by pseudotrash 1028 days ago
I love Firefox. The only time I struggle, it's because it is the only browser today that correctly implements CORS. This is a good thing. But it means broken middle boxes and MiTM enterprise tech (like Zscaler) should fix their stuff rather than pointing their smelly fingers at Firefox.

Mozilla should up its game in educating the public that Edge and Chrome aren't following the standards correctly. This seems IMHO pretty important in a world where everything relies on the browser to sandbox things.

5 comments

> it's because it is the only browser today that correctly implements CORS

What's the difference in their CORS implementations? As far as I know all three major browser engines follow the modern spec.

Firefox correctly implements the behaviour when CORS is not properly configured, rather than failing to "the old way".

Huh? If I have a resource I serve without Access-Control-Allow-Origin headers, all three browser engines won't make it available in cross-origin contexts. [1]

For example, here are a pair of pages which make a cross-origin fetch for a resource that either does (yes-cors) or does not (no-cors) opt into cross-origin resource sharing. In all three browsers yes-cors displays the contents of the resource, and no-cors (correctly) displays "error".

https://www.kingfisherband.com/test/yes-cors

https://www.kingfisherband.com/test/no-cors

[1] With the exception of some standardized legacy cross-origin contexts like images, but then they all protect the contents in the same way.
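
The rule the comment above relies on (a cross-origin response reaches page script only when it opts in), as an added example that is not part of the original thread: a simplified form of the Fetch standard's CORS check, run over constructed response headers. The function names, the origin `https://app.example` and the sample responses are hypothetical.

```javascript
// Added example, not from the thread: simplified "CORS check" (Fetch standard).
// headers: array of [name, value] pairs as received (constructed input).
function getHeader(headers, name) {
  const values = headers
    .filter(([n]) => n.toLowerCase() === name.toLowerCase())
    .map(([, v]) => v.trim());
  // Repeated headers combine with ", "; an absent header yields null.
  return values.length ? values.join(", ") : null;
}

// requestOrigin: serialized origin of the calling page.
// credentialsMode: "omit" | "same-origin" | "include" (fetch() credentials).
function corsCheck(requestOrigin, credentialsMode, headers) {
  const allowOrigin = getHeader(headers, "Access-Control-Allow-Origin");
  if (allowOrigin === null) return false;            // no opt-in: blocked
  if (credentialsMode !== "include" && allowOrigin === "*") return true;
  if (allowOrigin !== requestOrigin) return false;   // exact, case-sensitive
  if (credentialsMode !== "include") return true;
  // Credentialed requests also need an explicit second opt-in.
  return getHeader(headers, "Access-Control-Allow-Credentials") === "true";
}

// What page script observes: the body on success, "error" otherwise.
function visibleToPage(requestOrigin, credentialsMode, response) {
  return corsCheck(requestOrigin, credentialsMode, response.headers)
    ? response.body
    : "error";
}

// Constructed responses modelled on an opted-in and a non-opted-in resource.
const ORIGIN = "https://app.example";
const optedIn = {
  headers: [["Access-Control-Allow-Origin", "*"]],
  body: "resource contents",
};
const notOptedIn = { headers: [["Content-Type", "text/plain"]], body: "secret" };
const duplicated = {
  headers: [
    ["Access-Control-Allow-Origin", ORIGIN],
    ["Access-Control-Allow-Origin", ORIGIN], // e.g. added twice by a proxy
  ],
  body: "resource contents",
};

console.log(visibleToPage(ORIGIN, "same-origin", optedIn));
console.log(visibleToPage(ORIGIN, "same-origin", notOptedIn));
console.log(visibleToPage(ORIGIN, "same-origin", duplicated));
```

The duplicated-header case is the one intermediaries tend to produce: two identical `Access-Control-Allow-Origin` values combine into a single string that no longer matches the origin, so the check fails.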

> Mozilla should up its game in educating the public that Edge and Chrome aren't following the standards correctly.

I don’t think most people care about this. What they may care about is whether something works on their default browser, which is likely to be Edge or Safari or Chrome. Mozilla should instead target Microsoft and Google on the standards tracks and in forums where discussions on standards (and on security) happen.

Yeah, never gonna happen. The same reason browsers support broken markup: users are much happier when their browser works in the face of noncompliant sites than if it were to throw its hands up and say “this site doesn't work, use <other browser>”

The public doesn't care about those things and this would be a waste of time and money and brand attention span on the part of Mozilla.

Ultimately we have already passed the point where the web is defined by what Chrome (and to a limited extent what MobileSafari) does.

You don’t need to convince the general public on these points, just a large enough subset (like nerds). This situation has happened before with Internet Explorer, and can be fixed again.

Isn't that what the CORS Everywhere extension is for? Or am I misunderstanding.

One of the problems with promoting standards is that standards are made by imperfect committees. And they can solve a different problem than exists in the real world.

> One of the problems with promoting standards is that standards are made by imperfect committees. And they can solve a different problem than exists in the real world.

Which solution are you suggesting? Not having a standard?