Answer the question
In order to leave comments, you need to log in
Why doesn't CORS protect form submission?
To make sure that the post request comes from the current site, we came up with tokens. If there is no token in the cookie, then the form was sent from another site.
Why not just prevent the form from being submitted if the two sources are different. Why does CORS only protect ajax fetch?
Answer the question
In order to leave comments, you need to log in
Not necessary. The goal of all protection is to prevent obtaining data from another site or performing actions on it from under an authenticated user. Even AJAX requests to another site pass, but the browser will not give access to the result if the CORS headers are invalid. And without executing the request, there is no way to find out what the headers are.
To make sure that the post request comes from the current site, we came up with tokens. If there is no token in the cookie, then the form was sent from another site.This is tantamount to a lack of protection. Cookies will be set automatically by the browser and the verification will pass. Therefore, the token must be transmitted in the form itself.
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question