Julia Evanswhat makes CORS hard to use?
Glyph@b0rk silent and confusing failure modes. it's annoying to set up a browser in such a way that you can even see the headers at all, let alone exactly what the browser is parsing, how it's matching, etc. No way to articulate to any debug tool I've ever used, "I expect *this* to work, tell me why it isn't"
@glyph thanks, I thought that the info was always there in the Network tab but I checked and you can't see anything about the OPTIONS request at all
@b0rk I only have to do this once every few years, and I think I manage to dig it out somehow on the client debugging side, but whatever the trick is I always forget, or they change the UI around. (Maybe I'm just misremembering and I dig it out on the server side.) But there is *definitely* no indication of why it did/didn't match if you have some typo in a header value.
@b0rk (Also, speaking of misremembering things, I vaguely recall that there are some reasons why it might not even *send* the preflight at all? Caching, or something? Also extremely hard to figure out, although this might be more of a 'networking' thing than a 'browser' thing)
@b0rk (Also also: very excited to see if you write something about CORS, your style would be EXACTLY what I need every time I bump into this problem again :))
@glyph i wrote about it maybe 6 years ago but I'm thinking of revisiting it
the 6-years-ago comics:
- the same origin policy: https://wizardzines.com/comics/same-origin-policy/
- why we have the same origin policy: https://wizardzines.com/comics/why-same-origin-matters/
- cors: https://wizardzines.com/comics/cors/
