undefined | Better HN

0 pointssomat5d ago0 comments

It's me, CORS was the stupidest thing I encountered in a long line of stupid when trying to put together a simple web app for the first time.

"So let me get this straight. We tell the client whether the application we gave them can or cannot make requests to our servers. And none of this actually prevents the client from making the requests if they want to?... Pull the other one it has bells on."

It took a good sleep and a long shower to under stand it. "Oh... it is for if I want to do a self injection attack and allow random untrusted malicious code in my application. In other words, ads"

Basically the threat model is inverted from any other threat model, that is why it looks so stupid. CORS is threat model used for when you can't trust your self.

0 comments

3 comments · 3 top-level

gf0005d ago

Well, it's easy to "not trust yourself" when you have user-submittable content that you display for other users. Sure, one should absolutely sanitize it, but layered security is important.

throwaway73565d ago

> CORS is threat model used for when you can't trust your self.

No. But many lack basic understanding of web technologies or facts like that a browser can be used to access more than a single site. This leads to not understanding what problems cross-site requests can cause and thus the impossibility of understanding what CORS is for.

sciencejerk5d ago

Eh, or maybe you landed on a malicious site or clicked on a malicious phishing link which opened your browser

j / k navigate · click thread line to collapse