no need to drive them, frontend devs will do it by themselves

see also: OAuth 2

​@@btonez13OAuth2 is great wdym? It's also easy to implement yourself either from documentations (Microsoft has some good ones) or from the RFC

Omg literally me

I believe all front-end tech has that goal

Yeah. CORS is definitely a flawed spec, no doubt about it, but the “obnoxious” bit here is a Next thing

Most definitely, it just shows how immature these JS frameworks for backend are. I mean its not end of the world as CORS is not THAT complicated. Also the preflight (OPTIONS http verb call) is meant for browsers to check the response headers so that the actual request can/cannot be sent, if can be sent then after the actual request browser checks that request response headers for the actual response.

Oh yes these Js framework's are really immature, I did try to implement API using nextjs lots of issues like this. Java , phyton or c# is better for API development. I switched to remix for frontend from nextjs.... Much more flexible and uses unwrapped native node JS request and response.....

@@MrRaitiz indeed, he key point about OPTIONS is that it guards against any side effects of the request, effectively to guard against a CSRF attack. Servers could guard against this by checking the CORS headers before carrying out the request, but it looks like the CORS spec takes a precautionary approach and assumes the server does not do this, The weird thing is the websocket spec takes the opposite approach and relies on the web sockets server to validate the Origin header within the app logic. I wonder how many webscketa servers do not check the Origin.

I agree, this is a framework problem. On top of that, with server actions nextjs implemented an origin header check on the server. This is obnoxious part, instead of providing a good DX on top of a browser enforced CORS, they implement something else, that is much less flexible, adding another set of error messages to the pile. Have fun implementing a multi tenant app where users suppose to point their custom domain to your app. You’ll need to know all allowed hosts at build time AND still have to deal with CORS to prevent cross scripting issues between your tenants …

Get out!!!

​@@rubendacostaesilva8442😂😂😂😂

Banger

Bruh

FR1!1!

yea this video missed the mark soo bad, it comes off like Theo doesn't really understand what CORS solves.

As always, i found out that vercel with next only makes problems 😂

that won't solve node.js cor's issues :D

@@GamePlayByFaks fun fact cors package is configurable on nodejs

@@fnfal113 let's be real not everybody add's packages to handle cor's that's just reality of it, since dependency hell on nodejs all ready is a thing... Note: Also don't forget not everybody use latest and greatest stuff around, like we have spa vue.js v1.x with node.js that is a bit outdated, so each time is a gamble.

Thank you, exactly what I wanted to say. Nodejs logic: "we can't write proper code to handle a web standard or copy solution from other technologies" = "web standard is stupid". Guys, just look how it is done in other frameworks, why do JS devs need to invent everything again from scratch?

@proosee ​because node isn't a framework, it's an engine to run JS outside of the browser.

Ty for heads up, thankfully that key hasn't been valid for over 2 months lol

why were you watching it in slow motion? 😂

@@ninjaasmoke People who are into security look very closely whenever somebody streams code. That black box redacting something which than moves behind that block is just asking to be checked out frame by frame 😂

@@ninjaasmoke there have been cases of filtering of... fingerprints or other codes. Wikipedia was requested to remove the FBI badge at wikimedia

The Twitter replies shown in this video are enough to conclude that people have no idea what they are doing.

@@31redorange08 what is worse is that many devs working in big companies do not know either. Since web dev became an industry, real knowledge has declined.

Agreed allowing all in prod is NOT a solution.

the entire video itself is just web dev skill issues

Productive devs vs senior devs problem right there. @@phillipgilligan8168

Laravel has built in package to handle that but if you have outer api for spa or whatever then that solves only one way not the other from node.js

@@GamePlayByFaks i meant cors.php in config folder

@@SanderCokart okay.

Agree. CORS is basically a way for you to opt into which domains are allowed to interact with your server. How is that a bad thing? Complaining about CORS existing is like complaining about passwords existing. Would you be angry that passwords exist to allow you to opt in to who is able to access your accounts (if you even choose to allow this)? I doubt it. And from the other perspective, for those front end apps running in the browser on various domains out there, it was a backwards compatible way to make sure sensitive data wasn't being transmitted to 3rd party domains. Security by default is a good thing. The fact they added cross-domain AJAX support in a backwards compatible way like this is impressive. I do realize it can feel complex to people who've never worked with it before. And that complexity can be magnified when you're working with a 3rd party thing (like this video creator is) who is also doing something complex, like running things meant to be run on servers in the browser. Now you're at the mercy of how that 3rd party works. But you've always got the freedom to choose to simply not use that service. Anyone new to CORS who is frustrated with it should use the same solution they've probably found successful so far when dealing with new things. If it's too complex, provide feedback to its creators so they can simplify it (CORS probably cannot be simplified any further) and then try as hard as you can to learn it. MDN has great resources for learning how CORS works. One more tip I'll leave for people... embrace proxying if you need it. It's not the evil, dirty workaround it might seem to be. Browsers have no way to know that two domains are owned by the same party, so they have no way to trust a different domain when a request is being made to it. If you proxy the requests you want your app to make, hosting the proxy on your domain, the browser doesn't have to worry about this. You're vouching for that service to the browser. It simply makes another call to your domain, like it's doing for every other call to your backend. This doesn't even have to be a separate application. It can just be another route in your back end application if you want.

