
Hmmm.... never thought about this but now thinking about it... does anyone need CORS? Can server-enforced access controls on "Origin" substitute for CORS in all cases?

If you need access to the user's data on another service, without having their credentials on the other service, CORS is the correct choice.

> Servers can also notify clients whether "credentials" (including Cookies and HTTP Authentication data) should be sent with requests.


The server responsibility of CORS is also about making sure the browser accepts the cross-origin request (in case it's a valid origin). If it doesn't send the correct headers back, the browser will drop the request.

Yes, the server can drop the request or return an error, but that's just half of it. If it wants the browser to accept the request, it has to explicitly say it by using the CORS headers.

Ah, right. But why not have browsers allow cross-origin requests, but let an individual server just deny it based on origin header?

I guess because we don't trust servers to do that, we need "don't allow by default, let the server opt-in" instead of "allow it by default, let the server opt-out", because too many servers would not opt out.
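The two halves the thread describes, as an added example that is not part of any comment above: a minimal CORS policy for a Node.js HTTP server that both rejects requests from origins outside an allowlist and explicitly opts in with the CORS response headers the browser needs before it will expose the response. The allowlist, the `corsDecision` and `handle` names and the request shapes are assumptions made for this example. One caveat the code encodes: a "simple" request (for instance a form-style POST) is sent by the browser without a preflight, so the server-side Origin check is what stops the side effect; the `Access-Control-Allow-*` headers only govern whether the calling page may read the result.

```javascript
// Added example, not from the thread. Minimal CORS handling for a Node.js
// HTTP server: server-enforced Origin allowlist plus explicit opt-in headers.

// Constructed allowlist (assumption for this example). Origins are compared
// by exact string match; a regex or substring test is a classic bypass
// (e.g. "https://app.example.com.evil.com" or "https://evil-app.example.com").
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// Decide whether a request is allowed and which CORS headers to emit.
// `req` mirrors Node's IncomingMessage: `method` and lower-cased `headers`.
function corsDecision(req) {
  const origin = req.headers.origin;

  // No Origin header: same-origin navigation or a non-browser client.
  // Nothing to opt into, and no cross-origin policy to enforce here.
  if (origin === undefined) return { allowed: true, headers: {} };

  // Server-side enforcement: unknown origins are refused outright. This is
  // what protects state-changing "simple" requests, which carry no preflight.
  if (!ALLOWED_ORIGINS.has(origin)) return { allowed: false, headers: {} };

  const headers = {
    // Echo the specific origin; "*" cannot be combined with credentials.
    "Access-Control-Allow-Origin": origin,
    // Opt in to cookies / HTTP auth being sent and the response being readable.
    "Access-Control-Allow-Credentials": "true",
    // The response depends on Origin, so shared caches must key on it.
    "Vary": "Origin",
  };

  // Preflight: the browser asks permission before a non-simple request.
  const wantsMethod = req.headers["access-control-request-method"];
  if (req.method === "OPTIONS" && wantsMethod !== undefined) {
    headers["Access-Control-Allow-Methods"] = "GET, POST, PUT, DELETE";
    headers["Access-Control-Allow-Headers"] =
      req.headers["access-control-request-headers"] || "Content-Type";
    headers["Access-Control-Max-Age"] = "600";
  }
  return { allowed: true, headers };
}

// Request handler usable with http.createServer(handle).
function handle(req, res) {
  const { allowed, headers } = corsDecision(req);
  if (!allowed) {
    // No CORS headers at all: the browser will not expose this response,
    // and the server has done no work on behalf of the foreign origin.
    res.writeHead(403);
    res.end("origin not allowed");
    return;
  }
  for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
  if (req.method === "OPTIONS") {
    res.writeHead(204); // preflight carries no body
    res.end();
    return;
  }
  res.writeHead(200, { "Content-Type": "application/json" });
  res.end(JSON.stringify({ ok: true }));
}
```

To run it as a server: `require("node:http").createServer(handle).listen(8080)`. Note that the allowlist check happens before any headers are chosen, so an origin that fails the check never receives an `Access-Control-Allow-Origin` header, which is exactly the "don't allow by default, let the server opt in" behaviour the thread describes.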
