By default cookies are sent for cross-origin requests. The SameSite cookie flag that lets sites control this was only shipped in Safari the year before this blog post was written so it would have been hard to depend on it yet.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Coo...

reply
CORS relaxes the rules about what requests the browser can make.

The server doesn't get to stop the browser making calls that it didn't want, so it's a browser security feature, to stop the browser sending cookies where it shouldn't, or more precisely, to only send authentication and other info where it should.

It relaxes the same origin policy.

Usually a browser will not load resources from another origin based on the HTML it receives. If the page is from example.com, it won't allow you to load a page from example.org.

That stops things like authentication and cookies etc from example.com being transmitted to example.org if someone hacks the webpage.

CORS allows the server to relax those rules so that it can say "You can load resources from me, or from these other servers."

So it can say "I'm example.com but you can load resources from example.org and that's OK."

At least, that's how I think it works :)

reply
Your cookies are sent.
reply
Then why wasn't credentialless a simple fix to solve that. Not sending cookies isn't hard.
reply
Because that would break things. You couldn't stay logged into HN without cookies. Cookies aren't just for credentials, imagine hotlinking to an image and getting a different language version because your language cookie wasn't sent.
reply
I thought we were talking about cross origin requests. I've not encountered content worth hotlinking that can't work on first load without cookies. That seems like a slim hypothetical that doesn't justify banning the ability entirely. You don't attach cookies just to wget something from a server.
reply
Nevertheless cookies being sent with HTTP requests was how it worked before Javascript was invented, and at the time Netscape had to work with that for compatibility reasons.

If we’d known then how the web is used now then a few things might have been done differently.

reply
But it can easily be done differently. It's entirely possible to have the option available without cookies. It doesn't break backwards compatibility and no one has to use it in a situation where they need cookies. Cookies shouldn't be forced on people.
reply
Cookies will be sent if SameSite=None. Because a lot of the web's security features were implemented well after the tech was popular it's a patch-work with lots of overlap.
reply
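The two controls the thread circles around, the page declining to send credentials and the server restricting where its cookie may travel, as an added example that is not part of any comment: a JavaScript model of the browser's attach-or-not decision, assuming fetch()'s `credentials` modes and the `SameSite` attribute as browsers implement them today, with "site" simplified to the last two host labels.

```javascript
// Added example, not from the thread: a small model of when a browser attaches a
// cookie to a request, combining the server-set SameSite attribute with the
// page-side fetch() credentials mode. "Site" is simplified to the last two host
// labels; real browsers consult the Public Suffix List.

function registrableDomain(host) {
  return host.split(".").slice(-2).join(".");
}

// Parse a Set-Cookie header, e.g. "lang=fr; SameSite=None; Secure".
// A missing SameSite attribute is treated as Lax, the default in current browsers.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), sameSite: "Lax", secure: false };
  for (const attr of attrs) {
    const [key, val] = attr.split("=");
    if (key.toLowerCase() === "secure") cookie.secure = true;
    if (key.toLowerCase() === "samesite" && val) cookie.sameSite = val.trim();
  }
  return cookie;
}

// req = { origin, url, credentials: "omit" | "same-origin" | "include",
//         topLevel: bool (navigation vs. subresource such as <img>), method }
function cookieSent(cookie, req) {
  const target = new URL(req.url);
  const sameOrigin = target.origin === req.origin;
  const sameSite = registrableDomain(target.host) === registrableDomain(new URL(req.origin).host);
  // Page-side control: a script can decline to send credentials at all.
  if (req.credentials === "omit") return false;
  if (req.credentials === "same-origin" && !sameOrigin) return false;
  // Secure cookies only travel over https.
  if (cookie.secure && target.protocol !== "https:") return false;
  // Same-site requests carry the cookie (subject to the checks above).
  if (sameSite) return true;
  // Server-side control: SameSite decides what crosses a site boundary.
  switch (cookie.sameSite.toLowerCase()) {
    case "strict": return false;
    case "none": return cookie.secure; // None without Secure is rejected by modern browsers
    default: // Lax: only top-level navigations using safe methods
      return !!req.topLevel && ["GET", "HEAD"].includes((req.method || "GET").toUpperCase());
  }
}
```

The hotlinked-image case from the thread falls out of the model: a cross-site `<img>` is a subresource request, so a Lax cookie stays home while a `SameSite=None; Secure` cookie is sent.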