web people don’t actually understand how the web works

Except for that not every request does need an option preflight request. As long as your request qualifies as a „simple request“ (specific content types and no non standard headers, etc) your browser will not issue a preflight request, but the response still needs the proper cord headers present

@@Mooooov0815 the "simple" requests are there for backwards compatibility reasons. GET calls with no additional headers (same as embedding an IMG tag in your document) or POST requests that do a simple application/x-www-form-urlencoded plain old form stuff.

@@Mooooov0815 If the request does not cause a modification on the server (i.e. GET), then it does not need a preflight, because you can simply filter when the response comes. But for a request that causes a modification on the server (i.e. POST), filtering on the response would be too late, so you need to check first.

" instead checking the Origin header would simply be left to the server." - im pretty sure that's how it is anyway.

@@RaZziaN1 The point is that for normal HTTP calls that's *not* the case right now, just for websockets as those are new.

⁠@@RaZziaN1 not quite - most properly written websites would have CSRF protection jest originated from the same request, but as the Origin header is recent and not sent on all requests it would probably not be checked at all

...because backwards compatibility minutiae is piling up saddling modern web development with past bad decisions.

@@DavidMulderOne but I can just extract the origin, validate it, and set the cors to allow it? or am i missing something?

Yes, you're absolutely correct. Unless the application needs to dynamically set the allowed source based, for example, on the user authenticated, you should deal with CORDS on Nginx, Apache, etc.

You can hate something that is difficult to work with even if that added difficulty is a net good.

wow did you say it? I agree! Also, you should never set Access-Control-Allow-Origin = *, unless your API is meant to accept requests from unknown sources.

@@Rust_Rust_Rust Ok, I can agree. But CORS couldn't be more simpler. I'd even argue its failure is to be too simple : for example being able to only declare one domain as an allowed origin. They could have allowed you to just send back a coma separated list. But I don't see how CORS is "difficult to work with". It's a bunch of headers that tells a browser what methods it can use and from what domain, for a certain URL. Nothing more.

@@Hexalyse lol lol arguing it's too simple while pointing out a main cause of why it's not simple. LOL 🤡🤸

@@TheNewtonI'd like to see him hook up a front end to an API he hasn't worked with before on a live stream. If you think CORS couldn't be "more simpler", either you're amazing, or don't code very much.

StackOverflow says you add it to the permissions part of your chrome extension manifest. Hopefully this is still a correct answer, it’s 11 years old :) See “CORS Chrome Extension with manifest version 2 Is it possible to use CORS when writing a google chrome extension?”

error pages usually dont emit the correct cors headers

How did you fix it?

no issue with flickering for me

​@@RaZziaN1its very subtle, I can see it in my tv and phone very well, but it is harder to spot on my monitor (I can still see it though, but it is definitely not as annoying as on my tv, probably due to local dimming)

Let us connet, I would like to test my online voting solution API .

😂😂omfg

The issue with this approach is that if the victim is on an internal network it would allow access to internal services through a malicious websites. The localhost restriction is probably there for a good security reason as well

I think when he said sockets he meant websockets, which does not need CORS to go cross domain - instead the server is supposed to validate the Origin header. The reason CORS has a preflight request is because some web endpoints may predate CORS and not know to check the Origin header, and would be vulnerable.

No, you apparently don't understand CORS.

At the time, I thought since running Node JS could circumvent CORS, I found StackBlitz, to run WebContainers with NodeJS, maybe this could get away too, but this always stayed a theory.

MeToo

csrf token that rotates after every request

I was just about to say. This is no more than a skill issue. Dont't be hating on stuff that increases security and safety on the net.

The only reasonable comment here.

No, you always needed the subsequent requests to also respond with the appropriate CORS headers, otherwise the browser would not allow you to access the response.

Wow, that seems a bit excessive, I wonder why that was designed in such a manner.

Its there to protect that user, not other users, so if a user jumps through the hoops (its surprisingly hard to do this on Chrome without an extension) then they’re at most screwing thenselves.

Does it differ in between different versions of same browser though? Just wondering, because knowing world of developers it could very well be so.

So many answers on stack overflow do the same... Which is a pity.. always try to understand why things happen

What issues in this video were Next specific?

So nextjs address this issue with elegant solution?

5:05 you shouldn't have to write the same code twice. That's the reason Middleware is great. I'm sure we could make a better design. I'm not super familiar with nextjs new app router but it seems like some of your headache comes from these nextjs patterns. Maybe a server with Middleware is a better approach. Love your content let me know what you think