
"Note that CORS preflight requests are not made for GET HEAD POST requests with default headers."

What are these "default" headers? I have seen access-control-allow- response headers when making HTTP requests. I do not send unnecessary headers. Perhaps some of the ones I do not send are considered "default".

"Thus CORS is a way of selectively loosening security not of tightening it."

Proxy config I use scrubs all CORS headers. As the author states, CORS is irrelevant outside the browser. I make most HTTP requests outside the ("modern") browser anyway.

"Overall, as the web grows in terms of features and complexity, the attack surface also grows correspondingly large."

Job security for some people, I guess.

Apparently there is not sufficient incentive to simplify things (by subtraction not addition).
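The "default" headers the quoted article refers to are what the Fetch standard calls CORS-safelisted request headers. The following is an added example (not from the comment or the article) that applies those rules to decide whether a browser would send a preflight OPTIONS request; the Range header's special case is omitted, and lengths are measured in characters rather than bytes.

```javascript
// Decide whether a cross-origin request is "simple" (no preflight) under the Fetch
// standard's CORS-safelisted method and header rules.
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// A "CORS-unsafe request-header byte": controls other than HT, and a set of
// delimiters. Any of these in an Accept or Content-Type value forces a preflight.
function hasCorsUnsafeByte(value) {
  return /[\x00-\x08\x0A-\x1F"():<>?@[\\\]{}\x7F]/.test(value);
}

function isSafelistedHeader(name, value) {
  if (value.length > 128) return false; // safelisted values are capped at 128 bytes
  switch (name.toLowerCase()) {
    case "accept":
      return !hasCorsUnsafeByte(value);
    case "accept-language":
    case "content-language":
      // only digits, letters, space, '*', ',', '-', '.', ';', '=' are allowed
      return /^[0-9A-Za-z *,\-.;=]*$/.test(value);
    case "content-type": {
      if (hasCorsUnsafeByte(value)) return false;
      // compare the MIME essence only, so "text/plain;charset=UTF-8" still qualifies
      const essence = value.split(";")[0].trim().toLowerCase();
      return SAFE_CONTENT_TYPES.has(essence);
    }
    default:
      // Authorization, X-Requested-With, custom headers, ... always trigger a preflight
      return false;
  }
}

// headers: plain object mapping request header name -> value
function needsPreflight(method, headers = {}) {
  if (!SAFE_METHODS.has(method.toUpperCase())) return true;
  return Object.entries(headers).some(([k, v]) => !isSafelistedHeader(k, v));
}
```

Note that a request that skips the preflight is still sent to the server, which is why the article calls CORS a loosening rather than a tightening: the server's own checks, not the browser, must reject unwanted cross-origin writes.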
