by davidfiala
660 days ago
Ideally TFA would have also explained why some requests do go through without a preflight. What's called a 'simple' request is the explanation behind TFA's whole premise. https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simpl... These days, pretty much everything requires a non-simple request in order to invoke an action, regardless of whether the client can read the result. Agreed in spirit though that CORS is annoying to use, and it's always worth consulting the manual.
> pretty much everything requires a non-simple request in order to invoke an action
Except for POST requests such as in forms. They may be a little out of fashion with JS-based frontends and JSON APIs, but I would consider it a pretty gaping hole. If the list could be reduced to just HEAD and GET requests I would consider it a pretty complete protection. But POST seems like too big of a hole. (Although if you can block all requests that are POST with a "simple" Content-Type then you unlock a pretty robust protection.)
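The following is an added example, not code from either commenter, showing what the policy suggested in the reply above looks like on the server side: a state-changing endpoint refuses any request that has the shape of a CORS "simple" request (simple method plus a simple or missing Content-Type), because a browser would have sent such a request to any origin without a preflight, and additionally rejects requests whose Origin header is not on an allow-list, since browsers attach Origin even to simple cross-origin POSTs. The request objects, the origins `https://api.example` (the API's own origin) and `https://app.example` (a permitted cross-origin caller), and the function names are all assumptions for the demonstration; it is plain JavaScript with no framework.

```javascript
// Added example (not from the thread): refuse state-changing requests that
// could have reached us without a CORS preflight.

// Content types a browser may send cross-origin without a preflight.
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// Methods a browser may send cross-origin without a preflight.
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);

// Origins allowed to call this API from a browser (assumed placeholder values:
// the API's own origin plus one permitted front-end origin).
const ALLOWED_ORIGINS = new Set(["https://api.example", "https://app.example"]);

// Reduce "text/plain; charset=UTF-8" or "multipart/form-data; boundary=..."
// to the bare media type, lower-cased, so parameters cannot sneak a simple
// type past the check.
function contentTypeEssence(value) {
  return String(value || "").split(";")[0].trim().toLowerCase();
}

// Case-insensitive header lookup over a plain object of headers.
function header(headers, name) {
  const wanted = name.toLowerCase();
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() === wanted) return v;
  }
  return undefined;
}

// True when the request has the shape of a CORS simple request, i.e. a script
// on any origin could have sent it without a preflight. Only method and
// Content-Type are inspected: a server cannot tell which received headers the
// script set and which the browser added, so it errs on the side of "simple".
function looksSimple(req) {
  if (!SIMPLE_METHODS.has(req.method.toUpperCase())) return false;
  const ct = contentTypeEssence(header(req.headers, "content-type"));
  return ct === "" || SIMPLE_CONTENT_TYPES.has(ct);
}

// Policy for a state-changing endpoint. Returns a status code plus a reason
// string so the caller can log rejections for detection purposes.
function decideStateChange(req) {
  const method = req.method.toUpperCase();
  if (method === "GET" || method === "HEAD") {
    return { status: 405, reason: "state changes must not use safe methods" };
  }
  const origin = header(req.headers, "origin");
  if (origin !== undefined && !ALLOWED_ORIGINS.has(origin)) {
    // Browsers send Origin on simple cross-origin POSTs too, so a forged
    // form submission is caught here even though no preflight happened.
    return { status: 403, reason: `origin not allowed: ${origin}` };
  }
  if (looksSimple(req)) {
    // HTML form or fetch() with a simple Content-Type: no preflight, so the
    // server never had the chance to refuse it via Access-Control-* headers.
    return { status: 415, reason: "use a non-simple Content-Type such as application/json" };
  }
  return { status: 200, reason: "ok" };
}

// Constructed sample requests (not captured traffic), one per case.
const SAMPLE_REQUESTS = {
  crossSiteForm: { method: "POST", headers: { Origin: "https://other.example", "Content-Type": "application/x-www-form-urlencoded" } },
  sameOriginForm: { method: "POST", headers: { Origin: "https://api.example", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8" } },
  multipartNoOrigin: { method: "POST", headers: { "Content-Type": "multipart/form-data; boundary=xyz" } },
  textPlainFetch: { method: "POST", headers: { Origin: "https://app.example", "Content-Type": "text/plain" } },
  missingContentType: { method: "POST", headers: {} },
  jsonFetch: { method: "POST", headers: { Origin: "https://app.example", "Content-Type": "application/json" } },
  putJson: { method: "PUT", headers: { Origin: "https://app.example", "Content-Type": "application/json" } },
  plainGet: { method: "GET", headers: {} },
};

for (const [name, req] of Object.entries(SAMPLE_REQUESTS)) {
  const d = decideStateChange(req);
  console.log(`${name}: ${d.status} (${d.reason})`);
}
```

Note the trade-off the reply itself hints at: the same-origin HTML form in the samples is rejected too, so this policy only suits APIs whose legitimate clients send JSON (or another non-simple type); an application that still serves classic forms needs a CSRF token on those forms instead. The check also only raises the bar for browser-originated requests; a non-browser client can set any Content-Type or Origin it likes, so authentication and authorisation still apply as usual.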