something I don't think I've ever seen explained is whether there's any situation where it's safe to set "Access-Control-Allow-Origin: *" other than "if your site literally never serves any private data"

(I often hear "don't do it" which is fair I guess, but also like the Mastodon API intentionally sets Access-Control-Allow-Origin: * and that's extremely useful)

@b0rk seems fine if you have other ways of doing auth. e.g. any oauth-guarded thing has little reason to filter by caller.
@groxx oh that makes sense, like it's fine if you're not using cookies for auth

@b0rk I also feel like people forget that POST is fine cross-origin. You just can't read the response (beyond status code): https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CORS#simple_requests

(This is why CSRF has been a thing since well before CORS came about)

The rules around cross-origin POSTing are a bit complex / restricted nowadays, but the most common stuff has worked since the very earliest days of HTTP until now.


@groxx I find it so hard to remember which POSTs are allowed and which aren't (like an "application/x-www-form-urlencoded" content type is allowed but "application/json" isn't??)

the rules feel arbitrary to me, kind of like they wanted to restrict POSTs more but couldn't because of backwards compatibility

@b0rk very much that I think, yeah. but aside from the first time (per project because everyone always forgets the details immediately after) it's not like being restricted to form encoding is much of an issue, just make a "body" field and put json data in it
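The two browser-side checks this thread circles around, written out as an added example (not code from anyone in the thread): which cross-origin requests skip the preflight and therefore always reach the server, and when a response with `Access-Control-Allow-Origin: *` can actually be read by the calling page. The safelists follow the Fetch spec's CORS-safelisted method and header definitions; the per-value byte rules (e.g. the 128-byte limit on safelisted header values) are left out as a simplification.

```javascript
// Added example, not from the thread. Two checks a server author can use to
// reason about CORS:
//  1. isSimpleRequest: does a cross-origin request skip the preflight? Simple
//     requests always reach the handler, so CORS cannot stop a cross-origin
//     POST to them and the handler needs its own CSRF defence.
//  2. responseReadable: may the calling page read the response? Mirrors the
//     check a browser runs on the response's CORS headers.
// Simplification: the Fetch spec's per-value byte rules (e.g. the 128-byte
// limit on safelisted header values, "simple" Range values) are omitted.

const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set([
  "accept", "accept-language", "content-language", "content-type", "range",
]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

function isSafelistedContentType(value) {
  // Only the MIME essence matters: "text/plain; charset=utf-8" is still
  // simple, while "application/json" never is.
  return SAFE_CONTENT_TYPES.has(value.split(";")[0].trim().toLowerCase());
}

// headers: plain object mapping request header name -> value.
function isSimpleRequest(method, headers) {
  if (!SAFE_METHODS.has(method.toUpperCase())) return false;
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    // Any non-safelisted header (e.g. Authorization, X-Requested-With)
    // forces a preflight.
    if (!SAFE_HEADERS.has(lower)) return false;
    if (lower === "content-type" && !isSafelistedContentType(value)) return false;
  }
  return true;
}

// origin: the requesting page's origin. credentialed: the request carried
// cookies or HTTP auth. acao / acac: the response's Access-Control-Allow-
// Origin and Access-Control-Allow-Credentials header values, or null.
function responseReadable(origin, credentialed, acao, acac) {
  if (acao === null) return false;
  // Without credentials, "*" or an exact origin match is enough. This is the
  // "fine if you're not using cookies for auth" case from the thread.
  if (!credentialed) return acao === "*" || acao === origin;
  // With credentials, "*" is never accepted; the server must echo the exact
  // origin and opt in to credentials explicitly.
  return acao === origin && acac === "true";
}
```

A form-encoded POST is classified as simple while a JSON POST is not, which is exactly the distinction the thread finds hard to remember; and a cookie-authenticated request never gets a readable response from a `*` server, which is why `*` is safe only when auth does not ride on ambient browser credentials.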