DEV Community

Johannes Millan

CORS is a waste of time – Change my mind!

After spending a considerable amount of time dealing with CORS issues throughout the years, I came to the conclusion that CORS does more harm than it does good, since it can be bypassed by a simple proxy most of the time. Change my mind!

Top comments (6)

Dave Cridland

The idea of CORS is this:

If I put a link (or a form, or some javascript) on another website, under my control, then I can cause your browser to hit an API you may have credentials on via session tokens or similar, and cause an effect under my control that you didn't intend, and may not even be aware of.

But, if CORS is in effect, then the browser will either check beforehand, or get rejected, because you're on my evil website, not the correct client web app.

So it's not protecting the API from the attacker, which you appear to be concerned about - that could indeed be bypassed trivially with a proxy or just the right headers set on curl. It's protecting the end-user from malicious third-party websites.

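Added example, not part of the thread and not the commenter's code: a JavaScript model of the decision the browser makes that Dave describes above. All origins, the cookie value, the `apiServer` endpoint and every function name here are constructed for illustration. `browserFetch` mimics a page at one origin calling an API at another, including the preflight for non-simple requests; `nonBrowserFetch` stands in for curl, Postman or a proxy, which skip CORS entirely but also do not carry the victim's cookies.

```javascript
// Added example (mine, not from the thread): a toy model of the browser's CORS decision
// versus a non-browser client. All origins, cookies and endpoints below are constructed.
const API_ORIGIN = "https://api.example";   // the API holding user data
const APP_ORIGIN = "https://app.example";   // the legitimate client web app
const EVIL_ORIGIN = "https://evil.example"; // attacker-controlled site
const VICTIM_COOKIE = "session=abc123";      // constructed session cookie in the victim's browser

// Constructed API server: allows only APP_ORIGIN cross-origin and treats any
// request carrying the session cookie as authenticated.
function apiServer(req) {
  const headers = { vary: "Origin" };
  if (req.headers.origin === APP_ORIGIN) {
    headers["access-control-allow-origin"] = APP_ORIGIN;
    headers["access-control-allow-credentials"] = "true";
    headers["access-control-allow-methods"] = "GET, POST, DELETE";
  }
  if (req.method === "OPTIONS") return { status: 204, headers, body: "" };
  if ((req.headers.cookie || "") !== VICTIM_COOKIE) return { status: 401, headers, body: "login required" };
  if (req.method === "DELETE") return { status: 200, headers, body: "account deleted" };
  return { status: 200, headers, body: JSON.stringify({ balance: 1234 }) };
}

// Fetch-spec "simple" request: GET/HEAD/POST with safelisted headers (only
// content-type is modelled); anything else gets an OPTIONS preflight first.
function needsPreflight(method, headers) {
  if (!["GET", "HEAD", "POST"].includes(method)) return true;
  const ct = headers["content-type"];
  const safe = ["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"];
  return Boolean(ct) && !safe.includes(ct);
}

// Browser-side check: may the page at pageOrigin read this response?
function responseAllowed(res, pageOrigin, withCredentials) {
  const acao = res.headers["access-control-allow-origin"];
  if (acao === undefined) return false;
  if (acao === "*") return !withCredentials;   // "*" is refused for credentialed requests
  if (acao !== pageOrigin) return false;
  return !withCredentials || res.headers["access-control-allow-credentials"] === "true";
}

// Model of a browser running fetch(url, opts) from a page at pageOrigin (cross-origin case).
// Reports whether the real request reached the server and whether the page could read the reply.
function browserFetch(pageOrigin, url, opts, server, cookieJar) {
  const method = (opts.method || "GET").toUpperCase();
  const headers = Object.assign({}, opts.headers || {}, { origin: pageOrigin });
  const target = new URL(url).origin;
  const withCredentials = opts.credentials === "include";
  if (withCredentials && cookieJar[target]) headers.cookie = cookieJar[target];
  if (needsPreflight(method, headers)) {
    const pre = server({ method: "OPTIONS", headers: { origin: pageOrigin, "access-control-request-method": method } });
    const methods = (pre.headers["access-control-allow-methods"] || "").split(",").map((s) => s.trim());
    if (!responseAllowed(pre, pageOrigin, withCredentials) || !methods.includes(method)) {
      return { sent: false, readable: false, body: null };   // blocked before the real request
    }
  }
  const res = server({ method, headers });
  const readable = responseAllowed(res, pageOrigin, withCredentials);
  return { sent: true, readable, body: readable ? res.body : null };
}

// Model of curl / Postman / a server-side proxy: no Origin, no CORS enforcement,
// but also none of the victim's cookies unless the attacker already has them.
function nonBrowserFetch(url, opts, server) {
  const res = server({ method: (opts.method || "GET").toUpperCase(), headers: opts.headers || {} });
  return { sent: true, readable: true, status: res.status, body: res.body };
}

// The four situations the comment above describes, run against the constructed server.
function scenarios() {
  const jar = { [API_ORIGIN]: VICTIM_COOKIE };
  const balanceUrl = API_ORIGIN + "/balance";
  const accountUrl = API_ORIGIN + "/account";
  return {
    legit: browserFetch(APP_ORIGIN, balanceUrl, { credentials: "include" }, apiServer, jar),
    appDelete: browserFetch(APP_ORIGIN, accountUrl, { method: "DELETE", credentials: "include" }, apiServer, jar),
    evilRead: browserFetch(EVIL_ORIGIN, balanceUrl, { credentials: "include" }, apiServer, jar),
    evilDelete: browserFetch(EVIL_ORIGIN, accountUrl, { method: "DELETE", credentials: "include" }, apiServer, jar),
    proxyNoCookie: nonBrowserFetch(balanceUrl, {}, apiServer),
  };
}

console.log(JSON.stringify(scenarios(), null, 2));
```

Running it shows the split the comment makes: the evil page's plain GET is still sent with the victim's cookie and CORS only withholds the response from the script; its DELETE never leaves the browser because the preflight fails; and the proxy route reads the reply freely but gets a 401, because it carries no session. The first of these is the caveat a practitioner should keep in mind: CORS does not stop a cookie-authenticated simple request with side effects from reaching the server, so state-changing endpoints still need CSRF tokens or SameSite cookies on top of it.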
Joe Hill

Skill issue perhaps?

José Pablo Ramírez Vargas • Edited

Agreed. CORS is a security feature that exists in browsers, but it doesn't prevent data theft: use Postman, which doesn't implement CORS, and you'll see (if you don't believe me).

UPDATE

Maybe CORS is useful to prevent malicious software. That's about it. For example, CORS assists in the enablement of SharedArrayBuffer.

My agreement still stands for everything else.

Paul

L take my dude

david duymelinck

What is the harm you mention? Time to set up the different environments? Tests failing?

Once there is a good development setup, I don't see any harm?

Martin Jirasek

Sure, you can proxy, but a little trust in the request source is better than nothing.
What's hard about implementing it?