Lobsters is a community-driven platform for sharing and discussing links to articles, tutorials, and projects related to technology and programming. Readers can learn about a wide range of topics, from software development and system administration to cybersecurity and artificial intelligence. With user submissions, comments, and voting, Lobsters provides a platform for collaborative learning and knowledge sharing among technology enthusiasts.

Lobsters

CORS (Cross-Origin Resource Sharing) attempts to mitigate web security issues caused by implicit credentials in cross-origin requests. Despite its flexibility, it doesn't fully solve the problem of cross-site request forgery (XSRF). A recommended solution is to use explicit credentials like API tokens and setting same-site attributes on cookies. Additionally, implementing server middleware to block implicit credentials can enhance security.

CORS is Stupid

CORS are not just due because of Session Management. They are great protection against fishing attacks as well.
You cannot just rely on a developer to implement it correctly, since that is a huge risk as unfortunately not everyone will be informed about this topic, nor do it correctly.
CORS are quite sophisticated and not having to worry about the security issues is great. Sometimes cors gets in the way, but in that case you could just change your CSP to allow your use case. Obviously, to do so you need to be the owner of the website, or otherwise you are trying to use the website in an intended way.

For some reason, I’d want to agree with you.
Like, isn’t the whole point access restriction?
All this could be done with actual code.

“CORS is stupid” feels vapid
Nothing in tech is inherently stupid. Most of the time when it’s called stupid it’s because the dev saying so doesn’t understand it.
In this case you are literally advocating that all devs do more work instead of letting just the browser devs implement a lockdown mechanism and default server software to apply the same.
CORS isn’t hard to setup for a domain and the only people i see having trouble with it are devs who only know how to test endpoints using postman instead of writing code that actually talks to the endpoints, or devs who do not know how to setup their own endpoints in the first place. This means it’s a lack of knowledge, not even skill.
Learning CORS is something you can do in an afternoon for your specific codebase and needs. It’s slightly different per stack, but in the end all code is close enough and you can ask whatever AI tool you use to give you the correct syntax for it.
CORS is not stupid. Learn it. Move on.

As a PenTester, I’ve worked for a company that had two projects… One using ColdFusion, the other Grails. While I was able to pull of a CSRF attack on CF, I couldn’t pull off any similar attacks on their Grails application. Grails backed in CORS options as a mitigation strategy and it worked. IMO, any idea to rely on middleware is just asking for yet another problem. That said, the correction made in CF against CSRF was a home grown solution and it worked just as good at mitigating the CSRF exploits being used. I did advise the company to also add same-site cookies and CSP to further harden their approach, but the built in CORS was a nice touch and it’s easy to enable: <a href="https://www.360learntocode.com/2022/07/how-to-enable-cors-in-grails-application.html" target="_blank" rel="noopener nofollow">https://www.360learntocode.com/2022/07/how-to-enable-cors-in-grails-application.html</a>
I’m all for solutions, and as such I can’t agree that “CORS is stupid.” It works in frameworks like Grails, to stop some sophisticated attacks. It at leasts blocks the easiest, to middle tier CSRF attack vectors.

Cors Is The Equivalent Of The Elden ring Final Boss