CORS
UPDATE: Since making the video, I've learned two important things that I didn't mention/emphasize in the video:
1. The point of the same origin policy is NOT to prevent you from _making_ requests. It's to prevent you from _reading the responses_. It sucks, but unfortunately, cross origin requests are possible regardless of whether or not we limit XMLHttpRequest (see http://guides.rubyonrails.org/security.html#cross-site-request-forgery-csrf). The request part of the attack is called Cross Site Request Forgery, and to guard against that, we use authenticity tokens. The part where you read the response and access that private information is what the same origin policy guards against.
2. Why require preflights? Why not just have the server parse incoming requests, and decide whether or not the requester is authorized? Requiring a preflight leads to an extra round trip, and is slow, right? Well, we could put the burden on the server developers to opt out. But what if they forget to opt out? That would be bad. It's safer to require everyone to opt _in_. That way, there aren't (as many) careless security vulnerabilities.
--------------------------------------------------------------------------------------------------------------
A description of how CORS works.
Docs (useful): https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
Other ways around the same origin policy: http://www.sitepoint.com/working-around-origin-policy/
I also wrote this stupid little blog post about it: https://medium.com/@adamzerner/web-security-a-story-8bba0587b34d
Видео CORS канала Adam Zerner
1. The point of the same origin policy is NOT to prevent you from _making_ requests. It's to prevent you from _reading the responses_. It sucks, but unfortunately, cross origin requests are possible regardless of whether or not we limit XMLHttpRequest (see http://guides.rubyonrails.org/security.html#cross-site-request-forgery-csrf). The request part of the attack is called Cross Site Request Forgery, and to guard against that, we use authenticity tokens. The part where you read the response and access that private information is what the same origin policy guards against.
2. Why require preflights? Why not just have the server parse incoming requests, and decide whether or not the requester is authorized? Requiring a preflight leads to an extra round trip, and is slow, right? Well, we could put the burden on the server developers to opt out. But what if they forget to opt out? That would be bad. It's safer to require everyone to opt _in_. That way, there aren't (as many) careless security vulnerabilities.
--------------------------------------------------------------------------------------------------------------
A description of how CORS works.
Docs (useful): https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
Other ways around the same origin policy: http://www.sitepoint.com/working-around-origin-policy/
I also wrote this stupid little blog post about it: https://medium.com/@adamzerner/web-security-a-story-8bba0587b34d
Видео CORS канала Adam Zerner
Показать
Комментарии отсутствуют
Информация о видео
Другие видео канала
How JavaScript Closures Work
How JavaScript Files Communicate
Introducing Myself
Hash Tables
Y Combinator Application Video
Elementary Logic Gates From NAND
Louis S3E11 Wife Conversation
Skimmable Videos: How to Create a Skim
Data Binding: AngularJS
Overview of how the CPU works
Data Binding: Overview
The What and Why of ngrok
Angular: ngRepeat's track by
The "new" operator in JavaScript
NBA Film Analysis - Thunder vs. Hawks - 12/05/16
Demo of College Inside View
Thunder Bulls - Film Analysis
Visual Lies
Intro to Algorithm Analysis
Premium Poker Tools - Equity calculator guide #3