 

How does CORS plugin / --disable-web-security work on browser?

I'm sure I'm not the only one who has used/uses CORS plugins for browsers or the --disable-web-security flag while making API calls to external (or even internal) API endpoints. I used this plugin to make Google Maps related API calls. But within the same application, ParseSDK API calls needed no CORS plugin or --disable-web-security flag.

My question is : Why are these endpoints acting differently and how does CORS plugin solve the problem (even though we don't have control over those APIs)?

Thanks in advance.

Prashant Ghimire asked Jul 04 '16 22:07


2 Answers

Well, what that plugin does is highly irresponsible; it actually disables the same origin policy, which enforces that a website on a specific origin can only make requests to that origin.

The same origin policy actually just prevents a website from reading the response of a GET/POST request; the request itself is made, because it's considered safe.

Over time this good security feature became a burden and people used workarounds like JSONP.

So we got a new, standardized way to access foreign origins:

CORS (Cross-Origin Resource Sharing) is a mechanism that allows a web server to specify that another origin is allowed to access its content. This is done with Access-Control-Allow-Origin: example.com which allows example.com to access the response even if the response is from a different origin.

The Access-Control-Allow-Credentials: true would also allow the credentials, which includes cookies and HTTP Basic authentication to be sent within the request.

You can also specify a wildcard for Access-Control-Allow-Origin: *, which allows all websites to access this response. However when you do this you have to specify Access-Control-Allow-Credentials: false, so no credentials are exposed.

This is the only correct way to implement a publicly accessible AJAX API on the internet.

However, this plugin simply disables the same origin policy completely, which is extremely dangerous.

Lux answered Oct 06 '22 01:10
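The server side of what this answer describes, as an added example that is not part of the original post or of any CORS extension: a small Node.js API that answers a public, anonymous endpoint with `Access-Control-Allow-Origin: *` and never allows credentials alongside it, and answers a credentialed endpoint by echoing only an allowlisted origin (with `Vary: Origin` so caches do not leak one origin's allow header to another). The origins in `ALLOWED_ORIGINS`, the allowed methods and the port are assumptions made for illustration.

```javascript
// Added example, not code from the original post or from any CORS extension:
// the server side of CORS as described in the answer above, for a Node.js API.
// ALLOWED_ORIGINS, ALLOWED_METHODS and the port are assumptions for illustration.

const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',   // assumed first-party front end
  'https://admin.example.com', // assumed second front end
]);
const ALLOWED_METHODS = new Set(['GET', 'POST']);

// Decide which CORS headers to send for a request from `origin`.
//  - Public, anonymous API: answer "*" and never allow credentials.
//  - Credentialed API (cookies / HTTP auth): echo the exact origin, and only if it
//    is on the allowlist; browsers reject "*" together with credentials anyway.
function corsHeaders(origin, { allowCredentials = false, allowlist = ALLOWED_ORIGINS } = {}) {
  if (!origin) return {}; // same-origin page or non-browser client: nothing to add
  if (!allowCredentials) {
    return { 'Access-Control-Allow-Origin': '*' };
  }
  if (!allowlist.has(origin)) return {}; // unknown origin: no ACAO header, so the browser blocks the read
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    // The response now depends on the Origin request header; tell caches so
    // one origin's allow header is never served to another origin.
    'Vary': 'Origin',
  };
}

// Headers for a preflight (OPTIONS) request, or null if it must be refused.
function preflightHeaders(origin, requestedMethod, requestedHeaders, opts) {
  const base = corsHeaders(origin, opts);
  if (!base['Access-Control-Allow-Origin']) return null;
  if (!ALLOWED_METHODS.has((requestedMethod || '').toUpperCase())) return null;
  return {
    ...base,
    'Access-Control-Allow-Methods': [...ALLOWED_METHODS].join(', '),
    // Echo only the headers the browser asked about (e.g. "content-type").
    'Access-Control-Allow-Headers': requestedHeaders || 'Content-Type',
    'Access-Control-Max-Age': '600', // let the browser cache this preflight for 10 minutes
  };
}

// Minimal HTTP wiring; http is required lazily so the header logic above can be
// imported and tested without starting a server.
function createServer(opts) {
  const http = require('node:http');
  return http.createServer((req, res) => {
    const origin = req.headers.origin;
    if (req.method === 'OPTIONS') {
      const h = preflightHeaders(
        origin,
        req.headers['access-control-request-method'],
        req.headers['access-control-request-headers'],
        opts,
      );
      res.writeHead(h ? 204 : 403, h || {});
      return res.end();
    }
    res.writeHead(200, { 'Content-Type': 'application/json', ...corsHeaders(origin, opts) });
    res.end(JSON.stringify({ path: req.url, ok: true }));
  });
}

if (typeof require !== 'undefined' && require.main === module) {
  // Credentialed mode: only the allowlisted origins above may read responses.
  createServer({ allowCredentials: true }).listen(8080, () => {
    console.log('CORS demo API listening on http://localhost:8080');
  });
}
```

Run it with `node cors-server.js` and issue `curl -i -H 'Origin: https://evil.example' http://localhost:8080/status`: the response carries no `Access-Control-Allow-Origin` at all, which is the correct way to deny an origin (the browser then refuses to expose the body to the page). Switching to `createServer()` without options gives the public `*` mode, where `Access-Control-Allow-Credentials` is never emitted.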


The link you posted (did you read the description?) specifies exactly what the extension does - it adds the Access-Control-Allow-Origin: * header to all responses. This is a CORS header that normally the server sends to notify the browser that you are allowed to make requests from arbitrary origins.

Parse SDK probably supports CORS on their server end.

Just for your information, when most people say CORS they are not referring to a browser extension. They're referring to the web standard called CORS. Documentation below.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS

Matti Virkkunen answered Oct 06 '22 00:10
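The browser's side of the check described in both answers, as an added example that is not part of the original post, of any browser, or of any extension: a model of the decision a browser makes before it lets a page read a cross-origin response, what an extension that injects `Access-Control-Allow-Origin: *` into every response changes about that decision, and what `--disable-web-security` changes. The sample responses are constructed for illustration (they are not captured from Google Maps or Parse), and `https://app.example.com` / `https://evil.example` are assumed origins.

```javascript
// Added example, not code from the original post or from any browser or
// extension: a model of the check a browser performs before it lets a page read
// a cross-origin response, plus what an "inject ACAO: *" extension changes.
// Sample responses below are constructed; the origins are assumptions.

// Returns true if a page at `pageOrigin` may read a response carrying these
// headers. `withCredentials` models fetch's credentials: 'include' (or XHR's
// withCredentials = true); `sopDisabled` models --disable-web-security.
function browserMayRead(pageOrigin, responseHeaders, { withCredentials = false, sopDisabled = false } = {}) {
  if (sopDisabled) return true; // no same-origin policy at all: any site reads any response

  const allowOrigin = responseHeaders['access-control-allow-origin'];
  if (!allowOrigin) return false; // server never opted in: the response stays opaque to the page

  if (allowOrigin === '*') {
    // The wildcard is honoured only for anonymous requests; a credentialed
    // request answered with "*" is blocked by the browser.
    return !withCredentials;
  }
  if (allowOrigin !== pageOrigin) return false; // the server allowed some other origin, not this one
  if (withCredentials) {
    return responseHeaders['access-control-allow-credentials'] === 'true';
  }
  return true;
}

// What the extension does: stamp "Access-Control-Allow-Origin: *" onto every
// response before the browser's check above runs.
function extensionRewrite(responseHeaders) {
  return { ...responseHeaders, 'access-control-allow-origin': '*' };
}

// Constructed sample responses (lower-cased header names, as Node exposes them).
const SAMPLE = {
  noCors:       { 'content-type': 'application/json' },                                    // server with no CORS opt-in
  publicCors:   { 'content-type': 'application/json', 'access-control-allow-origin': '*' }, // public API
  credentialed: {
    'content-type': 'application/json',
    'access-control-allow-origin': 'https://app.example.com',
    'access-control-allow-credentials': 'true',
  },
};

// Walk the situations from the question: a page at an assumed origin calling
// each kind of endpoint, with and without the extension or the flag.
function scenarios(pageOrigin = 'https://app.example.com') {
  const out = {};
  out.noCorsPlain = browserMayRead(pageOrigin, SAMPLE.noCors);                            // false: blocked
  out.noCorsWithExtension = browserMayRead(pageOrigin, extensionRewrite(SAMPLE.noCors));  // true: the injected "*" opens it
  out.publicCorsPlain = browserMayRead(pageOrigin, SAMPLE.publicCors);                    // true: no extension needed
  out.credentialedFromAllowed = browserMayRead(pageOrigin, SAMPLE.credentialed, { withCredentials: true });          // true
  out.credentialedFromOther = browserMayRead('https://evil.example', SAMPLE.credentialed, { withCredentials: true }); // false
  // The extension's "*" does not help a credentialed request...
  out.credentialedWithExtension = browserMayRead('https://evil.example', extensionRewrite(SAMPLE.noCors), { withCredentials: true }); // false
  // ...but --disable-web-security removes the check entirely, cookies included.
  out.credentialedSopDisabled = browserMayRead('https://evil.example', SAMPLE.noCors, { withCredentials: true, sopDisabled: true }); // true
  return out;
}
```

The two "credentialed" rows are the practical difference between the extension and the flag: an injected `*` only exposes anonymous responses, while a browser started with `--disable-web-security` lets any page it loads read responses from sites you are logged in to. Neither is a fix for an API that has not opted in; the fix belongs on the server, as the first answer says.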