[arcbyte]

I never understood the difficulty with CORS. It's dirt simple: don't send requests across domain names. And if you do, make sure you return header(s) from the target resource to specifically allow the origin to request it.

All the difficulty seems to be people trying to do crazy, esoteric things there's no good reason to be doing in the first place.

[politician]

There's a lot of arcana that you're skipping over. It's easy to get CORS partially working on your development machine only to watch it fail in production or only fail on certain browsers or certain ports. There's silly things that need to happen if your application receives traffic from multiple domains. Our CORS middleware is ~100 LOC.

[capableweb]

> Our CORS middleware is ~100 LOC

What?! For responding to OPTIONS requests and setting the right header on responses from your backend?

I don't really see the problems you're citing to be a cause of "complexity in CORS" either, but more not having a proper development setup or similar. CORS is specifically about domains. As long as you set the frontend domain as accepted origin in your responses from the backend (and respond to OPTIONS), you're good to go.

[blacktriangle]

I wouldn't call trying to write a web app that aggregates across multiple services on the client-side doing something crazy.

[capableweb]

But what does that have to do with CORS? If you're just writing the client-side code (what runs in the browser), then you have no control over 3rd party origins, hence either you can use their API or not. Unless you write your own backend also, and then supporting CORS is trivial.

[arcbyte]

That's very crazy. The fact that you don't think it's crazy is a sign of hoe ludicrous front end development has gotten.

[jeswin]

If I'm writing say a code editor on example.com, is it "crazy" that I'd want to fetch a list of projects from GitHub.com?

What are you saying?

[cyphar]

Why do you need to run that on the client? And even if you do need to run it on the client for some reason, GitHub has APIs that you could use which have an allow-all CORS policy (as all APIs do).

CORS is defending against a particular class of attack, which is indistinguishable from the scenario you outlined: evilexample.com wants to get access to your private repos on GitHub (which can be reached purely through GET requests).

[jeswin]

The post I was replying to seemed to be saying that invoking multiple services from the client is "a sign of how ludicrous front end development has gotten."

> Why do you need to run that on the client?

Because it's a good idea (less wasteful) to do that on the client. Rather than wasting bandwidth rerouting it via my own server.