Posted by toilet 16 hours ago

Developers don't understand CORS (2019) (fosterelli.co)
283 points | 224 comments
utopiah 9 hours ago
I definitely understand CORS in theory, then when it's time to solve a CORS related error, anything goes. /s
mock-possum 14 hours ago
I honestly just can't be arsed. I write the code to do the thing I want, and if CORS throws a wrench into things, I make Claude fix it for me. I'm tired boss.
postsantum 13 hours ago
Good for you. It's the responsibility of the boss to hire someone to type "claude pls check if prorgam not safe"
throwaway7356 10 hours ago
Yes, many developers care nothing about even basic security.

That's why we still have every basic security issue like hardcoded passwords, SQL or other injections, XSRF and so on repeated on an endless loop. Even if they are trivial to avoid.

trick-or-treat 10 hours ago
Claude fixes it by doing insecure shit, your secrets end up exposed, you end up running a $10,000 api bill, you wonder how you got there.
iririririr 14 hours ago
everything browser is about still allowing The Bad Thing Ad Companies need.

cors et al is a freaking mess because those things are designed by a committee chock full of people whose last promotion was their cool idea about how to monetize referrer, or how to do cookie matching across domains, or profile you with the milliseconds it takes to list your usb audio devices, or etc etc etc

somat 11 hours ago
It's me, CORS was the stupidest thing I encountered in a long line of stupid when trying to put together a simple web app for the first time.

"So let me get this straight. We tell the client whether the application we gave them can or cannot make requests to our servers. And none of this actually prevents the client from making the requests if they want to?... Pull the other one it has bells on."

It took a good sleep and a long shower to understand it. "Oh... it is for if I want to do a self injection attack and allow random untrusted malicious code in my application. In other words, ads"

Basically the threat model is inverted from any other threat model, that is why it looks so stupid. CORS is a threat model used for when you can't trust yourself.

gf000 11 hours ago
Well, it's easy to "not trust yourself" when you have user-submittable content that you display for other users. Sure, one should absolutely sanitize it, but layered security is important.
throwaway7356 10 hours ago
> CORS is a threat model used for when you can't trust yourself.

No. But many lack basic understanding of web technologies or of the fact that a browser can be used to access more than a single site. This leads to not understanding what problems cross-site requests can cause and thus the impossibility of understanding what CORS is for.

sciencejerk 11 hours ago
Eh, or maybe you landed on a malicious site or clicked on a malicious phishing link which opened your browser
koolala 13 hours ago
CORS sucks since Cross-Origin-Embedder-Policy: credentialless was never made standard across all browsers. It's a browser client restriction you can't turn off. If you want to do anything interesting with WWW content you have to run your own browser or run an out-of-box one off a proxy server that breaks everything.
9dev 9 hours ago
> If you want to do anything interesting […] you have to run your own browser

This is usually a sign you don't really understand what you're doing.

koolala 8 hours ago
It's not? Remember the 90s? There was a beautiful time before CORS and DRM in the browser. Browsers used to be something that actually cared about allowing full client control.
9dev 8 hours ago
But it isn't the 90s anymore. Billions of people are using the internet, doing everything from voting to shopping to managing their stock portfolio. There are valid reasons why we have security protocols.

And aside from that - it's not like CORS is preventing you from anything. The only requirement is to read up on it, understand it, and configure your web server accordingly. If you're unable to do that, or you'd rather create your own browser, then the only conclusion I can draw is that you're either unwilling or unable to take proper care of the security of your users.

koolala 8 hours ago
I don't care about my server. It has everything to do with what it is preventing my browser client from doing. The whole point is using content from the whole web not my server.
9dev 7 hours ago
You can do whatever you want with your browser client. You just cannot create a website that will make the browser clients of other people send authenticated requests from JavaScript to my site if I don't want that.
koolala 6 hours ago
Who said anything about authentication? The only freedom I want is being able to wget content no differently than from a terminal. You need a modded custom browser to do that.
9dev 4 hours ago
> Who said anything about authentication?

That's the thing. If you're logged in to good.com (with a session cookie), then go to evil.com and it has an AJAX call to good.com, it'll carry your cookie. Thus - authentication. Suddenly evil.com can remote control good.com. (at least it used to be this way at the time we got CORS; the situation has changed a bit with newer web platform features like SameSite cookie params.)

> The only freedom I want is being able to wget content no differently than from a terminal.

I see your point, I really do. But the Venn diagram overlap of "sites that need to download arbitrary websites", "sites that need to only fetch content client-side in the browser, not via their backend", and "sites that do this for non-nefarious purposes" is infinitesimally small. I'm pretty sure your use case is missing at least one of these three criteria.
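
The cookie-carrying scenario 9dev describes, and the "insecure fix" trick-or-treat warns about, modelled as an added example (not code from the thread or from the linked article): a simplified version of the browser's CORS check next to two server policies, one reflecting any Origin and one using an allowlist. All origins are constructed.

```javascript
// Added example (not from the thread): a simplified model of the browser-side
// CORS check from the Fetch standard, plus two server-side policies. It shows
// why "reflect whatever Origin the request carries" silently hands
// authenticated (cookie-bearing) responses to any site. Origins are constructed.

// Browser side: may script running on `origin` read this response?
// Header names are lower-cased, as a browser would normalise them.
function corsCheck(origin, withCredentials, headers) {
  const allowOrigin = headers['access-control-allow-origin'];
  const allowCreds = headers['access-control-allow-credentials'];
  if (allowOrigin === undefined) return false;       // no header: response stays opaque
  if (allowOrigin === '*') return !withCredentials;  // wildcard is rejected once cookies are involved
  if (allowOrigin !== origin) return false;          // must match the full scheme://host[:port]
  return withCredentials ? allowCreds === 'true' : true;
}

// Server policy 1: the "make the error go away" fix. Whatever Origin the
// request carried is echoed back, together with credentials=true.
function reflectAnyOrigin(requestOrigin) {
  return {
    'access-control-allow-origin': requestOrigin,
    'access-control-allow-credentials': 'true',
  };
}

// Server policy 2: an explicit allowlist with exact matching on the full origin.
const ALLOWED_ORIGINS = new Set(['https://app.good.example']); // constructed
function allowlistOrigin(requestOrigin) {
  if (!ALLOWED_ORIGINS.has(requestOrigin)) return {}; // unknown origin: send no CORS headers
  return {
    'access-control-allow-origin': requestOrigin,
    'access-control-allow-credentials': 'true',
    'vary': 'Origin', // so a shared cache never replays one origin's answer to another
  };
}

// Can a page on `origin` read a response to a request that carried the
// victim's cookies? Note the request itself is still sent either way; CORS
// only decides whether the calling script gets to see the body.
function leaksAuthenticatedResponse(policy, origin) {
  return corsCheck(origin, true, policy(origin));
}

console.log(leaksAuthenticatedResponse(reflectAnyOrigin, 'https://evil.example'));   // true
console.log(leaksAuthenticatedResponse(allowlistOrigin, 'https://evil.example'));     // false
console.log(leaksAuthenticatedResponse(allowlistOrigin, 'https://app.good.example')); // true
```

The same check also explains why `Access-Control-Allow-Origin: *` is harmless for public data but is refused by the browser as soon as the request carries credentials.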

koolala 2 hours ago
You don't have to send cookies. That's the entire point of credentialless. The option to be able not to do this is trivial yet everyone is so fixed on it being mandatory when it's the entire problem. Forcing cookies on people is not a good thing.
rishabhpoddar 11 hours ago
I agree that CORS is hard to understand and fix. I was the CTO at an auth company and SO many of our users used to run into various CORS issues and asked questions on our support. However, I'd now argue that developers don't need to understand CORS anymore... cause claude / gpt does! Just throw in the error in claude code / codex and it would fix it.
stephantul 11 hours ago
The second part of this comment is not what I expected. I also don't think it is true. I got bit by a CORS error at work recently that passed by Claude, copilot, and another senior engineer.
gum_wobble 11 hours ago
> developers don't need to understand X … cause claude does!

…………………

sourcecodeplz 11 hours ago
damn where are we heading?
9dev 9 hours ago
It's astounding how willingly people give up their agency. Dystopic sci-fi novels turn out to be bogus, because nobody will rebel against the machines if it prints funny progress indicator words to the terminal
Ekaros 7 hours ago
I am actually starting to believe that those stories where everything was offloaded to AI will come true. And not enough people will actually care even when pointed out... They haven't done much wrong this far...