by
felipelemos
2734 days ago
CORS is not a tool to turn resources private, but to protect the browser (not the server's content) from cross-domain requests.
2 comments
scottydelta
2734 days ago
Exactly, the attacker can always not use the browser and emulate a browser request if motivated enough.
throwawaymath
2733 days ago
Yes, that's precisely why CORS is a poor fit for authentication :)
askmike
2733 days ago
Sure, but I don't see why the tip in OP is "don't use CORS". To me that implies there is actually something insecure about using it.
throwawaymath
2733 days ago
Yeah, you can use CORS securely; there are just pitfalls to look out for.