seems inexplicable, but could have been recovered. (Maybe load balancing was involved with semi-stored headings? Who knows.) Or I’m trying to use Proxy And the proxy stops working. I do not even remember all the examples, but I bet I have been to meetings and tried to debug CORS issues more than 100 times in my life.

Anyway, the times CORS crossed my desk recently:

  • This video, Learn CORS in 6 minutes, Has 10,000 likes and seems to have managed to influence people. This is not ironic npm install cors Was the solution here.
  • You need to literally tell the servers that they have the right titles. So, similar to the video above, I had to do it on Video on Cloudflare Workers, Where I used a cross source (but you are not there is to, which is actually a very cool feature of Cloudflare Workers).
  • Jake’s article “How to win at CORS” Which includes a Playground.
  • There are browser extensions (like those of Firefox and chromium) It pulls for you the headlines of CORS, which feels like a dubious solution, but I would not blame anyone for using the development.
  • I wrote about how easy it is to perform a proxy … anything, including a third-party JavaScript file and make it first-party. Many people have noted in comments that doing this completely removes the protection you get from CORS, which is danger-danger. Agree, unless you control 100% on this third side, it’s pretty dangerous.

Source

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Popular Articles