CORS is security enforced by the browser. When a browser app sends a CORS request it's asking the browser to bypass that security by allowing requests to a server/origin from which it wasn't served. The browser checks with the server (via the headers) before passing the data to our app. That's why the server needs to include the allowed-origin header. Credentials are in addition to CORS: "Access-Control-Allow-Credentials - HTTP | MDN"

p-himik 2021-06-30T22:32:05.248600Z

Ah, I stand corrected then, thanks! It's not the server that rejects a request, it's the browser.


I think so, but I wouldn't be surprised to find I'm wrong. The language around the topic is somewhat confusing because the goal (reducing security) isn't typically what you want to do, and the means (browser-enforced) isn't where things are typically done. We tend to think of our apps as being in control of the browser, but that's not really true, or at least that's how I understand it. It's an OS and we're operating at a level above root.

p-himik 2021-06-30T22:41:16.249200Z

I just checked - you aren't wrong. :) And of course, I have read through the MDN page for CORS before, but it seems like I have remembered it poorly.


I claim to have at least 4 years of web development experience, and every time I run into this issue I have to go re-read it because there is always a thing. Last time, I got everything right but wasn't actually passing the headers in my app request because I didn't serialize to JS. (I had switched from Lambda Island's cljs fetch to vanilla JS fetch.) The browser responds back with a catch-all security message that led me to believe I was crazy.