4

I don't care about CORS, I really don't. Could it possibly be any more inconvenient and time consuming? I really don't think it could.

It's made on the assumption that everything you are doing has the same security needs as a secret military project, splendid.

Comments
  • 3
    It has its role and good reasons for being.

    But it is a bitch when developing sometimes.
  • 11
    Sure ! Let ANY (Literally ANY) website to delete your devrant Account by calling API with your pre-stored credentials. While browsing completely different (scam) website.

    Yep, CORS is useless, for sure !!

    Let’s call a POST API on your banking service from ANY web site in the world.

    It’s not “<military” security, it’s the basic need. If you can’t see it and you are working with WEB projects, you should be fired.
  • 6
    That's why browsers implement that - to make devs care who wouldn't.
  • 1
    @jespersh not exting, I wanted to test my system security :(
  • 4
    CORS devs hate this one little trick.

    Accept: */*
  • 0
    @jespersh lol, improper CORS won't leak cookie data. Obviously you don't understand CORS. Don't worry, almost nobody does, the design is the problem.
  • 1
    Hackers will love you for this
  • 0
    @Fast-Nop wait, you claim it's intentionally made to be difficult so it gets properly done? Is that how humans work? The more difficult the thing, the more people succeed?

    Fascinating....
  • 1
    @theabbie oh nonsense. some things are benign and there's nothing to hack yet it constantly breaks because in this instance, some dumb plugin misconfigured Access-Control-Expose-Headers causing a UTF-8 document to be interpreted as ASCII causing a parsing error with internationalisation on some pages on some browsers on some machines.

    It was so easy to find, such a devious security loophole! Can't leak our precious "charset=utf8" Give me a break.
  • 4
    @kristopolous It's there because if "just share everything with every origin lol" were an option, too many devs would do exactly that.
  • 1
    @kristopolous CORS is only not bad when cookies are not involved, like some public API, CORS on website which uses cookies will allow anyone to perform actions on behalf of currently logged in user, that does sound like a loophole.

    Also, how difficult is it to set 2 headers? Use some library if you're too lazy for even that.
  • 3
    @kristopolous it's not that improperly configured CORS will expose your cookies or data.

    Imagine your JWT has been compromised though a MITM. Now that bad actor can make calls with your token without you knowing.

    With properly configured CORS, the MITM will have a difficult time making calls back to your service because their domain origin will be different.

    Your client makes calls while on the "eatdicks.com" domain while the attacker can only make calls from their fake clone which is on the domain of "eatdlcks.com".

    CORS is also influential in limiting a pubic API access only from approved domains.
  • 0
    @Fast-Nop And, what's the problem? Let people shoot themselves in the foot and stop being a hall monitor finger-wagging everyone from some high horse. The dominant developer attitude has somehow become to design systems as a tutelary babysitter presuming every other programmer needs to be chaperoned around like they're oblivious barely cognizant drooling morons.

    When you design for the ignorant you disempower the competent. Fuck that.
  • 0
    @sariel duh, it's not some profound insight. That's brazenly obvious. What if you're doing something irrelevant, say puling down a quiz on which celebrity is the cutest to display in a SPA ... who cares in this case if your Access-Control-Max-Age is set wrong? It's just irrelevant.
  • 7
    @kristopolous The competent ones just implement that. The incompetent ones are effectively stopped. Sounds like a winning strategy.
  • 1
    What happened to CSRF-token?
  • 0
    @Fast-Nop that's assuming infinite time and resources. Permit people to make the decision to not care. We don't need child safety locks on every technology.
  • 5
    @kristopolous Given the sad state of the average website, the average web dev is an incompetent moron anyway. That wouldn't even be that bad if the fallout were not, in the end, with the users.

    That's why it's good that these morons can't just do anything - in particular because the required extra time hits everyone equally.
  • 0
    @Fast-Nop you're honestly arguing for the necessity to create artificial barriers to success because you feel developers don't have enough to do and the chance of a product's success is too high?

    I'm so glad I'm leaving the industry after 25 years. Ya'll are bonkers.
  • 5
    @kristopolous These are not "artificial barriers". These are "enforcing a minimum of professionalism". If that forces people out of the industry, these are no loss. Maybe they can go and flip burgers or so.
  • 6
    If you don't care about CORS, you are part of the problem it has been created to stop.

    But don't worry - you can still switch to human resources or marketing...
  • 1
    @kristopolous for the amount of time it's taken you to bemoan CORS you could have properly configured it.

    I think your problem might be you haven't been forced into using it before now.

    We all have to deal with it. Yes it's shitty, and yes it's a requirement.
  • 1
    There's another use for CORS that hasnt been mentioned yet: preventing people from using certain apis from the browser. Imagine for a second that somebody decided to send a payment request for a product to their payment processor from the browser. If allowed to somebody somewhere will do that very thing. FYI the only remotely semi-secure way to do that is if the endpoint is authenticated via a one time use token of some sort. But even then its plausibly manipulatable by tweaking things to block the api call to the payment processor and then using the token that call would have used to authenticate with a goddamn payment gateway.
  • 0
    This site isn't "devrant" it's more like deal with a bunch of snotty nosed egotistical amateur hacks. You people are all garbage frauds.
  • 2
    @kristopolous The only amateur garbage fraud hack here is you because you fail to even understand the basics of your trade.

    However, you leaving the industry raises its average competence level, so that's something.
  • 2
    @kristopolous of course, because it's the whole community that's wrong!

    Not you though, no way! You're the best dev there ever was!

    If you can't tell, that was sarcasm.👆

    I can't attest to your skills, but if your temperament is any indicator I would say the dev community is better without you, even if you write perfect code.
  • 0
    @Fast-Nop your doctrinal orthodoxy and dogmatic adherence and absolutist stances along with a disparaging of others in any other context would be red flags for something, and it's not related to anything good.
  • 0
    @sariel questioning things is a disruptive act. All systems run smoother when people are lapdogs and conformists. Until they collapse.
  • 0
    @kristopolous I could accept that, but you never questioned it.
  • 1
    @kristopolous It's indicative of a senior dev whose job it is, among other things, to keep juniors from fucking up shit.
Add Comment