An interesting thing about CORS is how poorly understood... | Simon Willison

Simon's posts Post Back to profile

An interesting thing about CORS is how poorly understood it is and how difficult it is to find a really clear explanation

I’m not sure I could write a clear explanation myself

The best I’ve seen is https://jakearchibald.com/2021/cors/

Like 23 August at 22:48 | Open on fedi.simonwillison.net

7 comments

@simon CORS and OAuth are the two topics I just can’t keep in my head. Every new project I struggle to set these up correctly, bang my head against it for multiple hours and finally go read up from first principles. Once it’s working I forget all about it until the next project

23 August at 22:59 | Open on social.mattburkedev.com

Daniel Lindsley

@simon I really like https://javascript.info/fetch-crossorigin 's explanation. It's long, but comprehensive (IMO).

23 August at 23:02 | Open on mastodon.social

Daniel Lindsley

@simon And while I'm at it, *cough* https://toastdriven.com/blog/2024/aug/19/django-fetch-and-cors/ *cough*

…Not that I'm any judge if it's any good or not.

23 August at 23:03 | Open on mastodon.social

yogsototh

@simon what I kept working with CORS is that it is a security measure that is very easy to circumvent. See my short post about it https://her.esy.fun/posts/0025-a-quick-cors-proxy-in-a-few-lines-of-clojure/index.html

24 August at 8:23 | Open on ieji.de

@simon indeed is cryptic. The best reference I found was this one: https://jub0bs.com/posts/2023-02-08-fearless-cors/#cors-101

But the one you shared looks nice!

24 August at 8:47 | Open on mastodon.social

happyborg

@simon I hope CORS is half as frustrating for those trying to break web security as those of us just trying to do legitimate stuff 🤦‍♂️

24 August at 8:53 | Open on fosstodon.org

jub0bs

@simon I tried my best in this section of an old post: https://jub0bs.com/posts/2023-02-08-fearless-cors/#cors-101

19 September at 13:57 | Open on infosec.exchange