Computer networks
Roman Makarov, 2015-10-17 02:09:47

Why do you need CORS?

There was a discussion just now. Why is this CORS needed? After all, it in fact allows JS code to send data to any server, and that server, in turn, decides whether to accept the data or not. I.e., it's like walking up to a stranger on the street and saying "here is the number and PIN of my card: xxxxxxxxxx".


1 answer(s)
Stalker_RED, 2015-10-17
@vollossy

1. JS can send data anywhere, GET request, for example.
2. CORS is needed in order to allow the CLIENT (browser) to accept certain types of resources.
Traditionally, a browser can include images, iframes, scripts, and flash from other domains, but cannot use ajax or web fonts unless that domain is on the server's Access-Control-Allow-Origin list.
UPD: I'll add more, since, judging by the comments, some people have a distorted idea of CORS.
To begin with, it is worth understanding that CORS is a way to bypass the same origin policy.
Once upon a time, back in the days of Win95, to make XSS and phishing harder, Netscape introduced restrictions on scripts executed in the browser. A little later, other browsers also caught up.
Put simply, it works like this: Vasily opened an online store "windows, balcony, cheap, without SMS" and inserted an iframe widget from PayPal, for example. Same origin protects this iframe: Vasya's scripts cannot affect its content.
The same holds in the other direction: the site has put some third-party informer widget in an iframe, and that informer's scripts cannot affect the main site.
Sometimes you need to load resources from your own subdomains or from partner domains. And if you need access to those resources, you use CORS to lift the same origin restriction.
In any case, CORS is just additional headers returned by the server. They will not prevent "third parties" from gaining access to these resources. As a last resort, they can be downloaded with wget.
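
Added example, not part of the answer above: a simplified JavaScript model of the check a browser runs on the response to a simple (non-preflighted) cross-origin request. It shows that the server handles the request either way and that only a browser enforces the headers. The server, the origins and the response body are constructed for illustration.

```javascript
// Added example: simplified model of the Fetch "CORS check" for a simple
// cross-origin request. All names, origins and data are constructed.

// Hypothetical server: it processes every request it receives and lists
// only one partner origin in Access-Control-Allow-Origin.
const received = [];
function server(request) {
  received.push(request.body);            // side effect happens regardless of CORS
  const headers = {};
  if (request.origin === 'https://partner.example') {
    headers['access-control-allow-origin'] = request.origin;
    headers['access-control-allow-credentials'] = 'true';
  }
  return { status: 200, headers, body: 'profile-data' };
}

// The check the browser applies before exposing a response to page script.
function corsCheck(origin, headers, credentials) {
  const allow = headers['access-control-allow-origin'];
  if (allow === undefined) return false;                    // no header: blocked
  if (credentials !== 'include' && allow === '*') return true;
  if (allow !== origin) return false;                       // must match exactly
  if (credentials !== 'include') return true;
  return headers['access-control-allow-credentials'] === 'true';
}

// Browser fetch from a page at `origin`: the request is sent first, the
// check only decides whether the page's script may read the response.
function browserFetch(origin, body, credentials = 'same-origin') {
  const response = server({ origin, body });
  return corsCheck(origin, response.headers, credentials)
    ? { readable: true, body: response.body }
    : { readable: false, body: null };
}

// Non-browser client (wget, curl): no same origin policy, headers are ignored.
function plainClient(body) {
  return server({ origin: null, body }).body;
}
```

Because the request reaches the server before the check runs, the headers protect what a page's script can read, not what the server receives; server-side access control has to be enforced separately.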
