Hacker News .hnnew | past | comments | ask | show | jobs | submitlogin

> If you were a web developer before CORS existed, then you understand that cross-domain requests were forbidden all along

They weren't though. We had to adjust in the 2010s so existing code wouldn't break. It was something like, Chrome set a deadline after which it would be forcing the same-origin security by default, where it was off or optional before.



That’s not correct at all. Are you confusing it with SameSite or something like that?


I may be wrong about the specific security thing involved, but I know it would have broken ajax requests (probably XMLHTTPRequest, not fetch) to different domains had we not made changes to deal with it. They worked without issues before that.


You could not make cross-domain Ajax requests at all until CORS came along. There were lots of workarounds people had to invent (e.g. JSONP, Flash shims, proxying, etc.) precisely because this security barrier has been in place since the mid-90s, a couple of decades before CORS came along.

The whole point of CORS was to enable cross-domain requests.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: