If CORS is just a header, why don’t attackers just ignore it?

Zemnmez
Aug 2 · 6 min read
[Image: artist’s rendition: world before CORS]

[Image: mywebsite.com makes a request to itself, and to google.com/lookup via its backend servers as a proxy]

[Image: mywebsite.com JavaScript uses CORS to negotiate access to an API: a HEAD request confirms access]

Why don’t we just let anything request anything else and block cookies?

[Image: Yes Man (a big computer) from Fallout: New Vegas with NO GODS, NO MASTERS above it.]

Written by Zemnmez
i’m trying http://twitter.com/zemnmez
