We can't find the internet
Attempting to reconnect
Something went wrong!
Hang in there while we get back on track
"A Hipster History of CORS" by Devdatta Akhawe (Strange Loop 2022)
Discover the history of CORS, from its birth to its evolution in response to browser vulnerabilities and security concerns.
-
CORS was born out of necessity
- Browser’s inability to prevent data leakage across sites led to CORS
- Introduced origin headers and restrictions on loading assets from other sites
-
Simple and complex requests
- Simple requests don’t require preflights; complex requests need CORS approval
- CORS works by checking allowed origins and headers before loading assets
-
Early days of web development
- Netscape and Internet Explorer dominated early web browsers
- HTML and CSS still developing, security concerns arose
-
Spectre and the shift to CORS
- Spectre exploits browser vulnerabilities, forcing shift to CORS
- CORS aims to isolate JavaScript-based attacks, limiting data leakage
-
Pre-CORS web development
- Images, scripts, and other assets could be loaded from anywhere without explicit consent
- Security concerns arose as data leakage increased
-
Modern web development
- CORS provides controls on loading assets from other sites
- Security concerns reduced, but still present
-
Other policies and features
- Cross-origin opener policy: sets default origin for opening new tabs
- Cross-origin embedded policy: requires explicit consent for embedded content
- Access control request headers and methods: specifies allowed headers and methods