Hacker News

d--b, today at 6:56 AM

A CORS protected endpoint tells YOUR BROWSER not to let YOU access its content if the website you’re browsing from is not whitelisted.

It’s confusing because, unlike most security features, it’s meant to protect the users from themselves. The risk comes from a combination of users being allowed to visit malevolent sites and browsers letting all websites do a lot of random stuff, including making third-party requests with cookies and private stuff.


Replies

moring, today at 9:52 AM

> it’s meant to protect the users from themselves

This is false. It is meant to protect users from a confused-deputy attack made by malicious websites, where that website makes a request to a "serious" API but the user has never asked for, or approved, that request.

Blaming the user for everything that happens serves nobody.

user43928, today at 7:49 AM

Isn't it arguably the opposite?

A CORS header in the response tells your browser to relax CORS restrictions.

IceDane, today at 9:12 AM

Like the sibling said: CORS is the relaxation of default security features. It's even in the name: Cross-Origin Resource Sharing.

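The point the replies make (no CORS header means the browser's default same-origin restriction stays in force, and a CORS header only ever relaxes it) can be shown with a small model of the browser-side check from the Fetch spec. This is an added example, not code from the thread; the server stub, origins and header objects are constructed for illustration.

```javascript
// Added example: a model of the browser's "CORS check" on a cross-origin response.
// The browser always sends the request; the response headers only decide whether
// the calling page's script is allowed to read what came back.

// Decide whether script running on `requestOrigin` may read the response.
// `headers` is a constructed plain object keyed by lower-cased header name.
function corsAllowsRead(requestOrigin, headers, withCredentials) {
  const allowOrigin = headers["access-control-allow-origin"];
  const allowCreds = headers["access-control-allow-credentials"];
  // No header at all: nothing is relaxed, the default policy blocks the read.
  if (allowOrigin === undefined || allowOrigin === "null") return false;
  // A wildcard is honoured only for requests sent without credentials.
  if (!withCredentials && allowOrigin === "*") return true;
  // Otherwise the header must echo the requesting origin exactly.
  if (allowOrigin !== requestOrigin) return false;
  if (!withCredentials) return true;
  // Credentialed responses also need an explicit opt-in (and no wildcard).
  return allowCreds === "true";
}

// Constructed stand-in for an API server. It records every request it handles,
// which shows that CORS does not stop the request from arriving, only the read.
function makeServer(responseHeaders) {
  const served = [];
  return {
    served,
    handle(req) {
      served.push(req.path);
      return { status: 200, headers: responseHeaders, body: "private data" };
    },
  };
}

// Model of fetch() issued by a page at `pageOrigin`: the server runs first, then
// the browser applies the CORS check before handing the body to the script.
function simulateFetch(pageOrigin, server, path, withCredentials) {
  const res = server.handle({ path, origin: pageOrigin, withCredentials });
  const readable = corsAllowsRead(pageOrigin, res.headers, withCredentials);
  return readable
    ? { ok: true, body: res.body }
    : { ok: false, error: "TypeError: blocked by CORS" };
}
```

Note that in the no-header case the server still processes the request; CORS gates the read, not the send, which is why a cookie-bearing request to an endpoint with side effects needs its own protection on the server.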