Prashant Ghimire - 1 year ago
Javascript Question

How does CORS plugin / --disable-web-security work on browser?

I'm sure I'm not the only one who has used/uses

plugin for browsers or
flag while making API calls to external (or even internal) API endpoints. I used this plugin to make Google Maps related API calls. But within the same application, ParseSDK API calls needed no

My question is: why are these endpoints acting differently, and how does the CORS plugin solve the problem (even though we don't have control over those APIs)?

Thanks in advance.

Lux

Well, what that plugin does is highly irresponsible; it actually disables the same-origin policy, which enforces that a website on a specific origin can only make requests to that origin.

The same-origin policy actually just prevents a website from reading the response of a GET/POST request; the request itself is made, because it's considered safe.

Over time this good security feature became a burden and people used workarounds like JSONP.

So we got a new, standardized way to access foreign origins:

CORS (Cross-Origin Resource Sharing) is a mechanism that allows a web server to specify that another origin is allowed to access its content. This is done with Access-Control-Allow-Origin: which allows access to the response even if the response is from a different origin.

Access-Control-Allow-Credentials: true would also allow the credentials, which include cookies and HTTP Basic authentication, to be sent within the request.

You can also specify a wildcard, Access-Control-Allow-Origin: *, which allows all websites to access this response. However, when you do this you have to specify Access-Control-Allow-Credentials: false, so no credentials are exposed.

This is the only correct way to implement a publicly accessible AJAX API on the internet.

However, this plugin simply disables the same-origin policy completely, which is extremely dangerous.
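To make the mechanism in the answer above concrete, here is an added example (my own code, not part of the original question or answer) that models both halves of a CORS exchange in plain Node.js, offline: the server deciding which Access-Control-* headers to send for a given request Origin, and the browser deciding whether page JavaScript may read the response. The origins and the two policies (a public, credential-less API in the style of a maps service, and a private API that allow-lists specific origins and accepts cookies) are constructed for illustration. The `enforce` flag models what --disable-web-security or a "CORS plugin" does: it skips the browser-side check entirely, which is why such tools appear to fix every API at once. One detail not spelled out in the answer: the only value the Access-Control-Allow-Credentials header can carry is "true", so the safe form of the wildcard policy is to omit that header rather than send "false".

```javascript
// Added example: a model of CORS on both sides, runnable with `node cors_model.js`.
// All origins and policies below are constructed for illustration.

// Server side: compute the CORS response headers for a request from `requestOrigin`.
function corsHeadersFor(requestOrigin, policy) {
  const headers = {};
  if (policy.allowOrigins === "*") {
    // Public API: any origin may read the response, but never with credentials.
    // Access-Control-Allow-Credentials only has one valid value ("true"),
    // so the credential-less form is simply to leave it out.
    headers["Access-Control-Allow-Origin"] = "*";
    return headers;
  }
  if (!policy.allowOrigins.includes(requestOrigin)) {
    // Unknown origin: send no CORS headers at all. The request still reached
    // the server (the same-origin policy does not stop it being sent); the
    // browser just refuses to hand the response body to the page.
    return headers;
  }
  // Allow-listed origin: echo it back. Echoing makes the response
  // origin-specific, so Vary: Origin keeps a shared cache from replaying it
  // to a different origin.
  headers["Access-Control-Allow-Origin"] = requestOrigin;
  headers["Vary"] = "Origin";
  if (policy.allowCredentials) {
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers;
}

// Browser side: may a page at `pageOrigin` read a response from `responseOrigin`?
// `credentialed` is true when cookies/HTTP auth were attached to the request.
// `enforce: false` models --disable-web-security / a CORS-disabling plugin.
function browserMayRead(pageOrigin, responseOrigin, responseHeaders, opts) {
  const { credentialed = false, enforce = true } = opts || {};
  if (!enforce) return true;                       // policy switched off: everything readable
  if (pageOrigin === responseOrigin) return true;  // same origin: always readable
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  if (acao === undefined) return false;            // no CORS headers: opaque to the page
  if (acao === "*") return !credentialed;          // wildcard never covers credentialed requests
  if (acao !== pageOrigin) return false;           // header names some other origin
  if (credentialed) {
    return responseHeaders["Access-Control-Allow-Credentials"] === "true";
  }
  return true;
}

// Constructed sample policies.
const PUBLIC_API_POLICY = { allowOrigins: "*", allowCredentials: false };
const PRIVATE_API_POLICY = {
  allowOrigins: ["https://app.example", "https://admin.example"],
  allowCredentials: true,
};

// End-to-end: page at `pageOrigin` calls `apiOrigin`, which applies `policy`.
function simulate(pageOrigin, apiOrigin, policy, credentialed, enforce) {
  const headers = corsHeadersFor(pageOrigin, policy);
  return browserMayRead(pageOrigin, apiOrigin, headers, { credentialed, enforce });
}

// Walk through the situations the question describes.
const cases = [
  ["public API, plain request",            "https://app.example",  "https://maps.example", PUBLIC_API_POLICY,  false, true],
  ["public API, request with cookies",     "https://app.example",  "https://maps.example", PUBLIC_API_POLICY,  true,  true],
  ["private API, allow-listed origin",     "https://app.example",  "https://api.example",  PRIVATE_API_POLICY, true,  true],
  ["private API, foreign origin",          "https://evil.example", "https://api.example",  PRIVATE_API_POLICY, true,  true],
  ["private API, foreign origin, SOP off", "https://evil.example", "https://api.example",  PRIVATE_API_POLICY, true,  false],
];
for (const [label, page, api, policy, cred, enforce] of cases) {
  console.log(`${label}: readable=${simulate(page, api, policy, cred, enforce)}`);
}
```

The last two rows are the point of the answer: with the same-origin policy enforced, a page on an origin the API never allow-listed cannot read a cookie-bearing response; with it switched off, that same page can, which is exactly the cross-site read the policy exists to prevent. A server that does not set the headers is not broken, it is simply not opting in, and the fix belongs on the server, not in the browser.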