# Pastebin nN0r81uD

diddledan [1:28 PM] CORS is killing me :disappointed:
[1:29] why would a public resource on third-party site ever be able to tell me I'm not allowed to read it in the browser on the premise that I'm gonna shoot my own foot off?
[1:30] specifically I am trying to read some html on a public page on a third-party site to scrape a URL from it. but fetch says I'm not allowed to do that because the third party says CORS is not allowed
[1:30]
dracco [1:32 PM] @diddledan some external resources might contain malicious code, you don't want that on your site do you?
[1:33] that's the reason for CORS to block connections
diddledan [1:33 PM] but those external resources will surely know they're serving bad stuff so set the CORS header to allow it in my site
dracco [1:34 PM] well the other direction is protecting others' properties :stuck_out_tongue:
diddledan [1:34 PM] I don't understand why running would not set a cors header to allow to embed
dracco [1:34 PM] well as a i might not want some to use wrote just for :stuck_out_tongue:
diddledan [1:35 PM] how does cors prevent that?
[1:35] if they really want it they'll do it anyway
dracco [1:35 PM] how would you download my script without me enabling cors?
diddledan [1:36 PM] curl http://yourserver.example.com/script.js -o my-site/stolen-script.js
dracco [1:36 PM] from the website
[1:36] on your website
dancotton [1:37 PM] I'd stick a proxy in the middle that requests the file & streams it back but with a CORS header - but that's going a bit far :joy:
[1:37] I think it's more a deterrent than anything else
dracco [1:37 PM] if i don't enable cors, proxy won't fetch it too
diddledan [1:37 PM] @dancotton exactly my point.
if you can proxy it then there is no protection from cors
dancotton [1:38 PM] it would if it's server->server - unless you manually do a hard check on the req origin
dracco [1:38 PM] unless proxy will run curl (or other wget) and send it via http:80
diddledan [1:38 PM] but I think it's crazy stupid to have to set up a nodejs server just to access a resource that I should be able to access anyway
dracco [1:39 PM] but still, if a thief can break into your house, why would you lock the door anyway?
[1:39] thief can break in anyway, so why bother :stuck_out_tongue:?
[1:39] same principle here
[1:40] the fact that it's still possible doesn't mean it should be easy
diddledan [1:40 PM] it's a protection for a non-problem. site-a wants access to site-b, but cors on site-b says no, so I set up a nodejs and access it anyway at the expense of having to maintain a server that shouldn't be needed!
dracco [1:40 PM] if site-b does NOT want you to use their script, you should have all the additional expenses (both in money and time) to get that script
[1:41] if site-b wants you to get the script, it will just unlock CORS
[1:41] not everybody can set up the node server
diddledan [1:41 PM] but why would site-b want me to not touch their html that they make publicly available?
dracco [1:42 PM] so you don't "just" use it? it's like with photos and watermarks
diddledan [1:42 PM] it's effectively a DRM that doesn't encrypt anything, AND gives you the keys in case they do encrypt it
dracco [1:42 PM] if i make a script that is "super-awesome" and does "x-y-z", i want to make it as hard as possible for others to use it without my permission
[1:43] you can surely download it and use it, but at least you won't use my bandwidth
[1:43] or would you like to host some files for me for free? and always keep it up to date?
diddledan [1:43 PM] yes, but you're talking about using javascript.
I purely want to read some html that is public and wants the public to read it
dracco [1:44 PM] yea, then put a link to their website
diddledan [1:44 PM] how is cors helping here?
dracco [1:44 PM] ads?
[1:44] if u just download the contents, the site just lost a visitor
[1:44] means lower revenue and less people will know about that site
diddledan [1:46 PM] but if I'm gonna do it anyway only via a server how is cors helping?
dracco [1:46 PM] it makes it harder
[1:46] it's like a locked door
[1:46] you can still break in, pick a lock, but it's harder
[1:46] prevents at least some attempts to steal the contents
diddledan [1:46 PM] but the resource is public. I'm not breaking anything by accessing it
dracco [1:46 PM] public for visitors (edited)
oskar_matpriskollen [1:47 PM] The browser doesn't know if a resource is public or not
diddledan [1:47 PM] @oskar_matpriskollen yes it does. if it can read it then it is public
dracco [1:47 PM] what about revenue?
[1:47] will your site also click ads and links?
diddledan [1:47 PM] if it has to provide credentials in some form then it isn't public
dracco [1:47 PM] and bring revenue to the site-b?
oskar_matpriskollen [1:48 PM] The server can read the request's cookies or IP address and present secret content for people who have logged into their site
dracco [1:48 PM] ok, example: i've got a website with hot news, it's all free for public, but i have to pay for the server etc so i put ads on it
diddledan [1:48 PM] cors isn't about revenue - it is meant to be a protection from xss that is still gonna happen just as much
dracco [1:48 PM] so now visitor enters, maybe clicks some ads -> money for me
[1:48] your script gets the content -> no money for me
[1:48] now calculate
[1:49] is the "public content" free if site has ads?
[1:49] no, so you are getting non-free content
[1:49] without paying "by seeing ads"
diddledan [1:50 PM] so put it behind an authorisation mechanism, @dracco. cors is not authorisation, it is protection against xss.
it does not protect against the xss it supposedly is meant for
oskar_matpriskollen [1:50 PM] It does prevent cross-site... reading. For example if the HTML at website.com/mysettings contains user contact information.
dracco [1:51 PM] authentication? have you ever seen a newspaper site with auth xD?
[1:51] correction: which requires to log in to read anything
diddledan [1:54 PM] just because doesn't do authorisation means that the content is freely available. you can't close the stable door after the horse has bolted to prevent the horse bolting
[1:54] if you don't want your content to be available, then don't make it available.
dracco [1:54 PM] no it doesn't, it means site makes money from people that visit the site
[1:54] do you know what ads are?
diddledan [1:54 PM] yes I know fully well what ads are.
dracco [1:55 PM] some sites might make money from ads
[1:55] if you fetch the content they make no money
diddledan [1:56 PM] yes. they "make money" from ads. You seem to be under the impression that adverts imply that content alongside an advert is somehow privileged
dracco [1:56 PM] not privileged, just it's not free
[1:57] i've worked in the publishing sector, i know very well how it works and trust me, no publisher would like their content to be just taken without triggering ads
diddledan [1:58 PM] then those publishers must enforce advert views by requiring login
[1:58] cors is not about ensuring advertising revenue at all
dracco [1:58 PM] login means "hey visitor, get out of my site"
[1:58] so no money
[1:58] cors is about securing both sides
[1:59] if people were forced to log in to read something, they wouldn't; even waiting too long to read something makes them leave the site and not come back
[1:59] and you want them to spend like an extra 2 minutes just to read a single article?