So, yet another "senior" web developer employed by my contractor who utterly fails to understand CORS.

I mean, easy enough to config their servers to provide the headers. A good and quick buck.

But I swear the level of idiocy I find in so-called "seniors" infuriates me. I swear, he didn't even figure out that

A) you can't make the browser omit the Origin header.
(But it works on curl 😭😭😭)

B) it's the *server* who must include access-control-allow-origin in the response, not you in the request. Like, what use would that be? I don't even...


I guess if I ever need to hire web devs again my only question during the interview will be "explain CORS to me".
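
Added example, not part of the original post: a simplified model of points A and B, showing why the same request is readable from curl but blocked in a browser. The allowlist, the origins and all function names are constructed for illustration, and the browser check is reduced to a simple request without credentials.

```javascript
// Added example. The allowlist, origins and function names are constructed.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);

// Header names are case-insensitive; normalise to lower case.
const lower = (h) =>
  Object.fromEntries(Object.entries(h).map(([k, v]) => [k.toLowerCase(), v]));

// Server side: CORS is granted on the *response*. Request headers other
// than Origin play no part in the decision.
function corsResponseHeaders(requestHeaders) {
  const origin = lower(requestHeaders)["origin"];
  const res = { vary: "Origin" }; // caches must key on Origin
  if (origin && ALLOWED_ORIGINS.has(origin)) {
    res["access-control-allow-origin"] = origin;
  }
  return res;
}

// Browser side, simplified to a simple request without credentials:
// the response is readable only if the server's ACAO matches the page origin.
function browserFetch(pageOrigin, scriptHeaders, server) {
  // Origin is a forbidden header name: the browser sets it itself and
  // ignores whatever the script supplied.
  const request = { ...lower(scriptHeaders), origin: pageOrigin };
  const acao = server(request)["access-control-allow-origin"];
  return acao === "*" || acao === pageOrigin ? "readable" : "blocked";
}

// curl / Postman: no Origin unless asked for, and no CORS check on the reply.
function curlFetch(headers, server) {
  server(lower(headers));
  return "readable";
}

function demo() {
  return {
    allowedPage: browserFetch("https://app.example.com", {}, corsResponseHeaders),
    acaoInRequest: browserFetch("https://other.example",
      { "Access-Control-Allow-Origin": "*" }, corsResponseHeaders),
    spoofedOrigin: browserFetch("https://other.example",
      { Origin: "https://app.example.com" }, corsResponseHeaders),
    curl: curlFetch({}, corsResponseHeaders),
  };
}
console.log(demo());
```
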

  • 4
    Oh and CSP
  • 0

    Thank Satan they didn't bloody try to use CSP...
  • 0
    I like that interview question, you'll never employ anyone ever again xD
  • 0
    The saddest part is I'm not even a web developer...
  • 1
    I feel you, every single time it's "it works in postman" (curl and cli in general is too advanced for my seniors)
  • 0
    I don’t know what to tell you, but it took me 10-15 hours to figure this out back then. Maybe I was very slow 😅
  • 0
    Actually omitting the origin header with the browser (if possible) is a security threat, a big one bro!!!

    And taking CORS lightly can bring your system/page down or even worse, be careful when thinking about this.

    You are complaining about the tree, you need to consider the forest
  • 0

    Did you even read the rant?

    I'm not complaining about CORS...