Carla537

What's the point of cross-origin resource sharing if there's a bunch of CORS proxies running?

@Carla537

Posted in: #CrossOrigin #Resources #Security #Webserver

I never really liked the direction CORS (cross-origin resource sharing) is taking. I think there's a misconception about how client-server communication should work.

The general concept is:

User: Hello Server, I'm sending such a request.

Server supports the request:
Server: Hello user, I'm sending my response to your request.

Server does not support the request, REFERRER does not match, etc.:
Server: 400 - bad request

But, ok, let's say CORS is doing servers a favor by assuming 400 errors on certain attempts - such as getting a user's profile information by abusing the fact that he's logged on. I think this is indeed good, but it looks stupid the way it's now implemented:

Script wants to send a request to a different origin...
User: Hello Server, I want to send a request. What requests do you accept?

Server is aware of CORS:
Server: Hello user, I'm sending my CORS policies.
Browser decides to send or not to send...

Server is not aware of CORS:
Server: 404 - not found
Damn... I just wanted to fetch an image...

But why does CORS not just strip the cookies then? Often scripts want to fetch JSON, other scripts or images from a different origin. In that case, they have to set up a server proxy. These proxies are quite popular.

This progress has made the server independence of web applications (which are now able to save files, parse files and so on) quite complicated.

So what's the point of blocking a GET request that I can bypass via a proxy?

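To make the exchange the question describes concrete, here is an added example (it is not code from the original thread or from any project mentioned in it) that models the two decisions a browser takes for a cross-origin fetch: whether the request is "simple" enough to be sent without an OPTIONS preflight, and whether the calling page is allowed to read the response that comes back. The origins, header names and scenarios below are constructed for illustration; the header names themselves are the real CORS response headers. The point it shows is that CORS never stops the request from reaching the server: it gates the page's ability to read the response, and it refuses a credentialed (cookie-carrying) read unless the server names the exact origin and opts in explicitly. A request with `credentials: 'omit'` is, from the server's point of view, the same as a request relayed through a CORS proxy: no cookies for the target site travel with it.

```javascript
// Added example (not from the original thread): a small model of the checks a
// browser applies to a cross-origin fetch. Origins and scenarios are constructed.

// Methods and request headers that may be sent cross-origin without a preflight.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFE_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SAFE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);

function lowercaseKeys(obj) {
  const out = {};
  for (const [k, v] of Object.entries(obj || {})) out[k.toLowerCase()] = String(v);
  return out;
}

// Decision 1: does this request need an OPTIONS preflight before it is sent?
// Anything beyond the safelisted method/headers (e.g. PUT, a JSON body, a
// custom header) makes the browser ask the server first.
function needsPreflight(req) {
  if (!SAFE_METHODS.has(req.method.toUpperCase())) return true;
  const headers = lowercaseKeys(req.headers);
  for (const [name, value] of Object.entries(headers)) {
    if (!SAFE_HEADERS.has(name)) return true;
    if (name === 'content-type') {
      const mime = value.split(';')[0].trim().toLowerCase();
      if (!SAFE_CONTENT_TYPES.has(mime)) return true;
    }
  }
  return false;
}

// Decision 2: may the page at `origin` read the response the server returned?
// `credentials` is the fetch() credentials mode: 'include' means the user's
// cookies for the target site were attached, 'omit' means they were stripped.
function responseReadable(origin, credentials, responseHeaders) {
  const h = lowercaseKeys(responseHeaders);
  const allowOrigin = h['access-control-allow-origin'];
  const withCreds = credentials === 'include';

  if (allowOrigin === undefined) {
    // A server unaware of CORS answers normally; the browser hides the body.
    return { ok: false, reason: 'no Access-Control-Allow-Origin header' };
  }
  if (allowOrigin === '*') {
    // A public resource: readable by anyone, but never together with cookies.
    return withCreds
      ? { ok: false, reason: 'wildcard origin is not valid for a credentialed request' }
      : { ok: true, reason: 'public resource, no cookies were sent' };
  }
  if (allowOrigin !== origin) {
    return { ok: false, reason: `origin ${origin} is not the allowed origin` };
  }
  if (withCreds && h['access-control-allow-credentials'] !== 'true') {
    return { ok: false, reason: 'server did not opt in to credentialed reads' };
  }
  return { ok: true, reason: 'origin allowed' };
}

// Constructed scenarios: the same profile endpoint read with and without cookies.
function scenarios() {
  const page = 'https://app.example';
  const publicApi = { 'Access-Control-Allow-Origin': '*' };
  const privateApi = {
    'Access-Control-Allow-Origin': page,
    'Access-Control-Allow-Credentials': 'true',
  };
  return {
    publicNoCookies: responseReadable(page, 'omit', publicApi).ok,      // true
    publicWithCookies: responseReadable(page, 'include', publicApi).ok, // false
    privateFromPage: responseReadable(page, 'include', privateApi).ok,  // true
    privateFromOther: responseReadable('https://other.example', 'include', privateApi).ok, // false
  };
}

console.log(JSON.stringify(scenarios(), null, 2));
```

The `publicWithCookies` case is the one the question is really about: a server that publishes `*` has said "anyone may read this", and the browser takes that literally by refusing to pair it with the user's session. A proxy that fetches the same URL gets the `publicNoCookies` outcome, which the server already permits, so nothing protected is bypassed; what a proxy cannot do is present the victim's cookies. Plain `<img>` tags are outside this model because the page never gets to read the image bytes, only to display them.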

1 Comment


@Reiling115

I'd say the focus of CORS is making the web safer for end users, and most of its implementation is in fact encapsulated in modern browsers.

What I mean is that it is not designed only to make your server-side content protected or unreachable, as you can always NOT send the referrer headers and bypass it. This is clearly not the case for "unconscious" web users who just want to happily browse the web without worrying about XSS attacks.
