Hacker News: Beltiras's comments

Every ad GET is doing a lot of things that violate that edict.

Yes, but if ads do it, that would at worst make the ad server vulnerable, not your server.

You apparently understand less than me. The little I do understand is that CORS is protection for a site's user, not the site.

It's a protection of site's business model.

I don't understand it. And I'm a web developer. I don't understand the documentation, I don't understand the problem it's trying to solve and I don't understand how it's going about a solution of any problem. The closest I've come to an understanding is that it's meaningless make-work for a ledger of http calls that are not giving any security.

Back in the day when I started web development, websites making their own requests after they loaded wasn't a thing. Eventually, XMLHttpRequest appeared, which let JS do HTTP requests at (page) runtime, and the whole "AJAX movement" kicked off.

Initially, you could literally hit any website with any sort of request, so your website.com could make requests to bank.com, and the browser happily obliged. Of course, this opens up a whole host of issues, so browsers started limiting websites to just being allowed to make requests to the same Origin. But sometimes we want to be able to make requests from pages to other Origins, so CORS (Cross-Origin Resource Sharing) lets you configure your server to tell browsers that "You're allowed to make requests to me, even if you're on a different origin".

This is basically the simplified version of the why and how behind CORS.


> Initially, you could literally hit any website with any sort of request, so your website.com could make requests to bank.com, and the browser happily obliged. Of course, this opens up a whole host of issues, so browsers started limiting websites to just being allowed to make requests to the same Origin.

I think that’s overstating it a bit. JavaScript was introduced in Netscape 2.0 and the SOP was introduced pretty much straight away – Netscape 2.0.2 I believe. Almost 20 years passed and then CORS was created. So while it’s technically true, the timeframe in which JavaScript could make any cross-origin requests was basically the blink of an eye, and for all intents and purposes, the SOP has been around since the beginning and definitely many, many years before Ajax came around.


Yeah, definitely I was simplifying a lot, borderline misleading perhaps even.

Before XMLHTTPRequest there was also a time we were doing requests via ActiveX, but I did it so briefly I barely remember how it worked by now, and I'm 99% sure this was exclusively in IE as well, maybe IE4 or IE5. I'm not sure if the issue mentioned earlier with cross-origin requests may have been exclusive to IE as well, but I think there was a larger window than "blink of an eye" that it was an issue.

But again, this was all a long time ago, and it was in the beginning of my career, I might misremember and you may very well be right.


XMLHTTPRequest was originally an ActiveX object (something like ActiveXObject("Microsoft.XMLHTTP")), that’s probably what you are thinking of. You couldn’t make cross-domain requests with it though. Other browsers then implemented XMLHTTPRequest based on the ActiveX object, and then Internet Explorer supported XMLHTTPRequest and dropped ActiveX.

Before that, people who wanted to make cross origin requests sometimes used Flash but I think that always needed a crossdomain.xml file to work. JSONP was also used, which is where you source a <script> from the remote that calls a function in your own context to pass information in. You needed to be a little more careful with that, but only because you were deliberately passing information in; the browser couldn’t read it by itself.

I’m pretty sure the SOP has been effective in all non-Netscape browsers from as soon as they started supporting JavaScript.
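The JSONP pattern the comment above describes, as an added example that is not code from the thread: the "server" side wraps the data in a call to the callback name the page supplied, and the "page" side shows why that works (the script runs in the page's own context, so the data arrives as a function argument). The callback name comes from the query string, so the one thing the endpoint must do is validate it; the regex, the `/**/`-free response shape and the sample data are assumptions for illustration.

```javascript
// Added example, not from the discussion: JSONP in miniature.

// The callback name is attacker-controlled (it arrives as ?callback=...). Without this
// check, a request such as ?callback=alert(document.cookie)// makes the API echo script
// on its own origin, i.e. a reflected XSS. Limit it to a plain identifier.
const CALLBACK_NAME = /^[A-Za-z_$][\w$]{0,63}$/;

// "Server" side: produce the script body for a JSONP response.
function jsonpResponse(callbackName, data) {
  if (!CALLBACK_NAME.test(callbackName)) {
    throw new Error('invalid JSONP callback name');
  }
  // U+2028 / U+2029 are legal inside JSON strings but were line terminators in
  // older JavaScript engines, so escape them to keep the emitted script valid.
  const body = JSON.stringify(data)
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  return `${callbackName}(${body});`;
}

// "Page" side: simulate what <script src="https://api.example/data?callback=cb"> does.
// A real browser evaluates the fetched text in the page's global scope, where the page
// has defined window.cb; here the callback is bound explicitly instead of via window.
function consumeJsonp(scriptText, callbackName) {
  let received;
  const bindings = { [callbackName]: (payload) => { received = payload; } };
  new Function(...Object.keys(bindings), scriptText)(...Object.values(bindings));
  return received;
}

// Constructed sample data, standing in for whatever the remote API would return.
const SAMPLE = { user: 'beltiras', karma: 42 };
console.log(jsonpResponse('handle', SAMPLE));              // handle({"user":"beltiras","karma":42});
console.log(consumeJsonp(jsonpResponse('handle', SAMPLE), 'handle'));
```

The browser never "reads" the remote response here; the remote script simply calls a function the page chose, which is why the same-origin policy does not get in the way and why the server, not the page, is the one that must be careful about what it echoes.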


Looks like that largely affected things loaded by <script> tags, and either it was opt-in or didn't affect XMLHTTPRequest/fetch. The big change where we had to start dealing with cross-origin security didn't happen until the 2010s with CORS.

CORS isn’t designed to increase security, since the same-origin policy is a secure default.

It’s a mechanism to allow pages to access servers that they can’t by default - with the permission of the server operator.


Yeah, basically Same-Origin Policy (https://en.wikipedia.org/wiki/Same-origin_policy) was the part that increased security, as it prevented websites (in browsers) from making arbitrary requests to arbitrary 3rd party websites.

Cross-Origin Resource Sharing (https://en.wikipedia.org/wiki/Cross-origin_resource_sharing) is one way to relax the Same-Origin Policy, so you essentially whitelist what actually can be shared across Origins. To be used when the default Same-Origin Policy is too strict.

Overall I think it's a really simple concept, but libraries/frameworks/docs seem to constantly over-complicate it with their explanations.


But the combination of the two reduces security in the same manner as absurd password requirements cause people to write down their passwords.

A strong security measure without a reliable way to do the things you want to do induces people to bypass the security altogether.

Security designers generally are ok with this because they consider usability or user behaviour to be not their responsibility.


If you're hosting some 3rd party api that's safe to call client side then you send some header that says so. The problem is when it's not safe and devs try to bypass (a reliable way to do the things they want).

The solution is to convince devs to not want to do those things.


CORS allows JavaScript to make requests to different domains than the origin of the page. By default (without CORS), JavaScript can only communicate with the origin domain.
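The mechanism the comments above describe (the server "sending a header that says so", the browser only reading the response when that header names the page's origin, and the reflect-any-origin shortcut developers reach for when the policy is in the way), as an added example that is not code from the thread. Both halves are modelled as plain functions so they can be run offline; the allowlist, origins and method list are assumptions for illustration, and the check mirrors the CORS rules in the Fetch standard rather than any particular browser's code.

```javascript
// Added example, not from the discussion: the CORS decision on both sides.

// Server side: origins allowed to read this API from a browser page (assumed).
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);

// Headers to attach to a normal response, given the request's Origin header.
// Returning no headers does not stop the request: a simple GET/POST still reaches
// the server and still carries cookies; it only stops the page from reading the reply.
function corsResponseHeaders(requestOrigin, allowCredentials = false) {
  if (!requestOrigin || !ALLOWED_ORIGINS.has(requestOrigin)) return {};
  const headers = {
    'Access-Control-Allow-Origin': requestOrigin, // echo the exact origin; '*' is not allowed with credentials
    'Vary': 'Origin',                             // shared caches must key on Origin
  };
  if (allowCredentials) headers['Access-Control-Allow-Credentials'] = 'true';
  return headers;
}

// Preflight (OPTIONS) answer for a request that is not "simple": custom headers,
// PUT/DELETE, JSON bodies. The browser sends this before the real request.
const ALLOWED_METHODS = ['GET', 'POST', 'PUT', 'DELETE'];
function corsPreflightHeaders(requestOrigin, requestedMethod, requestedHeaders) {
  const base = corsResponseHeaders(requestOrigin);
  if (Object.keys(base).length === 0) return {};
  if (!ALLOWED_METHODS.includes(requestedMethod)) return {};
  return {
    ...base,
    'Access-Control-Allow-Methods': ALLOWED_METHODS.join(', '),
    'Access-Control-Allow-Headers': requestedHeaders.join(', '),
    'Access-Control-Max-Age': '600',
  };
}

// The shortcut taken when CORS "gets in the way": echo whatever Origin arrives and
// allow credentials. Any site can now read the authenticated response.
function reflectAnyOriginHeaders(requestOrigin) {
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Browser side: may the page at pageOrigin read a response carrying these headers?
function browserMayReadResponse(pageOrigin, responseHeaders, withCredentials = false) {
  const acao = responseHeaders['Access-Control-Allow-Origin'];
  if (acao === undefined) return false;            // no header: same-origin policy applies
  if (acao === '*') return !withCredentials;       // wildcard never works with credentials
  if (acao !== pageOrigin) return false;           // must name this exact origin
  if (withCredentials && responseHeaders['Access-Control-Allow-Credentials'] !== 'true') return false;
  return true;
}

// Constructed scenario: the allowed app can read, a third-party page cannot,
// unless the server reflects origins.
console.log(browserMayReadResponse('https://app.example.com', corsResponseHeaders('https://app.example.com')));          // true
console.log(browserMayReadResponse('https://other.example', corsResponseHeaders('https://other.example')));              // false
console.log(browserMayReadResponse('https://other.example', reflectAnyOriginHeaders('https://other.example'), true));   // true
```

The part to keep in mind when reading the thread: none of this changes what the server receives. CORS only decides what the page is allowed to see, so a server that is unsafe to call from a third-party page is still unsafe whether or not it sends these headers; the headers just decide whether the third party also gets the answer.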

I've had my hair on fire because my app code shit the bed. I've never ever (throughout 15 years of using it in everything I do) had to even think about Postgres, and yes, I always set it up self-hosted. The only concern I've had is when I had to do migrations where I had to upgrade PG to fit with upgrades in the ORM database layer. Made for some interesting stepping-stone upgrades once in a while but mostly just careful sysadmining.


Hard scifi that goes from 1997 to beyond the heat death of the universe.


Given that you want to solve problems with a computer, what is the alternative to code?


Why do you want to use a computer? When I hang pictures I have never once thought “I want to use a hammer”


That is almost never truly a given. And even if it is, how you use the computer can be more important than the code.

And if you already have some code, simplifying it is also an option.


Restating the context as one where the problem doesn't exist.

Any fool can write code.


If there isn't one, then as little code as possible.


Same as it ever was.


Their track record is such that if I got a similar call my first question when possible would be how I was being reimbursed. They are welcome to fork anything of mine if they observe the license attached. I will take a look at any PR. I will NOT spend time explaining anything to their engineers unless reimbursed at my regular rates.


I hope by regular rates you mean your Enterprise rate that is 10-50x your regular rate. :)


Backblaze can lose 3/20 hard drives and still recover the data from parity drives. They don't have to rely on recovering it from non-operative drives unless they become unbelievably unlucky.


I had an insight when learning about the Halting Problem. There is a class of programs for which the Halting Problem is solvable since you can use circuit analysis to see if well-formed loops halt. We should strive to write programs in that class since then we know that the execution, long as it may be, will yield a result.


I found after starting to apply mise en place that when I wasn't doing it I was still quicker than before. I fetched more things from each cupboard or fridge when I opened them, even if I wasn't measuring out the item into a container beforehand.

