72
CORS is Stupid - Kevin Cox
(kevincox.ca)
Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!
Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.
Hope you enjoy the instance!
Rules
Follow the wormhole through a path of communities !webdev@programming.dev
And that assumption is exactly what led us to the current situation.
It doesn't matter, why the present is garbage, it's garbage and we should address that. Statements like this are the engineering equivalent of "it is what it is shrug emoji".
Take a step back and look at the pile of overengineered yet underthought, inefficient, insecure and complicated crap that we call the modern web. And it's not only the browser, but also the backend stack.
Think about how many indirections and half-baked abstraction layers are between your code and what actually gets executed.
No, what I wrote is nothing like that. Please re-read until you understand it better.
Of course it is like that. You're saying that the complaint is wrong because the author doesn't know the history, and now you accuse me of not understanding you, because I pointed this out.
If you have to accuse everyone of "not understanding", maybe you're the one who doesn't understand.
That's not at all what he said. He literally even said "He’s not wrong in principle."
If you don't understand the history of why something is the way it is you can't fix it. You can suggest your new "perfectly secured web site" but if Amazon, Microsoft, Google, Firefox, Apple, etc. don't agree on your new protocol then there's going to be exactly 1 person using it.
See also: Chesterton’s Fence.
I'd not heard of that before, thanks!
I don't think your opinion is grounded on reality. The "it is what it is" actually reflects the facts that there is no way to fix the issue in backwards-compatible ways, and it's unrealistic to believe that vulnerable frameworks/websites/webservices can be updated in a moment's notice, or even at all. This fact is mentioned in the article. Those which can be updated already moved onto a proper authentication scheme. Those who didn't have to continue to work after users upgrade their browser.
A lot of the web used to run on flash. Then apple comes around and says "flash is terrible and insecure". Within a number of years everything moved away from flash, so it's definitely possible to force the web in new directions.
And most old Flash content is basically gone now.
Think about that, and then...what, exactly? As a website author, you don't control the browser. You don't control the web standards.
I'm extremely sympathetic to this way of thinking, because I completely agree. The web is crap, and we shouldn't be complacent about that. But if you are actually in the position of building or maintaining a website (or any other piece of software), then you need to build on what already exists, unless you're in the exceedingly rare position of being able to near-unilaterally make changes to an existing platform (as Google does with Chrome, or Microsoft and Apple do with their OSes) or to throw out a huge amount of standard infrastructure and start as close to "scratch" as possible (e.g. GNU Hurd, Mill Computing, Oxide, Redox OS, etc; note that several of these are hobby projects not yet ready for "serious" use).
Okay, and how would you address it? The limitation is easy to criticize when you can think in a vacuum about it. But in the real world, we'd need to find a way to change things that can actually be implemented by everyone.
Which usually means transformative change.
The problem is fixing it without inadvertently breaking for someone else. Changing the default behavior isn’t easy.
There’s probably some critical systems that relies on old outdated practices because that’s the way it worked when it was written 20 years ago. Why should they go back and fix their code when it has worked perfectly fine for the past two decades?
If you think anything in software has worked "perfectly fine for the past two decades", you're probably not looking closely enough.
I exaggerate, but honestly, not much.
Billions of programs worked perfectly fine today.
Cynicism is easy, but not helpful.
Yes, popular programs behave correctly most of the time.
But "perfectly fine for the last two decades" would imply a far lower rate of CVEs and general reliability than we actually have in modern software.