Source: https://www.irccloud.com/pastebin/nN0r81uD (paste dated 2017-06-01)

diddledan [1:28 PM] CORS is killing me :disappointed:
[1:29] why would a public resource on third-party site ever be able to tell me I'm not allowed to read it in the browser on the premise that I'm gonna shoot my own foot off?
[1:30] specifically I am trying to read some html on a public page on a third-party site to scrape a URL from it. but fetch says I'm not allowed to do that because the third party says CORS is not allowed
[1:30] </rant>
dracco [1:32 PM] @diddledan some external resources might contain malicious code, you dont want that on your site do you?
[1:33] thats the reason for CORS to block connections
diddledan [1:33 PM] but those external resources will surely know they're serving bad stuff so set the CORS header to allow it in my site
dracco [1:34 PM] well the other direction is protecting others properties :stuck_out_tongue:
diddledan [1:34 PM] I don't understand why <bad person> running <bad server> would not set a cors header to allow <good site> to embed <bad code>
dracco [1:34 PM] well as a <good person> i might not want some <other good person> to use <my code> wrote just for <myself> :stuck_out_tongue:
diddledan [1:35 PM] how does cors prevent that?
[1:35] if they really want it they'll do it anyway
dracco [1:35 PM] how would you download my script without me enabling cors?
diddledan [1:36 PM] curl http://yourserver.example.com/script.js -o my-site/stolen-script.js
dracco [1:36 PM] from the website
[1:36] on your website
dancotton [1:37 PM] I’d stick a proxy in the middle that requests the file & streams it back but with a CORS header - but that’s going a bit far :joy:
[1:37] I think it’s more a deterrent than anything else
dracco [1:37 PM] if i dont enable cors, proxy wont fetch it too
diddledan [1:37 PM] @dancotton exactly my point. if you can proxy it then there is no protection from cors
dancotton [1:38 PM] it would if it’s server->server - unless you manually do a hard check on the req origin
dracco [1:38 PM] unless proxy will run curl (or other wget) and send it via http:80
diddledan [1:38 PM] but I think it's crazy stupid to have to set up a nodejs server just to access a resource that I should be able to access anyway
dracco [1:39 PM] but still, if a thief can break into your house, why would you lock the door anyway?
[1:39] thief can break in anyway, so why bother :stuck_out_tongue:?
[1:39] same principle here
[1:40] the fact that its still possible doesnt mean it should be easy
diddledan [1:40 PM] it's a protection for a non-problem. site-a wants access to site-b, but cors on site-b says no, so I set up a nodejs and access it anyway at the expense of having to maintain a server that shouldn't be needed!
dracco [1:40 PM] if site-b does NOT want you to use their script, you should have all the additional expenses (both in money and time) to get that script
[1:41] if site-b wants you to get the script, it will just unlock CORS
[1:41] not everybody can setup the node server
diddledan [1:41 PM] but why would site-b want me to not touch their html that they make publicly available?
dracco [1:42 PM] so you dont "just" use it? its like with photos and watermarks
diddledan [1:42 PM] it's effectively a DRM that doesn't encrypt anything, AND gives you the keys in case they do encrypt it
dracco [1:42 PM] if i make a script that is "super-awesome" and does "x-y-z", i want to make it as hard as possible for others to use it without my permission
[1:43] you can surely download it and use it, but at least you wont use my bandwidth
[1:43] or would you like to host some files for me for free? and always keep it up to date?
diddledan [1:43 PM] yes, but you're talking about using javascript. I purely want to read some html that is public and wants the public to read it
dracco [1:44 PM] yea, then put a link to their website
diddledan [1:44 PM] how is cors helping here?
dracco [1:44 PM] ads?
[1:44] if u just download the contents, the site just list a visitor
[1:44] means lower revenue and less people will know about that site
diddledan [1:46 PM] but if I'm gonna do it anyway only via a server how is cors helping?
dracco [1:46 PM] it makes it harder
[1:46] its like a locked door
[1:46] you can still break in, pick a lock, but its harder
[1:46] prevents at least some attempts to steal the contents
diddledan [1:46 PM] but the resource is public. I'm not breaking anything by accessing it
dracco [1:46 PM] public for visitors (edited)
oskar_matpriskollen [1:47 PM] The browser doesn't know if a resource is public or not
diddledan [1:47 PM] @oskar_matpriskollen yes it does. if it can read it then it is public
dracco [1:47 PM] what about revenue?
[1:47] will your site also click ads and links?
diddledan [1:47 PM] if it has to provide credentials in some form then it isn't public
dracco [1:47 PM] and bring revenue to the site-b?
oskar_matpriskollen [1:48 PM] The server can read the request's cookies or IP address and present secret content for people who have logged into their site
dracco [1:48 PM] ok, example: ive got a website with hot news, its all free for public, but i have to pay for the server etc so i put ads on it
diddledan [1:48 PM] cors isn't about revenue - it is meant to be a protection from xss that is still gonna happen just as much
dracco [1:48 PM] so now visitor enters, maybe clicks some ads -> money for me
[1:48] your scripts gets the content -> no money for me
[1:48] now calculate
[1:49] is the "public content" free if site has ads?
[1:49] no, so you are getting non-free content
[1:49] without paying "by seeing ads"
diddledan [1:50 PM] so put it behind an authorisation mechanism, @dracco . cors is not authorisation it is protection against xss. it does not protect against the xss it supposedly is meant for
oskar_matpriskollen [1:50 PM] It does prevent cross-site... reading. For example if the HTML at website.com/mysettings contains user contact information.
dracco [1:51 PM] authentication? have you ever seen a newspaper site with auth xD?
[1:51] correction: which requires to log in to read anything
diddledan [1:54 PM] just because <site> doesn't do authorisation means that the content is freely available. you can't close the stable door after the horse has bolted to prevent the horse bolting
[1:54] if you don't want your content to be available. then don't make it available.
dracco [1:54 PM] no it doesnt, it means site makes money from people that visit the site
[1:54] do you know what are ads?
diddledan [1:54 PM] yes I know fully well what ads are.
dracco [1:55 PM] some sites might make money from ads
[1:55] if you fetch the content they make no money
diddledan [1:56 PM] yes. they "make money" from ads. You seem to be under the impression that adverts imply that content alongside an advert is somehow privileged
dracco [1:56 PM] not privileged, just its not free
[1:57] ive worked in a publishing sector, i know very well how it works and trust me, no publisher would like their content to be just taken without triggering ads
diddledan [1:58 PM] then those publishers must enforce advert views by requiring login
[1:58] cors is not about ensuring advertising revenue at all
dracco [1:58 PM] login means "hey visitor, get out of my site"
[1:58] so no money
[1:58] cors is about securing both sides
[1:59] if people would be forced to log in to read something, they wouldnt, even waiting for too long to read something makes them leave the site and not come back
[1:59] and you want them to spend like extra 2 minutes just to read a single article?