8

We are integrating two systems in an intranet, using CORS as a means of making AJAX calls across the two domains.

Is this considered bad practice? Is CORS in general considered bad practice?

SStBC
  • If it was, the W3C wouldn't have bothered writing a spec for it :) www.w3.org/TR/cors/ CORS solves a real need where we need two disparate websites to communicate with each other. We typically use JSONP these days, but that's a real hack. Once CORS is well supported, it will be the standard. Just use it wisely! – Mister Epic Nov 23 '13 at 15:35
  • I would not say it is bad practice. It can be tricky to get it to work correctly with every browser though. – aet Nov 23 '13 at 15:36
  • @MisterEpic, The rationale is wrong. Flash has a spec too but is bad practice. Java has a spec too but is bad practice. About *everything* has a spec. Has spec does not automatically mean not bad practice. – Pacerier Jan 26 '16 at 19:32

3 Answers

13

CORS isn’t bad practice. It is supported on all major browsers, and more and more APIs are supporting it. In fact, if you have a public resource that is not behind a firewall, it is safe to put the Access-Control-Allow-Origin: * header on the resource.

But there is some confusion over the role of CORS on a server. CORS should only dictate the cross-origin policy for a particular resource. In other words, the CORS headers are only meant to indicate whether requests from different origins are allowed. I think the confusion comes in because servers sometimes use CORS to dictate security policy as well. CORS is not security. If servers have resources that need to be protected from certain users, it is not safe to rely solely on the Origin header to enforce this. Your server needs some other mechanism for security (such as OAuth2 and CSRF protection).

monsur
  • CORS **is** about security, but not for the benefit of the server; it's for the benefit of its users/clients. – Pacerier Jan 26 '16 at 19:34
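Worked example of the separation monsur describes (added here, not code from any of the answers): a small Node.js request handler in which the CORS decision and the authorization decision are independent functions, with `Access-Control-Allow-Origin: *` for a public resource, an exact echoed origin for a credentialed one, and a cached preflight answer for the latency point raised in the last answer. The paths, the origin allow-list and the session check are hypothetical.

```javascript
// Added example (not from the original answers); paths, origins and the
// session token are hypothetical placeholders.
const RESOURCES = {
  '/public/status': { public: true },                                        // may answer with ACAO: *
  '/account': { public: false, origins: ['https://app.intranet.example'] }, // credentialed resource
};
// CORS headers for one request, or null when there is no Origin header
// (same-origin) or the origin is not allowed; the browser then blocks the read.
function corsHeaders(path, origin, method, requestedHeaders) {
  const policy = RESOURCES[path];
  if (!policy || !origin) return null;
  const headers = {};
  if (policy.public) {
    headers['Access-Control-Allow-Origin'] = '*';
  } else if (policy.origins.includes(origin)) {
    // Credentialed responses echo one exact origin, never '*', and Vary on
    // Origin so a shared cache never serves them to another origin.
    headers['Access-Control-Allow-Origin'] = origin;
    headers['Access-Control-Allow-Credentials'] = 'true';
    headers['Vary'] = 'Origin';
  } else {
    return null;
  }
  if (method === 'OPTIONS') {
    // Preflight: Max-Age lets the browser cache this answer, removing the
    // extra round trip from later requests to the same resource.
    headers['Access-Control-Allow-Methods'] = 'GET, POST';
    headers['Access-Control-Allow-Headers'] = requestedHeaders || 'Content-Type';
    headers['Access-Control-Max-Age'] = '600';
  }
  return headers;
}

// Authorization is decided separately from CORS: the Origin header is never
// consulted, so an allowed origin without a session still gets 401.
function authorize(path, sessionToken) {
  const policy = RESOURCES[path];
  if (policy && policy.public) return true;
  return sessionToken === 'valid-session'; // placeholder for a real session check
}
// Handler in the shape http.createServer(handle) expects.
function handle(req, res) {
  const cors = corsHeaders(req.url, req.headers.origin, req.method, req.headers['access-control-request-headers']);
  if (cors) for (const [k, v] of Object.entries(cors)) res.setHeader(k, v);
  if (req.method === 'OPTIONS') { res.writeHead(cors ? 204 : 403); return res.end(); }
  if (!authorize(req.url, req.headers['x-session'])) { res.writeHead(401); return res.end(); }
  res.writeHead(200, { 'Content-Type': 'application/json' });
  res.end(JSON.stringify({ path: req.url, ok: true }));
}
```

Start it with `require('http').createServer(handle).listen(8080)`; a GET to `/account` from a listed origin but without the session header still receives 401 even though the CORS headers are present.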
3

No, CORS is not considered bad practice. It's the standard way to do cross-domain AJAX calls (for browsers that support it). Bear in mind though that currently, depending on your exact requirements, there could be lots of pitfalls to make it work cross-browser. For example, if you want to be able to set cross-domain cookies, be prepared to suffer with Internet Explorer.

So basically, if you can make CORS work for your needs, go ahead and use it.

Darin Dimitrov
0

There is some latency overhead caused by CORS preflight requests. More here

FunctorPrototype