web-security

Drew Verlee 2022-10-30T03:03:43.037309Z

I'm trying to understand the advice here on CORS to "not use a json but use a form encoding" https://youtube.com/clip/UgkxGDr7xID3EXluRN5FkxEI136uuxzMcazD

orestis 2022-11-08T12:40:01.270949Z

That talk was very useful. The intuition about the CORS restrictions is that you can do from JS (XHR etc) whatever was possible to do with plain HTML. You could always make a form which makes a POST to any random server, and thus you can do the same with XHR with no restrictions. This is the so-called “simple” request. You have to use that form encoding because this is what the plain HTML approach uses.

seancorfield 2022-11-08T17:55:29.516159Z

Ah, where you don't control the server you're POSTing to... OK, that makes sense... but then you don't have any control over whether that server supports CORS...?

orestis 2022-11-09T05:39:10.376839Z

Exactly, for servers you don’t control (or if you want to expose your API to third parties, I guess), simple requests are allowed by the browser without preflight.

orestis 2022-11-09T05:39:42.939039Z

I think though that modern browsers can even restrict those simple requests if the server opts in.

orestis 2022-11-09T05:40:08.565999Z

There’s a ton of info in the talk

Drew Verlee 2022-10-30T03:06:40.635459Z

> Is he talking about application/x-www-form-urlencoded? As in, that doesn't require a preflight request?

Drew Verlee 2022-10-30T03:08:42.742699Z

which is this... https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests

seancorfield 2022-10-30T03:30:39.714619Z

I don't think he's saying that it avoids a CORS request, just that it makes life simpler.

seancorfield 2022-10-30T03:31:22.462689Z

(but, I'll be honest, I've no idea why a POST with form-urlencoded is any easier/better than with application/json!)

👀 1