
debazel, today at 10:47 AM (2 replies)

Is there a reason this has to happen client side with extra pre-flight requests? Taking your example, why couldn't Facebook's server just check the origin header and then reject all requests from unapproved origins server side instead?

Replies

bazoom42, today at 1:08 PM

It is the difference between opt-in and opt-out.

Servers certainly can (and probably should) check request origin. But it is not something they usually do, since cross-domain requests from JavaScript weren't possible before CORS.

If support for cross-domain requests were introduced in browsers without requiring opt-in from servers, most sites would not be prepared against this new risk. It would open massive security issues across the web.

mr_toad, today at 2:23 PM

It’s mostly for backwards compatibility. Sites don’t always check the request origin; the browser’s SOP mitigates that problem on behalf of the user.
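What the opt-in model looks like from the server side, as an added example that is not code from any of the commenters: a request handler that keeps an explicit allow-list of origins, answers the browser's preflight (`OPTIONS` with `Access-Control-Request-Method`) only for listed origins, and also rejects the actual request from an unlisted origin with a 403 rather than relying on the browser to discard the response. The origin names, the allowed method and header sets, and the `corsDecision` / `isAllowedOrigin` function names are all constructed for this example. Two details the thread touches on are handled explicitly: a request with no `Origin` header at all (a same-origin navigation or a non-browser client) is not a CORS request and is passed through to whatever authentication the endpoint already has, and the origin comparison is an exact string match, since a substring or prefix check would accept look-alike origins.

```javascript
// Added example: server-side Origin allow-list plus CORS preflight handling.
// Sample values below are constructed for illustration.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",   // constructed sample origin
  "https://admin.example.com", // constructed sample origin
]);
const ALLOWED_METHODS = new Set(["GET", "POST", "PUT", "DELETE"]);
const ALLOWED_HEADERS = new Set(["content-type", "authorization"]);

// Exact match only. A check like origin.includes("example.com") or
// origin.startsWith(...) would accept origins the site never approved.
function isAllowedOrigin(origin) {
  return typeof origin === "string" && ALLOWED_ORIGINS.has(origin);
}

// Decide how to treat one incoming request. `req` mirrors the shape of a
// Node.js http.IncomingMessage: { method, headers } with lower-cased
// header names. Returns a plain object so it can be unit-tested without
// starting a server.
function corsDecision(req) {
  const origin = req.headers["origin"];

  // No Origin header: same-origin navigation or a non-browser client.
  // CORS does not apply; the endpoint's own auth/CSRF checks still run.
  if (origin === undefined) return { kind: "not-cors" };

  // Unlisted origin: reject server side. The browser would hide the
  // response anyway, but a state-changing POST would already have run.
  if (!isAllowedOrigin(origin)) return { kind: "reject", status: 403 };

  // Echo the single approved origin back (never "*" with credentials)
  // and tell caches the answer depends on Origin.
  const baseHeaders = {
    "Access-Control-Allow-Origin": origin,
    "Vary": "Origin",
  };

  const wantedMethod = req.headers["access-control-request-method"];
  if (req.method === "OPTIONS" && wantedMethod) {
    // Preflight: the browser asks whether the real request is permitted.
    const wantedHeaders = (req.headers["access-control-request-headers"] || "")
      .split(",")
      .map((h) => h.trim().toLowerCase())
      .filter(Boolean);
    const methodOk = ALLOWED_METHODS.has(wantedMethod.toUpperCase());
    const headersOk = wantedHeaders.every((h) => ALLOWED_HEADERS.has(h));
    if (!methodOk || !headersOk) return { kind: "reject", status: 403 };
    return {
      kind: "preflight",
      status: 204,
      headers: {
        ...baseHeaders,
        "Access-Control-Allow-Methods": [...ALLOWED_METHODS].join(", "),
        "Access-Control-Allow-Headers": [...ALLOWED_HEADERS].join(", "),
        "Access-Control-Max-Age": "600", // browser may cache this preflight for 10 min
      },
    };
  }

  // Actual cross-origin request from an approved origin: let it proceed
  // and attach the headers the browser needs to expose the response.
  return { kind: "allow", status: 200, headers: baseHeaders };
}

// Convenience wiring for http.createServer((req, res) => ...): apply the
// decision, then hand "allow" / "not-cors" requests to the real handler.
function applyCors(req, res, next) {
  const d = corsDecision(req);
  if (d.kind === "reject") {
    res.writeHead(d.status);
    res.end();
    return;
  }
  if (d.kind === "preflight") {
    res.writeHead(d.status, d.headers);
    res.end();
    return;
  }
  if (d.kind === "allow") {
    for (const [name, value] of Object.entries(d.headers)) res.setHeader(name, value);
  }
  next(req, res);
}

if (typeof module !== "undefined") {
  module.exports = { corsDecision, isAllowedOrigin, applyCors };
}
```

`applyCors` is written to drop into a plain `http.createServer` callback, with `next` being the handler that actually serves the resource; the same logic ports directly to an Express middleware. The `not-cors` branch is deliberately not treated as trusted: a missing `Origin` header only means CORS is not in play, so session and CSRF checks on the endpoint still have to do their job.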