CORS Is Stupid


CORS and the browser’s same-origin policy are often misunderstood. I’m going to explain what they are and what you need to do to stop worrying about them.

Warning: There is no combination of Access-Control-Allow-* headers that protects you from simple requests (GET, HEAD and POST carrying only CORS-safelisted headers and a form-encoded, multipart or text/plain body). The browser sends them without a preflight, so the request reaches your server, with the user’s cookies attached, before any CORS policy is consulted; the headers only decide whether the calling page may read the response. Setting your session cookie with SameSite=Strict avoids this, because the browser then omits the cookie from every cross-site request, but it will make the user appear logged out on the first page load after following a link from another site (that navigation lacks the cookie too). With that in place, other origins can’t make authenticated requests except via an explicit flow such as attaching an Authorization header, which is not a safelisted header and therefore triggers a preflight that your server can refuse.
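
The following is an added example, not code from the original article: a small model of the two browser rules the warning relies on. It decides whether a cross-origin request is "simple" (sent with no preflight, so no Access-Control-* header can stop it reaching the server) and which cookies the browser attaches for each SameSite value. It goes slightly beyond the text by also modelling SameSite=Lax and SameSite=None so the trade-off is visible side by side. The site names, cookie names and the simplified registrable-domain check are assumptions made for the demonstration.

```javascript
// Added example, not from the article. Models the browser's CORS "simple request"
// rule and SameSite cookie attachment for a cross-site request.

const SAFELISTED_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFELISTED_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SAFELISTED_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);

// True when the request matches the CORS-safelisted method/header rules: the browser
// sends it immediately, and the Access-Control-* headers are only consulted afterwards
// to decide whether the calling page may READ the response.
function isSimpleRequest(method, headers = {}) {
  if (!SAFELISTED_METHODS.has(method.toUpperCase())) return false;
  return Object.entries(headers).every(([name, value]) => {
    const lower = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lower)) return false; // e.g. Authorization, X-CSRF-Token force a preflight
    if (lower !== 'content-type') return true;
    return SAFELISTED_CONTENT_TYPES.has(value.split(';')[0].trim().toLowerCase());
  });
}

// Assumed simplification: last two labels as the "site". A real browser uses the
// Public Suffix List, so e.g. co.uk domains are handled differently there.
function site(origin) {
  return new URL(origin).hostname.split('.').slice(-2).join('.');
}

// Names of the cookies the browser attaches to a request from initiatorOrigin to
// targetOrigin. `cookies` is the jar: [{ name, value, sameSite }]. `topLevel` marks a
// navigation (following a link) as opposed to a fetch/XHR/form-in-iframe request.
function cookiesSent(cookies, { initiatorOrigin, targetOrigin, method, topLevel = false }) {
  const crossSite = site(initiatorOrigin) !== site(targetOrigin);
  return cookies
    .filter((c) => {
      if (!crossSite) return true;
      switch ((c.sameSite || 'Lax').toLowerCase()) { // unset treated as Lax, as Chrome does
        case 'none':   return true;                                      // always sent (must be Secure)
        case 'lax':    return topLevel && method.toUpperCase() === 'GET'; // link click yes, fetch/POST no
        case 'strict': return false;                                     // never on a cross-site request
        default:       return false;
      }
    })
    .map((c) => c.name);
}

// Full picture for one request: is it preflighted, and does it arrive authenticated?
function simulate(req, cookies) {
  const sent = cookiesSent(cookies, req);
  return {
    preflight: !isSimpleRequest(req.method, req.headers),
    cookiesSent: sent,
    authenticated: sent.includes('session'),
  };
}

// Constructed scenario: a page on evil.example targets the app on app.example.
const jar = (sameSite) => [{ name: 'session', value: 'abc123', sameSite }];
const formPost = {
  initiatorOrigin: 'https://evil.example', targetOrigin: 'https://app.example',
  method: 'POST', headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
};
const bearerFetch = { ...formPost, headers: { Authorization: 'Bearer tok' } };
const linkClick = { ...formPost, method: 'GET', headers: {}, topLevel: true };

if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  console.log('form POST,  SameSite=None  ', simulate(formPost, jar('None')));
  console.log('form POST,  SameSite=Strict', simulate(formPost, jar('Strict')));
  console.log('Authorization header        ', simulate(bearerFetch, jar('Strict')));
  console.log('link click, SameSite=Strict', simulate(linkClick, jar('Strict')));
  console.log('link click, SameSite=Lax   ', simulate(linkClick, jar('Lax')));
}
```

Run it with Node to see the five cases: the form POST is never preflighted, so only the cookie policy decides whether it arrives authenticated; the Authorization header turns the same request into a preflighted one; and the link-click row shows the Strict trade-off the warning describes (no cookie on the first navigation) against Lax, which sends the cookie on that top-level GET but still withholds it from the cross-site POST.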
