[blacktriangle]

I wouldn't call trying to write a web app that aggregates across multiple services on the client-side doing something crazy.

[capableweb]

But what does that have to do with CORS? If you're just writing the client-side code (what runs in the browser), then you have no control over 3rd party origins, hence either you can use their API or not. Unless you write your own backend also, and then supporting CORS is trivial.

[arcbyte]

That's very crazy. The fact that you don't think it's crazy is a sign of hoe ludicrous front end development has gotten.

[jeswin]

If I'm writing say a code editor on example.com, is it "crazy" that I'd want to fetch a list of projects from GitHub.com?

What are you saying?

[cyphar]

Why do you need to run that on the client? And even if you do need to run it on the client for some reason, GitHub has APIs that you could use which have an allow-all CORS policy (as all APIs do).

CORS is defending against a particular class of attack, which is indistinguishable from the scenario you outlined: evilexample.com wants to get access to your private repos on GitHub (which can be reached purely through GET requests).

[jeswin]

The post I was replying to seemed to be saying that invoking multiple services from the client is "a sign of how ludicrous front end development has gotten."

> Why do you need to run that on the client?

Because it's a good idea (less wasteful) to do that on the client. Rather than wasting bandwidth rerouting it via my own server.