I've been wondering about the necessity of CORS (Cross-Origin Resource Sharing). If its main purpose is just to prevent authenticated requests from different origins, why was it established in the first place? If cookies are sent only with same-site requests, wouldn't that solve the issue? I'm not sure if this is just legacy baggage or if there's a deeper reason I'm missing. I understand that CORS blocks cross-origin requests to protect against CSRF (Cross-Site Request Forgery), but could it be more effective to allow these requests without sending along cookies or session tokens? This way, it feels like there could be a simpler method, akin to using curl for self-authenticated API endpoints.
4 Answers
People often mix up CORS with SOP. SOP is the original security principle that prevents a site from accessing resources from another site. CORS was introduced later to allow servers to specify which origins can access their resources. It's important because, without it, you'd have a lot more data breaches due to scripts on malicious websites accessing user data without permission.
Oh, I misunderstood that too! I thought browsers automatically blocked cookies from cross-origin requests by default.
CORS isn't really about authentication but is more a mechanism that forces servers to allow cross-origin requests if they want to. It ensures that other sites can't hijack your session data. While some browsers enforce the Same-Origin Policy (SOP), CORS allows a way to bypass that restriction when it's explicitly permitted by the server. So, it’s somewhat essential for web security.
I see what you're saying. If browsers didn't enforce this, any new browser could expose server responses, right? That seems risky!
Why is CORS not allowed on localhost by default, though? Seems odd!
CORS lets you open up data sharing safely. For example, if your app needs to pull in data from a different domain, CORS is a way for that domain to say, 'It’s okay, you can use my data.' This helps prevent data leaks that could occur from poor implementations.
Kind of a bummer that CORS is necessary, right? But totally get its importance.
So what you’re saying is that CORS protects us from potentially malicious sites?
CORS doesn’t block requests per se, but it’s a safety measure because it prevents potential abuse from cross-origin requests. For instance, without CORS, a site could use your credentials to make requests and manipulate your account on another site. It gives you the ability to explicitly tell the browser which domains you're okay with sharing data with.
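To make the two points above concrete (the server saying which origins may use its data, and the browser only withholding the response rather than blocking the request), here is an added example that is not part of any answer in this thread. It models both halves of CORS in plain JavaScript; the origins, allowlist and header values are constructed samples.

```javascript
// Added example, not from the thread: (1) a server building CORS response
// headers from an explicit origin allowlist, and (2) the browser-side check
// that decides whether the calling script may read the response.

// Server side: answer only for allowlisted origins. Reflecting whatever
// Origin the request carries together with Allow-Credentials: true would hand
// any site the user's authenticated data; the allowlist prevents that.
function buildCorsHeaders(requestOrigin, allowlist) {
  const headers = { vary: 'Origin' }; // response varies per Origin; caches must key on it
  if (allowlist.includes(requestOrigin)) {
    headers['access-control-allow-origin'] = requestOrigin;
    headers['access-control-allow-credentials'] = 'true';
  }
  return headers;
}

// Browser side: the request is still sent (with cookies when credentials are
// included); what CORS withholds is the response, unless the server's headers
// permit this page's origin.
function responseExposedToScript(pageOrigin, targetUrl, withCredentials, headers) {
  if (new URL(targetUrl).origin === pageOrigin) {
    return { exposed: true, reason: 'same-origin' };
  }
  const allowOrigin = headers['access-control-allow-origin'];
  if (allowOrigin === undefined) {
    return { exposed: false, reason: 'no Access-Control-Allow-Origin' };
  }
  if (allowOrigin === '*') {
    // The wildcard never covers credentialed requests.
    return withCredentials
      ? { exposed: false, reason: 'wildcard not valid with credentials' }
      : { exposed: true, reason: 'public resource' };
  }
  if (allowOrigin !== pageOrigin) {
    return { exposed: false, reason: 'origin not allowed' };
  }
  if (withCredentials && headers['access-control-allow-credentials'] !== 'true') {
    return { exposed: false, reason: 'credentials not allowed' };
  }
  return { exposed: true, reason: 'origin allowed' };
}

// Constructed scenario: the API at api.example trusts only app.example.
const ALLOWLIST = ['https://app.example'];
function simulate(pageOrigin, withCredentials) {
  const headers = buildCorsHeaders(pageOrigin, ALLOWLIST);
  return responseExposedToScript(pageOrigin, 'https://api.example/me', withCredentials, headers);
}
```

Running `simulate('https://other.example', true)` shows the request reaching the server but the response staying hidden from that page's script, which is the protection the answer describes.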
But couldn't those malicious sites just use proxies to get around CORS?
CORS is indeed crucial for user security on the web. Would be chaos without it!

Thank you! That really clarifies it for me.