Hacker News

d--b today at 6:56 AM, 2 replies

A CORS protected endpoint tells YOUR BROWSER not to let YOU access its content if the website you’re browsing from is not whitelisted.

It’s confusing because, unlike most security features, it’s meant to protect the users from themselves. The risk comes from a combination of users being allowed to visit malevolent sites and browsers letting all websites do a lot of random stuff, including making third-party requests with cookies and private stuff.


Replies

IceDane today at 9:12 AM

Like the sibling said: CORS is the relaxation of default security features. It's even in the name: Cross-Origin Resource Sharing.

user43928 today at 7:49 AM

Isn't it arguably the opposite?

A CORS header in the response tells your browser to relax CORS restrictions.
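To make the point of the last two replies concrete, here is an added example (not posted by anyone in the thread) of the server side of CORS as a plain decision function. The allowlist, origin names and the `corsHeaders` / `auditCorsResponse` function names are assumptions for illustration. With no `Access-Control-Allow-Origin` header in the response, the browser's default applies and the calling page never sees the body; the header is what relaxes that default, and only for the origin it names.

```javascript
// Added example, not from the thread. Assumed allowlist of trusted origins.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// Given the request's Origin header (undefined for same-origin or non-browser
// requests) return the response headers the server should add.
// No match -> no Access-Control-Allow-Origin -> the browser keeps its default
// and refuses to hand the response to the page, even though the server sent it.
function corsHeaders(origin, allowed = ALLOWED_ORIGINS) {
  const headers = { Vary: "Origin" }; // caches must not mix per-origin answers
  if (origin && allowed.has(origin)) {
    headers["Access-Control-Allow-Origin"] = origin;
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers;
}

// Review check for a response already produced by some other server: is it
// relaxing the default for an origin that is not on the allowlist while also
// allowing cookies? That combination lets any site the user visits read the
// user's authenticated data, which is the risk the default exists to prevent.
function auditCorsResponse(requestOrigin, responseHeaders, allowed = ALLOWED_ORIGINS) {
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  const creds = responseHeaders["Access-Control-Allow-Credentials"] === "true";
  if (acao === undefined) return "default-applies";          // browser blocks
  if (acao === "*") return creds ? "invalid" : "public-no-credentials";
  if (acao === requestOrigin && !allowed.has(requestOrigin)) {
    return creds ? "reflected-with-credentials" : "reflected";
  }
  return allowed.has(acao) ? "allowlisted" : "unexpected-origin";
}

// Constructed sample requests for a quick look at the behaviour.
const SAMPLE_ORIGINS = [undefined, "https://app.example.com", "https://untrusted.example"];
for (const origin of SAMPLE_ORIGINS) {
  const sent = corsHeaders(origin);
  console.log(origin ?? "(no Origin)", sent, auditCorsResponse(origin, sent));
}
```

The audit verdict `reflected-with-credentials` is the one to look for when reviewing a framework's "allow any origin" setting: echoing the request's Origin together with `Allow-Credentials: true` is the configuration that undoes the browser default the first comment describes.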