CORS
UPDATE: Since making the video, I've learned two important things that I didn't mention/emphasize in the video:
1. The point of the same origin policy is NOT to prevent you from _making_ requests. It's to prevent you from _reading the responses_. It sucks, but unfortunately, cross origin requests are possible regardless of whether or not we limit XMLHttpRequest (see http://guides.rubyonrails.org/security.html#cross-site-request-forgery-csrf). The request part of the attack is called Cross Site Request Forgery, and to guard against that, we use authenticity tokens. The part where you read the response and access that private information is what the same origin policy guards against.
2. Why require preflights? Why not just have the server parse incoming requests, and decide whether or not the requester is authorized? Requiring a preflight leads to an extra round trip, and is slow, right? Well, we could put the burden on the server developers to opt out. But what if they forget to opt out? That would be bad. It's safer to require everyone to opt _in_. That way, there aren't (as many) careless security vulnerabilities.
--------------------------------------------------------------------------------------------------------------
A description of how CORS works.
Docs (useful): https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
Other ways around the same origin policy: http://www.sitepoint.com/working-around-origin-policy/
I also wrote this stupid little blog post about it: https://medium.com/@adamzerner/web-security-a-story-8bba0587b34d
Видео CORS канала Adam Zerner
1. The point of the same origin policy is NOT to prevent you from _making_ requests. It's to prevent you from _reading the responses_. It sucks, but unfortunately, cross origin requests are possible regardless of whether or not we limit XMLHttpRequest (see http://guides.rubyonrails.org/security.html#cross-site-request-forgery-csrf). The request part of the attack is called Cross Site Request Forgery, and to guard against that, we use authenticity tokens. The part where you read the response and access that private information is what the same origin policy guards against.
2. Why require preflights? Why not just have the server parse incoming requests, and decide whether or not the requester is authorized? Requiring a preflight leads to an extra round trip, and is slow, right? Well, we could put the burden on the server developers to opt out. But what if they forget to opt out? That would be bad. It's safer to require everyone to opt _in_. That way, there aren't (as many) careless security vulnerabilities.
--------------------------------------------------------------------------------------------------------------
A description of how CORS works.
Docs (useful): https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
Other ways around the same origin policy: http://www.sitepoint.com/working-around-origin-policy/
I also wrote this stupid little blog post about it: https://medium.com/@adamzerner/web-security-a-story-8bba0587b34d
Видео CORS канала Adam Zerner
Показать
Комментарии отсутствуют
Информация о видео
Другие видео канала
How JavaScript Closures WorkHow JavaScript Files CommunicateIntroducing MyselfHash TablesY Combinator Application VideoElementary Logic Gates From NANDLouis S3E11 Wife ConversationSkimmable Videos: How to Create a SkimData Binding: AngularJSOverview of how the CPU worksData Binding: OverviewThe What and Why of ngrokAngular: ngRepeat's track byThe "new" operator in JavaScriptNBA Film Analysis - Thunder vs. Hawks - 12/05/16Demo of College Inside ViewThunder Bulls - Film AnalysisVisual LiesIntro to Algorithm AnalysisPremium Poker Tools - Equity calculator guide #3