Why don't all browsers, desktop and mobile, just block all cross-origin access t...

easterncalculus · 2025-06-03T17:24:01 1748971441

For one I think it would break all those "update your BIOS via your motherboard website" apps that probably shouldn't exist anyways.

There probably are some legitimate uses, but I'm straining to come up with them.

arunkant · 2025-06-03T19:22:46 1748978566

Maybe just ask for confirmation

dwaite · 2025-06-04T08:00:11 1749024011

There's effort to define standard behavior here. See https://wicg.github.io/private-network-access/ (although I suspect this document may make a significant shift soon)

chedabob · 2025-06-03T19:40:10 1748979610

I thought they did for resources and JS, which is why Meta have to use WebRTC instead?

I think the Yandex one slips through because CORS does a naive check against just what's in the header, not what it resolves to?