Honest web dev question:

Why is CORS necessary? If the cookies, etags, cache, etc. were completely separated from those used for first-party requests to the site, what would be the security issue with allowing fetch() for any URL?

Allowing the fetching of any URL from the frontend, regardless of CORS headers, would:
- Reduce the server costs/load for a lot of web apps
- Improve user experience due to a faster response time for external URLs that currently need to be fetched through a proxy/backend
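For readers following the question above, here is an added example (constructed for this thread, not code posted by any participant) showing what a CORS header check actually decides: a server-side allowlist that only reflects approved origins, and the browser-side check from the Fetch standard that gates whether script may read a cross-origin response. The origins and allowlist are made-up sample values.

```javascript
// Added example: the two halves of a CORS check. Browser-side logic follows
// the Fetch standard's "CORS check"; the server side is a minimal allowlist.
// Constructed for this thread; not code from any of the participants.

// Server side: reflect the request's Origin only if it is allowlisted.
// Returns the response headers to send (plain object, lower-case keys).
function corsHeadersFor(requestOrigin, allowedOrigins, allowCredentials) {
  const headers = { vary: "Origin" }; // shared caches must key on Origin
  if (!allowedOrigins.includes(requestOrigin)) return headers; // no ACAO => opaque to JS
  headers["access-control-allow-origin"] = requestOrigin;
  if (allowCredentials) headers["access-control-allow-credentials"] = "true";
  return headers;
}

// Browser side: may script running on `requestOrigin` read this response?
// `credentials` is true when fetch() was called with credentials: "include".
// Note: by this point the request has already reached the server; for a
// simple request CORS gates reading the response, not sending the request.
function corsCheck(requestOrigin, credentials, responseHeaders) {
  const acao = responseHeaders["access-control-allow-origin"];
  if (acao === undefined) return { allowed: false, reason: "no Access-Control-Allow-Origin" };
  if (Array.isArray(acao)) return { allowed: false, reason: "multiple ACAO values" };
  if (!credentials && acao === "*") return { allowed: true, reason: "wildcard, no credentials" };
  if (acao !== requestOrigin) return { allowed: false, reason: `ACAO ${acao} != ${requestOrigin}` };
  if (!credentials) return { allowed: true, reason: "origin matches" };
  const acac = responseHeaders["access-control-allow-credentials"];
  if (acac !== "true") return { allowed: false, reason: "credentialed request without ACAC: true" };
  return { allowed: true, reason: "origin matches and credentials allowed" };
}

// Worked scenarios on constructed origins.
const ALLOWLIST = ["https://app.example"];

function scenarios() {
  const ok = corsHeadersFor("https://app.example", ALLOWLIST, true);
  const denied = corsHeadersFor("https://other.example", ALLOWLIST, true);
  return {
    allowlisted: corsCheck("https://app.example", true, ok).allowed,        // true
    notAllowlisted: corsCheck("https://other.example", true, denied).allowed, // false
    wildcardAnon: corsCheck("https://any.example", false, { "access-control-allow-origin": "*" }).allowed,  // true
    wildcardCreds: corsCheck("https://any.example", true, { "access-control-allow-origin": "*" }).allowed,  // false
  };
}
```

The last two scenarios show why a wildcard cannot be combined with credentials: a response readable by every origin must not carry the user's cookies.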

@booligoosh tbh I think there is also an unspoken "business" reason behind this, namely a way to prevent YOUR service from accessing MY "public" server. I haven't found this in any of the official explanations, but I would be shocked if it wasn't some kind of consideration during the original discussions. But basically it is a way to provide a "public" resource that still requires users to give the owners of that resource, like, ad traffic.

@booligoosh web developers asking questions like this is why I always block JS; it makes me scared.

@sotolf @booligoosh Asking questions is probably the last thing we should be discouraging :)

Here’s a discussion with lots of valuable information on the subject: security.stackexchange.com/que

@aral @booligoosh asking, sure; giving arguments for not wanting to have it was also a part of the chain. I see no reason for anyone to want less security on the web.

@aral @sotolf @booligoosh Great question, I was wondering the same thing; always found it frustrating, will check out the Q&A.

Fosstodon