This page is not created by, affiliated with, or supported by Slack Technologies, Inc.
2022-10-30
Channels
- # announcements (1)
- # babashka (15)
- # calva (3)
- # cider (1)
- # clj-kondo (16)
- # clj-on-windows (1)
- # cljfx (1)
- # clojure (25)
- # clojure-europe (6)
- # clojure-spec (15)
- # cursive (13)
- # emacs (11)
- # fulcro (2)
- # humbleui (7)
- # introduce-yourself (1)
- # jackdaw (1)
- # off-topic (10)
- # pathom (5)
- # portal (3)
- # re-frame (7)
- # reagent (12)
- # releases (1)
- # shadow-cljs (8)
- # tools-build (18)
- # web-security (10)
I'm trying to understand the advice here on cors to "not use a json but use a form encoding" https://youtube.com/clip/UgkxGDr7xID3EXluRN5FkxEI136uuxzMcazD
> Is he talking about? application/x-www-form-urlencoded
as in, that doesn't require a preflight request?
which is this... https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests
I don't think he's saying that it avoids a CORS request, just that it makes life simpler.
(but, I'll be honest, I've no idea why a POST with form-urlencoded is any easier/better than with application/json!)
That talk was very useful. The intuition about the CORS restrictions is that you can do from JS (XHR etc) whatever was possible to do with plain HTML. You could always make a form which makes a POST to any random server, and thus you can do the same with XHR with no restrictions. This is the so-called “simple” request. You have to use that form encoding because this is what the plain HTML approach uses.
Ah, where you don't control the server you're POSTing to... OK, that makes sense... but then you don't have any control over whether that server supports CORS...?
Exactly, for servers you don’t control (or if you want to expose your API to third parties, I guess), simple requests are allowed by the browser without preflight.