Why can't Cross-Origin request not share cookies instead of denying the request?

2 pointsthatsnotmepls6y ago1 comments

I'm working on a simple SPA website that consumes a REST API from another website. Because this site doesn't have a policy to allow CORS requests, I need to use a proxy, however, the company I work for blocks most of them, the ones I found to work have a limit on the number of requests which is a bummer, and I didn't want to host my own as this should've just a simple frontend app.

I understand why CORS policies are needed, you can't simply share cookies with everyone that sends a request from your browser to a given host.

However, instead of completely blocking the request, why can't browsers simply don't share such cookies and other info in those cases where CORS applies? (which is the result I get if I send this request from a backend).

1 comments

1 comments · 1 top-level

blintz6y ago

In principle, I think that all or almost all CSRF could be prevented with just ‘samesite’ cookies and careful engineering.

In practice, the same origin policy is a very good ‘safe default’ for the long tail of sited that for whatever reason don’t have proper CSRF mitigation set up.

In a broader sense, CORS also lets sites owner ‘forbid’ requests from any JavaScript that they don’t control, which allows them to narrow the scope of possible attack vectors.

I’m sure this is an incomplete answer though; I’m curious what other people think.

j / k navigate · click thread line to collapse