Johannes Millan

CORS is a waste of time – Change my mind!

After spending a considerable amount of time dealing with CORS issues throughout the years, I came to the conclusion that CORS does more harm than it does good, since it can be bypassed by a simple proxy most of the time. Change my mind!

Top comments (8)

Dave Cridland

The idea of CORS is this:

If I put a link (or a form, or some javascript) on another website, under my control, then I can cause your browser to hit an API you may have credentials on via session tokens or similar, and cause an effect under my control that you didn't intend, and may not even be aware of.

But, if CORS is in effect, then the browser will either check beforehand, or get rejected, because you're on my evil website, not the correct client web app.

So it's not protecting the API from the attacker, which you appear to be concerned about - that could indeed be bypassed trivially with a proxy or just the right headers set on curl. It's protecting the end-user from malicious third-party websites.
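
The preflight-then-reject behaviour Dave describes, as an added example that is not part of this thread: a server-side allowlist that decides which CORS headers (if any) to attach to a response, so the browser only lets the "correct client web app" read it. The origins, allowed methods/headers and the sample request objects are constructed for illustration.

```javascript
// Added illustration, not code from the thread. Allowlist values are constructed.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);
const ALLOWED_METHODS = ["GET", "POST"];
const ALLOWED_HEADERS = ["content-type", "authorization"];

// Decide which CORS response headers to emit for one incoming request.
// Returns {} for origins not on the allowlist: the browser then blocks the
// page's script from reading the response, or (after a failed preflight)
// never sends the real request at all.
function corsHeadersFor(req) {
  const origin = req.headers.origin;
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return {};
  const base = {
    "Access-Control-Allow-Origin": origin, // echo a vetted origin, never "*" with credentials
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin", // shared caches must key the response by origin
  };
  if (req.method !== "OPTIONS") return base;
  // Preflight: the browser asks permission before e.g. a JSON POST with cookies.
  const wanted = (req.headers["access-control-request-method"] || "").toUpperCase();
  if (!ALLOWED_METHODS.includes(wanted)) return {};
  const asked = (req.headers["access-control-request-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  if (!asked.every((h) => ALLOWED_HEADERS.includes(h))) return {};
  return {
    ...base,
    "Access-Control-Allow-Methods": ALLOWED_METHODS.join(", "),
    "Access-Control-Allow-Headers": ALLOWED_HEADERS.join(", "),
    "Access-Control-Max-Age": "600",
  };
}

// Constructed sample preflights: one from the real client app, one from a
// third-party page that tries to trigger the same POST in the victim's browser.
const fromClientApp = {
  method: "OPTIONS",
  headers: {
    origin: "https://app.example.com",
    "access-control-request-method": "POST",
    "access-control-request-headers": "Content-Type",
  },
};
const fromThirdParty = {
  ...fromClientApp,
  headers: { ...fromClientApp.headers, origin: "https://other-site.example" },
};
```

The third-party preflight gets no `Access-Control-*` headers back, so the browser refuses to send the POST; the allowlisted app gets them and proceeds.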

Jan Küster 🔥

This applies especially when you have social websites where users are allowed to create and embed custom content, such as dev.to 🤪

This is why many sites simply positive-list only allowed embeds or strip iframes or other includes entirely.

However, on your dev journey it's good to learn CORS because there will be the day where you will have to deal with it.

Joe Hill

Skill issue perhaps?

José Pablo Ramírez Vargas

Agreed. CORS is a security feature that exists in browsers, but doesn't prevent data theft: use Postman, which doesn't implement CORS, and you'll see (if you don't believe me).

UPDATE

Maybe CORS is useful to prevent malicious software. That's about it. For example, CORS assists in the enablement of SharedArrayBuffer.

My agreement still stands for everything else.

Kevin Naidoo

CORS does offer some security benefits, but oh my word, is it annoying? Sometimes I just want to run "npm run dev" and not Nginx or the whole Docker setup. Even on localhost you still get annoying CORS issues.

Previously we could just start the browser with: "--disable-web-security". This would allow localhost calls without CORS issues but I think they removed this at some point.

Paul

L take my dude

david duymelinck

What is the harm you mention? Time to set up the different environments? Tests failing?

Once there is a good development setup, I don't see any harm?

Martin Jirasek

Sure, you can proxy, but a little trust in the request source is better than nothing.
What's hard about implementing it?
