Comment by mort96
9 months ago
Not anything concrete, just memories of things not working, me looking at the JS console, seeing CORS errors, and seeing it work in Chrome, as I described. And the comment I replied to showed that it works differently between websites, namely:
if (host == "tripadvisor.com"_s || host.endsWith(".tripadvisor.com"_s))
m_needsRelaxedCorsMixedContentCheckQuirk = true;
That's a site-specific partial exemption from the same origin policy, as far as i can tell (without further context at the moment). Not a difference in how CORS works generally across Safari.
CORS is frustrating for a lot of developers as it can be tough to gain a complete understanding of the spec, and an understanding of the same origin policy is required. But implementation of the CORS spec(s) isn't notably different across modern browsers, now that IE is out of the picture. CORS was a real nightmare in IE. Microsoft even introduced an XHR cousin named XDR in IE10 to handle cross-origin requests, and it wasn't even a complete implementation of CORS.
This is a great resource to gain a more comprehensive understanding: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
I don't hate CORS from a developer perspective, I hate it from a user perspective, and from a broader "health of the web" perspective. Because, as I said, it works differently between browsers and it works differently between websites within the same browser. Mostly these differences just mean I have to use Chrome instead of my preferred browser.