Honest web dev question:
Why is CORS necessary? If the cookies, etags, cache, etc. were completely separated from those used for first-party requests to the site, what would be the security issue with allowing fetch() for any URL?
@booligoosh tbh I think there is also an unspoken "business" reason behind this, namely a way to prevent YOUR service from accessing MY "public" server. I haven't found this in any of the official explanations, but I would be shocked if it wasn't some kind of consideration during the original discussions. But basically it is a way to provide a "public" resource that still requires users to give the owners of that resource, like, ad traffic.
Here’s a discussion with lots of valuable information on the subject: https://security.stackexchange.com/questions/8264/why-is-the-same-origin-policy-so-important