The author hasn’t clarified yet, but I suspect what they’re referring to is the fact that CORS does not support granular access control. If you make something public under CORS, any client can retrieve the resource if no other authorization or authentication check is in place. It’s not a system of authentication, it’s a system of authorization - specifically, for authorizing hosts to request resources which normally wouldn’t be authorized to do so under same origin policy.

As a concrete example: people occasionally misuse the Origin header, thinking that they can use it as a form of client authentication. The idea is that any client request from a non-whitelisted origin will fail. But any user can spoof their own Origin header, and the Origin header is primarily intended to protect users from making CORS requests they didn’t intend (because in most cases an attacker cannot coerce a browser to forge a header).




CORS is not a tool to turn resources private, but to protect the browser (not the server's content) from cross domain requests.


Exactly, the attacker can always not use the browser and emulate a browser request if motivated enough.


Yes, that's precisely why CORS is a poor fit for authentication :)


Sure, but I don't see why the tip in OP is "don't use CORS". To me that implies there is actually something insecure about using it.


Yeah you can use CORS securely, there are just pitfalls to look out for.
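The misuse described earlier in the thread (treating the Origin header as client authentication) and the point just made (CORS can be used securely if the pitfalls are known) are illustrated below with a small added example. It is not code from the thread or from any commenter: two request handlers are modelled as pure functions over a dict of request headers so the behaviour can be checked offline, and `ORIGIN_ALLOWLIST`, `VALID_SESSIONS` and the three sample requests are constructed values.

```python
"""Added example, not code from the thread.

naive_handler uses Origin as if it authenticated the client.
hardened_handler uses Origin only to decide the CORS response headers and
makes the access decision on a session credential instead."""

from http.cookies import SimpleCookie

ORIGIN_ALLOWLIST = {"https://app.example.com"}  # constructed
VALID_SESSIONS = {"sess-abc123"}                 # constructed


def _session_from(headers):
    """Extract the session cookie value, or None if absent."""
    jar = SimpleCookie()
    jar.load(headers.get("Cookie", ""))
    morsel = jar.get("session")
    return morsel.value if morsel else None


def naive_handler(headers):
    """Pitfall: Origin treated as client authentication.
    Any client that sets its own headers (curl, a script) passes."""
    origin = headers.get("Origin")
    if origin in ORIGIN_ALLOWLIST:
        return 200, {"Access-Control-Allow-Origin": origin}, "secret data"
    return 403, {}, "forbidden"


def hardened_handler(headers):
    """Origin decides only whether a *browser* may read the response
    (CORS authorization). Whether the *caller* may have the resource is
    decided by the session credential, independently of Origin."""
    cors = {}
    origin = headers.get("Origin")
    if origin in ORIGIN_ALLOWLIST:
        # Echo only allowlisted origins; never reflect arbitrary Origins
        # and never use "*" together with Allow-Credentials.
        cors["Access-Control-Allow-Origin"] = origin
        cors["Access-Control-Allow-Credentials"] = "true"
        cors["Vary"] = "Origin"
    if _session_from(headers) not in VALID_SESSIONS:
        return 401, cors, "unauthorized"
    return 200, cors, "secret data"


# Constructed sample requests
BROWSER = {"Origin": "https://app.example.com", "Cookie": "session=sess-abc123"}
SPOOFED = {"Origin": "https://app.example.com"}   # non-browser client, forged Origin, no session
CROSS_SITE = {"Origin": "https://other.example", "Cookie": "session=sess-abc123"}


def run_scenarios():
    """Return {handler/request: (status, browser_may_read_body)}."""
    out = {}
    for name, req in [("browser", BROWSER), ("spoofed", SPOOFED), ("cross_site", CROSS_SITE)]:
        for label, handler in [("naive", naive_handler), ("hardened", hardened_handler)]:
            status, hdrs, _ = handler(req)
            readable = hdrs.get("Access-Control-Allow-Origin") == req.get("Origin")
            out[f"{label}/{name}"] = (status, readable)
    return out


if __name__ == "__main__":
    for key, (status, readable) in run_scenarios().items():
        print(f"{key:20} status={status} browser_readable={readable}")
```

The `naive/spoofed` row is the thread's point: the forged Origin gets a 200 and the data, because nothing but the header was checked. The `hardened/cross_site` row shows the other half: the server still produces a 200 for a valid session, and only the missing `Access-Control-Allow-Origin` stops the browser from reading it. CORS limits what a browser page may read, so it is not a substitute for the authentication and authorization checks on the server.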
