logoalt Hacker News

Developers don't understand CORS (2019)

312 pointsby toilettoday at 1:35 AM246 commentsview on HN

Comments

ankitraj1224today at 1:01 PM

[flagged]

formit34today at 8:06 AM

[dead]

tsouth2today at 12:17 PM

[dead]

Tanxsinxlnxtoday at 7:32 AM

[dead]

rfmoztoday at 5:21 AM

[dead]

vladsiutoday at 7:25 AM

[dead]

imparatoday at 10:05 AM

[flagged]

OffBeatDevtoday at 4:38 AM

[flagged]

utopiahtoday at 8:47 AM

I definitely understand CORS in theory, then when it's time to solve a CORS related error, anything goes. /s

mock-possumtoday at 3:12 AM

I honestly just can’t be arsed. I write the code to do the thing I want, and if CORS throws a wrench into things, I make Claude fix it for me. I’m tired boss.

show 3 replies
iririririrtoday at 3:42 AM

everything browser is about still allowing The Bad Thing Ad Companies need.

cors et al is a freaking mess because those things are designed by a comitee choke full of people who last promotion was their cool idea about how to monetize referrer, or how do cookie match across domains, or profile you with millisecond it takes to list your usb audio devices, or etc etc etc

somattoday at 6:25 AM

It's me, CORS was the stupidest thing I encountered in a long line of stupid when trying to put together a simple web app for the first time.

"So let me get this straight. We tell the client whether the application we gave them can or cannot make requests to our servers. And none of this actually prevents the client from making the requests if they want to?... Pull the other one it has bells on."

It took a good sleep and a long shower to under stand it. "Oh... it is for if I want to do a self injection attack and allow random untrusted malicious code in my application. In other words, ads"

Basically the threat model is inverted from any other threat model, that is why it looks so stupid. CORS is threat model used for when you can't trust your self.

show 3 replies
koolalatoday at 4:08 AM

CORS sucks since Cross-Origin-Embedder-Policy: credentialless was never made standard across all browsers. It's a browser client restriction you can't turn off. If you want to do anything interesting with WWW content you have to run your own browser or run an out-of-box one off a proxy server that breaks everything.

show 1 reply
rishabhpoddartoday at 6:16 AM

I agree that CORS is hard to understand and fix. I was the CTO at an auth company and SO many of our users used to run into various CORS issues and asked questions on our support. However, I'd now argue that developers don't need to understand CORS anymore.. cause claude / gpt does! Just throw in the error in claude code / codex and it would fix it.

show 3 replies