Hacker News new | past | comments | ask | show | jobs | submit login

I don't know CORS that well, but like any dev worth their weight in salt I know how to get around it:

- iframe - domain js hack - reverse proxy - http header

What else? Referrer Policies await.

I agree, the only thing I have ever found with CORS is that it makes it difficult for people who don't consider it when planning out servers should run. It goes like this:

- Just use my API...

- I tried, please enable CORS.

- What's CORS?

I find it frustrating that this seems to be the default for most servers. I think it should be opt in and not opt out.

In order to make it opt-in you’d need to disable cookies by default (at least for auth) or else you get massive pwnage by default.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact