
Posted by toilet 11 hours ago

Developers don't understand CORS (2019)(fosterelli.co)
226 points | 138 comments
stephbook 8 hours ago
I still don't understand the threat model and, obviously, it's not explained here either.

I log in to social.net. I click on scam.org and change sites. I'm on scam.org and it triggers a request to social.net/friends.

No cookies are sent, no JWT. I'm not logged in and get a "Needs login" HTTP error. Nothing bad happens.

I thought that's how it works without CORS already.

rswail 4 minutes ago
CORS relaxes the rules about what requests the browser can make.

The server doesn't get to stop the browser making calls that it didn't want, so it's a browser security feature, to stop the browser sending cookies where it shouldn't, or more precisely, to only send authentication and other info where it should.

It relaxes the same origin policy.

Usually a browser will not load resources from another origin based on the HTML it receives. If the page is from example.com, it won't allow you to load a page from example.org.

That stops things like authentication and cookies etc from example.com being transmitted to example.org if someone hacks the webpage.

CORS allows the server to relax those rules so that it can say "You can load resources from me, or from these other servers."

So it can say "I'm example.com but you can load resources from example.org and that's OK."

At least, that's how I think it works :)

abraham 8 hours ago
By default cookies are sent for cross-origin requests. The SameSite cookie flag that lets sites control this was only shipped in Safari the year before this blog post was written so it would have been hard to depend on it yet.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Coo...

inigyou 4 hours ago
Your cookies are sent.
koolala 3 hours ago
Then why wasn't credentialless a simple fix to solve that? Not sending cookies isn't hard.
inigyou 2 hours ago
Because that would break things. You couldn't stay logged into HN without cookies. Cookies aren't just for credentials, imagine hotlinking to an image and getting a different language version because your language cookie wasn't sent.
koolala 1 hour ago
I thought we were talking about cross origin requests. I've not encountered content worth hotlinking that can't work on first load without cookies. That seems like a slim hypothetical that doesn't justify banning the ability entirely. You don't attach cookies just to wget something from a server.
teaearlgraycold 8 hours ago
Cookies will be sent if SameSite=None. Because a lot of the web's security features were implemented well after the tech was popular it's a patchwork with lots of overlap.
piterrro 8 hours ago
Wait, isn't it implemented because of the sheer number of browsers that could be used at Zoom’s scale? They could’ve used JSONP too if they wanted to bypass CORS. Using an image with different dimensions sounds like the most bulletproof way across multiple devices/OSes/browsers.
theginger 3 hours ago
CORS is hard to understand because the browser is protecting you and the server from malicious code that the developers are not expecting to be there. It's a hypothetical threat you cannot see during development unless you really go out of your way. If you can't see the threat it's hard to understand it, and if you don't understand the threat it's hard to understand the protection against it.

It's one of those situations where you need to think like an attacker to see the whole picture.

karol 3 hours ago
CORS, CSRF and CSP get the job done ;)
drchaim 4 hours ago
I understand CORS each time I need to fix or to avoid them ;)
threethirtytwo 2 hours ago
AI understands CORS. So that's something AI does better than developers.
deathanatos 10 hours ago
Generally when I'm debugging these, I need/want to know what was the preflight (if applicable), and was the preflight what was expected? When I help others debug these, generally I find there is little expectation of what the preflight "should" be, and instead just a bunch of stochastic attempts to adjust the server's response headers to get the browser to capitulate — regardless of whether that makes any sense at all.

I would also say I think Firefox's network inspector is better in this area. (But I'm often having to ask others to "no, don't send the failing request, send the CORS preflight", we need to understand what happened with it.)

> Anecdotally, lots of developers I’ve talked with don’t understand well how CORS works.

Yeah, most FE devs I've worked with seem to not understand CORS.

> Is the CORS API too complex and confusing

I think it can be hard if you don't understand why the exceptions to preflights are what they are, but the moment you internalize "because the browser can already emit that request in other cases" then it becomes obvious what categories are what & why.

foundart 8 hours ago
Correct. Where are some good explanations?
robertclaus 9 hours ago
I bet there's an awful lot of servers out there that will happily take CORS requests from any host because someone didn't understand why their second domain couldn't talk to the same API.
ivanjermakov 5 hours ago
Sometimes it's a good thing when I try to use someone else's backend in my web app. For example map tile server or route builder, which are session-less and have no authentication.

The idea that HTTP servers are restricted to requests from a single domain by default is strange, wonder if CORS would be better off opt-in rather than opt-out.

kaoD 3 hours ago
> wonder if CORS would be better off opt-in rather than opt-out.

It's necessary that the defaults are secure. More so, not less, if the problem is hard.

ChadNauseam 8 hours ago
That describes pretty much every server I've ever written lol.
ottoflux 8 hours ago
the amount of code I've seen allowing * when it shouldn't because someone was desperately trying to make their code work is astounding.

contractors, "specialists", etc. who never took the time to read how CORS works and how simply you can handle a list of allowable sites, etc.

it's only complicated until you take the 5-10 minutes to properly understand what happens where. if you don't know, go do it now.

bornfreddy 7 hours ago
5-10 minutes? I'm sold. Any link you can share?

I'm saying this as someone who has learned about CORS protections many times, implemented the solutions with care they deserved, but forgot most of it soon after - each time. So I'd be very happy to invest even 15 minutes to break this cycle.

oofbey 7 hours ago
As somebody who has spent a lot more than 10 minutes trying to figure out why CORS was blocking what seemed legitimate, I sympathize with people doing the wrong thing, and disagree with your assertion that it’s not that complicated. Maybe I’m just slow. But objectively I know I’m not.
N_Lens 7 hours ago
“Objectively”