Hacker News new | past | comments | ask | show | jobs | submit login

> By default, under the same origin policy, a browser won't allow requests cross origin.

Save a rather short-but-impactful list of exceptions.

> CORS is a mechanism to loosen security, not increase it.

Would that everyone shared your understanding.

Add in these two insights to those we are enlightening:

* CORS is enforced by the browser, so no, your curl command working doesn't say your service is fine

* That error message in the browser about 'no-cors'? It is 99% likely that no-cors is NOT what you want, so the error message is just misleading and unhelpful

...and you'll have covered my CORS wishlist :)

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact