
Why can't Cross-Origin request not share cookies instead of denying the request? - thatsnotmepls
I'm working on a simple SPA website that consumes a REST API from another website. Because this site doesn't have a policy to allow CORS requests, I need to use a proxy; however, the company I work for blocks most of them, the ones I found to work have a limit on the number of requests, which is a bummer, and I didn't want to host my own as this should've been just a simple frontend app.

I understand why CORS policies are needed; you can't simply share cookies with everyone that sends a request from your browser to a given host.

However, instead of completely blocking the request, why can't browsers simply not share such cookies and other info in those cases where CORS applies? (Which is the result I get if I send this request from a backend.)
======
blintz
In principle, I think that all or almost all CSRF could be prevented with just
‘samesite’ cookies and careful engineering.

In practice, the same origin policy is a very good ‘safe default’ for the long
tail of sites that for whatever reason don’t have proper CSRF mitigation set
up.

In a broader sense, CORS also lets site owners ‘forbid’ requests from any
JavaScript that they don’t control, which allows them to narrow the scope of
possible attack vectors.

I’m sure this is an incomplete answer though; I’m curious what other people
think.

