After spending a considerable amount of time dealing with CORS issues throughout the years, I came to the conclusion that CORS does more harm than it does good, since it can be bypassed by a simple proxy most of the time. Change my mind!
For further actions, you may consider blocking this person and/or reporting abuse
Top comments (6)
The idea of CORS is this:
If I put a link (or a form, or some javascript) on another website, under my control, then I can cause your browser to hit an API you may have credentials on via session tokens or similar, and cause an effect under my control that you didn't intend, and may not even be aware of.
But, if CORS is in effect, then the browser will either check beforehand, or get rejected, because you're on my evil website, not the correct client web app.
So it's not protecting the API from the attacker, which you appear to be concerned about - that could indeed be bypassed trivally with a proxy or just the right headers set on curl. It's protecting the end-user from malicious third-party websites.
Skill issue perhaps?
Agreed. CORS is a security feature that exists in browsers, but doesn't prevent data theft: Use Postman, that doesn't implement CORS and you'll see (if you don't believe me).
UPDATE
Maybe CORS is useful to prevent malicious software. That's about it. For example, CORS assists in the enablement of
SharedArrayBuffer
.My agreement still stands for everything else.
L take my dude
What is the harm you mention? Time to set up the different environments? Tests failing?
Once there is a good development setup, I don't see no harm?
Sure, you can proxy but better little trust of request source than nothing.
What's hard on implementing?