Developers don't understand CORS (2019) (fosterelli.co)
381 points by toilet 1 day ago | 260 comments
tl;dr: Zoom's recent vulnerability stemmed from a hack to bypass CORS: their localhost webserver encoded response data in image dimensions to avoid AJAX restrictions, inadvertently exposing the API to every website. A proper fix would have been setting `Access-Control-Allow-Origin: https://zoom.us` on the localhost server. The author argues this reflects a broader pattern of developers misunderstanding CORS and working around it insecurely rather than configuring it correctly.
HN Discussion:
  • The article itself misunderstands CORS, conflating it with SOP and misrepresenting what Access-Control-Allow-Origin actually does
  • The comment section proves the article's point that developers don't understand CORS
  • CORS is genuinely confusing because of poor error messages, changing standards, and infrequent exposure for many developers
  • Understanding CORS requires first understanding the Same Origin Policy and the underlying threat model
  • Recommending educational resources like MDN to help developers actually learn CORS properly