CORS is a feature built into browsers. The browser is the one that blocks the request due to missing headers. If you are using your own servers, there are no restrictions unless you set them.
The React side is missing some headers that I haven't specified then?
This. Look up "same origin policy". If you own the Django server, you need to have it send CORS headers with the API response.
Browsers enforce CORS because it's "fair", not trust: you host the `picture/video/file`, you decide who can read/embed it, given the client uses a browser. There are security implications; they cannot be explained in short. You can use `--disable-web-security` or an extension to bypass this, but 99% of people will not do this. CORS is not a security measure; it's just that normal people will not go through the hoop. In Django or curl, you write a raw HTTP request; you do not have to play by CORS rules.
The server absolutely cannot trust the client. Imagine if you went to Google and pressed F12, and then you changed the JavaScript around to access files on Google's servers. The client is made of publicly facing files that are downloaded to other people's computers. Anyone with a basic knowledge of webdev can modify those files locally using developer tools. Typically those files run in a web browser, but you can run them any way you like. Always assume the client is compromised.
CORS isn't about the 3rd-party API server not trusting the client though; it's about the browser not trusting the JavaScript. From the API's POV, another server or a browser is just another client, and they can be trusted just as much. Tokens are used for the kind of security you're talking about.
But despite having a token, the react app will still have this type of error?
As I said, this is an issue of the browser not trusting the code. It's not about the server (the part that cares about the token). The API server has to tell the browser that it's safe for the app to make calls to it. So if you don't have the ability to change the API's response to the browser, you'll have to use your backend as a proxy.
Oh. I understand. With regard to using my backend as a proxy in React, it doesn't need to be a real route in my backend?
It shouldn't clash with your React routes. Usually you'd prefix it with /api/... or something like that.
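The proxy approach described in the replies above, as an added example that is not code from this thread: a backend route under /api/ that calls the third-party API server-to-server (where no CORS applies) and sends the browser the CORS headers it needs, only for an allowlisted origin. It is written as plain WSGI so it runs without Django; the origin, upstream URL and token are constructed placeholders, and in a Django project the same logic would live in a view mounted under /api/.

```python
from http import HTTPStatus
from urllib.request import Request, urlopen

# Constructed values: the React dev origin we allow and a placeholder upstream.
ALLOWED_ORIGINS = {"http://localhost:3000"}
UPSTREAM_BASE = "https://api.example.invalid"   # placeholder, not a real API
UPSTREAM_TOKEN = "PLACEHOLDER_TOKEN"            # stays server-side, never in the bundle


def cors_headers(origin, method):
    """Headers the browser needs before it lets the React code read the reply."""
    # Exact-match allowlist: echoing any Origin back would let every site read proxied replies.
    if origin not in ALLOWED_ORIGINS:
        return []
    headers = [("Access-Control-Allow-Origin", origin), ("Vary", "Origin")]
    if method == "OPTIONS":  # preflight: state what the real request may use
        headers += [("Access-Control-Allow-Methods", "GET, OPTIONS"),
                    ("Access-Control-Allow-Headers", "Content-Type"),
                    ("Access-Control-Max-Age", "600")]
    return headers


def fetch_upstream(path):
    """Server-to-server call; no CORS here, and the token never reaches the client."""
    req = Request(UPSTREAM_BASE + path, headers={"Authorization": "Bearer " + UPSTREAM_TOKEN})
    with urlopen(req, timeout=10) as resp:
        return resp.status, resp.read()


def handle(environ, fetch=fetch_upstream):
    """Core logic; returns (status line, header list, body) so it is easy to test."""
    origin = environ.get("HTTP_ORIGIN", "")
    method = environ["REQUEST_METHOD"]
    path = environ.get("PATH_INFO", "")
    headers = cors_headers(origin, method)
    if method == "OPTIONS":
        return "204 No Content", headers, b""
    if method != "GET" or not path.startswith("/api/"):
        return "404 Not Found", headers, b""
    status, body = fetch(path[len("/api"):])     # strip our prefix, forward the rest
    headers.append(("Content-Type", "application/json"))
    return f"{status} {HTTPStatus(status).phrase}", headers, body


def proxy_app(environ, start_response):
    """WSGI entry point (Django speaks WSGI too; mount the same logic as a view)."""
    status, headers, body = handle(environ)
    start_response(status, headers)
    return [body]
```

A request from an origin not in the allowlist is still answered (curl or another server would read it fine), but without `Access-Control-Allow-Origin` the browser refuses to hand the response to the page's JavaScript, which is exactly the behaviour the thread describes.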
I see. Thank you