← Back to context

Comment by mort96

9 months ago

I hate CORS. Garbage like this is a large reason why. CORS works differently in every browser and every website.

I don't hate CORS when writing my own stuff, to be clear. Adding Access-Control-Allow-Origin: * to my own website's headers is easy enough. I hate when I'm using a website and something doesn't work and I look at the console and see CORS errors. Opening the same website in Chrome usually works.

I hate CORS.

4 comments

mort96

Reply
rnicholus  9 months ago

>CORS works differently in every browser and every website.

Do you have some examples of this?

  • mort96  9 months ago

    Not anything concrete, just memories of things not working, me looking at the JS console, seeing CORS errors, and seeing it work in Chrome, as I described. And the comment I replied to showed that it works differently between websites, namely:

        if (host == "tripadvisor.com"_s || host.endsWith(".tripadvisor.com"_s))
        m_needsRelaxedCorsMixedContentCheckQuirk = true;

    • rnicholus  9 months ago

      That's a site-specific partial exemption from the same origin policy, as far as i can tell (without further context at the moment). Not a difference in how CORS works generally across Safari.

      CORS is frustrating for a lot of developers as it can be tough to gain a complete understanding of the spec, and an understanding of the same origin policy is required. But implementation of the CORS spec(s) isn't notably different across modern browsers, now that IE is out of the picture. CORS was a real nightmare in IE. Microsoft even introduced an XHR cousin named XDR in IE10 to handle cross-origin requests, and it wasn't even a complete implementation of CORS.

      This is a great resource to gain a more comprehensive understanding: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS

      1 reply →