After dealing with this for several hours, I'm honestly curious as to why the Cross Origin Resource Sharing specification is so complex. How does the dance actually improve security? Would it not be as effective to just check the headers of the response, rather than making a separate OPTIONS request?

EDIT: Thanks for the link! Maybe my question will be more Googleable so people find the other answer more often.

monitorjbl

  • http://stackoverflow.com/questions/22107694/why-does-a-cross-origin-head-request-need-a-preflight-check/22108815#22108815 – Ray Nicholus Mar 07 '14 at 13:32
  • No idea why people are blindly flagging this as "primarily opinion based". There is no opinion required to answer this, only facts. See my answer to a similar question, which I linked to in my comment above. The OP is asking why preflights are needed as part of the CORS spec. That isn't a request for an opinion, nor is an opinion required to answer. – Ray Nicholus Mar 07 '14 at 13:34
  • `headers` are easier to spoof is why! – AO_ Mar 07 '14 at 14:00
  • @f00644: Huh? No. CORS does not have anything to do with spoofing. – Bergi Mar 07 '14 at 14:01
  • @Bergi, indeed.. but believing blatant headers for CORS, does.. – AO_ Mar 07 '14 at 14:02
  • See also: [CORS - What is the motivation behind introducing preflight requests?](http://stackoverflow.com/questions/15381105/cors-what-is-the-motivation-behind-introducing-preflight-requests?rq=1) – Bergi Mar 07 '14 at 14:06
  • @f00644 No, that isn't why. Preflighting doesn't solve that problem anyway. CORS isn't a security mechanism. It's a standard that allows cross origin browser based requests via JavaScript. Preflighting is simply a mechanism to ensure this new capability doesn't introduce any breaking changes for old or uninterested servers. – Ray Nicholus Mar 07 '14 at 14:06
  • @RayNicholus, I think we have started talking about 2 separate things... moving along.. – AO_ Mar 07 '14 at 15:03
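As an added example (not from the question or any of the commenters), here is a small Python model of the browser's side of the preflight dance: a request that a plain HTML form could never have produced is released only after a successful OPTIONS exchange, so a pre-CORS server that never emits Access-Control-* headers never receives the DELETE at all, which is what checking the headers of the real response could not achieve. The safelist constants follow the Fetch spec's simple-request rules; `LegacyServer`, the origins and the request shapes are constructed for illustration.

```python
SAFE_METHODS = {"GET", "HEAD", "POST"}
SAFE_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
SAFE_CONTENT_TYPES = {"application/x-www-form-urlencoded",
                      "multipart/form-data", "text/plain"}

def unsafe_headers(headers):
    """Request header names that are not CORS-safelisted by name and value."""
    out = set()
    for name, value in headers.items():
        lname = name.lower()
        if lname not in SAFE_HEADERS or (lname == "content-type" and
                value.split(";")[0].strip().lower() not in SAFE_CONTENT_TYPES):
            out.add(lname)
    return out

def needs_preflight(method, headers):
    """True when the browser must send OPTIONS before the real request."""
    return method.upper() not in SAFE_METHODS or bool(unsafe_headers(headers))

def preflight_allows(origin, method, headers, response):
    """Evaluate the OPTIONS response as a browser does (no credentials)."""
    if response.get("Access-Control-Allow-Origin") not in ("*", origin):
        return False
    methods = {m.strip().upper() for m in
               response.get("Access-Control-Allow-Methods", "").split(",")}
    if method.upper() not in methods | SAFE_METHODS and "*" not in methods:
        return False
    allowed = {h.strip().lower() for h in
               response.get("Access-Control-Allow-Headers", "").split(",")}
    return "*" in allowed or unsafe_headers(headers) <= allowed

def cross_origin_fetch(origin, method, headers, server):
    """Browser model: the real request is sent only if the preflight passes.
    `server(method, headers)` returns the server's response headers."""
    if needs_preflight(method, headers):
        probe = server("OPTIONS", {"Origin": origin,
                                   "Access-Control-Request-Method": method})
        if not preflight_allows(origin, method, headers, probe):
            return "blocked before the request was sent"
    server(method, dict(headers, Origin=origin))
    return "sent"

class LegacyServer:
    """Constructed pre-CORS server: no Access-Control-* headers, DELETE does work."""
    def __init__(self):
        self.deleted = 0
    def __call__(self, method, headers):
        if method == "DELETE":
            self.deleted += 1
        return {"Content-Type": "text/plain"}
```

A form-style POST still goes straight through, exactly as it could before CORS existed, while the DELETE is stopped at the OPTIONS stage with the legacy server's state untouched.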