Honest web dev question:

Why is CORS necessary? If the cookies, etags, cache, etc. were completely separated from those used for first-party requests to the site, what would be the security issue with allowing fetch() for any URL?

Allowing the fetching of any URL from the frontend, regardless of CORS headers, would:
- Reduce the server costs/load for a lot of web apps
- Improve user experience due to a faster response time for external URLs that currently need to be fetched through a proxy/backend


Let me know if I'm missing something!!

@booligoosh tbh I think there is also an unspoken "business" reason behind this, namely a way to prevent YOUR service from accessing MY "public" server. I haven't found this in any of the official explanations, but I would be shocked if it wasn't some kind of consideration during the original discussions. But basically it is a way to provide a "public" resource that still requires users to give the owners of that resource like, ad traffic
