#web-security
2022-10-30
Drew Verlee 03:10:43

I'm trying to understand the advice here on cors to "not use a json but use a form encoding" https://youtube.com/clip/UgkxGDr7xID3EXluRN5FkxEI136uuxzMcazD

Drew Verlee 03:10:40

> Is he talking about application/x-www-form-urlencoded? As in, that doesn't require a preflight request?

seancorfield 03:10:39

I don't think he's saying that it avoids a CORS request, just that it makes life simpler.

seancorfield 03:10:22

(but, I'll be honest, I've no idea why a POST with form-urlencoded is any easier/better than with application/json!)

orestis 12:11:01

That talk was very useful. The intuition about the CORS restrictions is that you can do from JS (XHR etc) whatever was possible to do with plain HTML. You could always make a form which makes a POST to any random server, and thus you can do the same with XHR with no restrictions. This is the so-called “simple” request. You have to use that form encoding because this is what the plain HTML approach uses.

seancorfield 17:11:29

Ah, where you don't control the server you're POSTing to... OK, that makes sense... but then you don't have any control over whether that server supports CORS...?

orestis 05:11:10

Exactly, for servers you don’t control (or if you want to expose your API to third parties, I guess), simple requests are allowed by the browser without preflight.

orestis 05:11:42

I think though that modern browsers can even restrict those simple requests if the server opts in.

orestis 05:11:08

There’s a ton of info in the talk