
Ask HN: Why is CORS the way it is? - anderspitman
I understand the problem CORS is trying to solve, but I don&#x27;t really understand the implementation. The main problem for me is the decreased performance as a result of preflight requests. In order to avoid them, as far as I know you have to resort to hacky solutions like tunneling everything through POST requests with mime type text&#x2F;plain, or using query params like ?delete=true. These solutions are easy to implement, but hacky and dangerous.<p>Since it&#x27;s so easy for developers to circumvent, why did browser vendors force this solution on everyone, rather than leaving cross-origin security up to developers, or at least making CORS opt-in?<p>What am I missing here?
======
evnix
Send cache headers in the preflight response so the browser doesn't keep
requesting it.

> Since it's so easy for developers to circumvent But not for hackers trying
> to inject JS into insecure webpages.

But I do get your point, there should have been a better implementation, I
have the same complaint against HTTPS (makes development unnecessarily
complicated).

