re: Understand CORS, Why Is CORS So Important For Web Development?

re: I believe cors is only the browser thing. There are some ways to bypass the cors on browser , Chrome for example. We can turn off the check for cor...

You are all a bit right I think.

So, CORS being a browser thing: Initially, browsers wouldn't allow a running script to make calls to any resources from another origin. Now they do using CORS. We configure CORS using the extra CORS headers available. It is a "browser thing" in terms of the fact that the policy enforcer is the browser. So the entity blocking access to extra origin resources is the browser. The minute you have moved outside of the browser space unless you implemented some sort of CORS policy enforcement yourself, CORS does not apply.

So in your example @hemant, running your service on localhost:3000, if I just build the request myself (outside of a browser) there is nothing stopping me accessing the resource in terms of CORS.

So in terms of policy enforcement, it is only browser-specific.

In relation to what you do on the backend: For the browser to do CORS policy enforcement it specifies a number of headers that must be set, depending on the situation (credentials, methods, extra headers), but the simplest is Access-Control-Allow-Origin. So on the backend, we do have to do something to allow cross-origin calls, and it is just setting the relevant headers, otherwise, the browser will not give the extra origin script access to the resource. As above, outside of the browser environment this does not apply.

In relation to CORS being needed for microservices: It is most definitely extremely useful, but it isn't strictly needed. If we are considering service-to-service communication, CORS is not a consideration in this domain. Unless you implemented something CORS-like yourself, services can communicate with each other just fine without it.

It is only a consideration for your public (browser-accessed) API. But it is not required: I could just create a number of microservices, the public (browser-accessed) elements of which are all within one API gateway and so under the same origin.

Of course, we couldn't share them (unless we did it all on the backend), and that is where the CORS relaxation on SOP is useful.
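As an added illustration of the point made in this comment (example code, not from the original post or either commenter): a simulated exchange in which a hypothetical backend only emits CORS headers for a constructed allowlist, a simulated browser does the actual enforcement (including the preflight step for non-simple methods and extra headers), and a direct, non-browser client receives the body regardless. All origins, methods and header names are constructed assumptions.

```python
from typing import Dict, Optional, Tuple

# Constructed policy for the hypothetical backend (assumption, not from the post).
ALLOWED_ORIGINS = {"https://app.example.com"}
ALLOWED_METHODS = {"GET", "POST", "DELETE"}
ALLOWED_HEADERS = {"content-type", "x-request-id"}
SIMPLE_METHODS = {"GET", "HEAD", "POST"}
SIMPLE_HEADERS = {"accept", "content-type"}  # simplified: real rules also inspect values


def backend(method: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str], bytes]:
    """Hypothetical resource handler. The data goes to whoever asks; the only
    CORS work is emitting headers that a browser will read and act on."""
    origin = headers.get("Origin")
    cors: Dict[str, str] = {}
    if origin in ALLOWED_ORIGINS:
        # Echo the one allowed origin and mark the response as origin-dependent,
        # so a shared cache never serves this header to a different origin.
        cors["Access-Control-Allow-Origin"] = origin
        cors["Vary"] = "Origin"
    if method == "OPTIONS":  # preflight: no body, just the policy description
        if cors:
            cors["Access-Control-Allow-Methods"] = ", ".join(sorted(ALLOWED_METHODS))
            cors["Access-Control-Allow-Headers"] = ", ".join(sorted(ALLOWED_HEADERS))
        return 204, cors, b""
    return 200, {"Content-Type": "application/json", **cors}, b'{"secret": "data"}'


def browser_fetch(page_origin: str, method: str = "GET",
                  extra: Optional[Dict[str, str]] = None) -> Optional[bytes]:
    """Simulates the browser-side enforcer for a script running on page_origin.
    Returns the body the script gets, or None when the browser withholds it."""
    extra = extra or {}
    if method not in SIMPLE_METHODS or any(h.lower() not in SIMPLE_HEADERS for h in extra):
        _, pre, _ = backend("OPTIONS", {"Origin": page_origin,
                                        "Access-Control-Request-Method": method})
        methods = {m.strip() for m in pre.get("Access-Control-Allow-Methods", "").split(",")}
        allowed = {h.strip().lower() for h in pre.get("Access-Control-Allow-Headers", "").split(",")}
        if (pre.get("Access-Control-Allow-Origin") != page_origin or method not in methods
                or any(h.lower() not in allowed for h in extra)):
            return None
    _, resp, body = backend(method, {"Origin": page_origin, **extra})
    # The full response arrived at the browser; it is only the script that is denied it.
    return body if resp.get("Access-Control-Allow-Origin") in ("*", page_origin) else None


def direct_fetch() -> bytes:
    """A non-browser client (curl, another microservice): no Origin, no check, full body."""
    return backend("GET", {})[2]
```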
