undefined | Better HN

0 pointsd--b4d ago0 comments

A CORS protected endpoint tells YOUR BROWSER not to let YOU access its content if the website you’re browsing from is not whitelisted.

It’s confusing because unlike most security features, it’s meant to protect the users from themselves. The risk comes from a combination of users being allowed to visit malevolent sites and browsers letting all websites do a lot of random stuff, including making 3rd party requests with cookies and private stuff

0 comments

4 comments · 3 top-level

IceDane4d ago· 1 in thread

Like the sibling said: CORS is the relaxation of default security features. It's even in the name: Cross-Origin Resource Sharing.

koolala4d ago

'No Sharing' is a policy on sharing. Being literal about the name misses their point.

moring4d ago

> it’s meant to protect the users from themselves

This is false. It is meant to protect users from a confused-deputy attack made by malicious websites, where that website makes a request to a "serious" API but the user has never asked for, or approved, that request.

Blaming the user for everything that happens serves nobody.

user439284d ago

Isn't it arguably the opposite?

A CORS header in the response tells your browser to relax CORS restrictions.

j / k navigate · click thread line to collapse