#cors — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #cors, aggregated by home.social.
-
4 Tiny Mistakes That Secretly Destroy App Performance, by (not on Mastodon or Bluesky):
#performance #webapps #mistakes #cors #codesplitting #dependencies #backgrounds #images
-
CW: Article: Moving a static site from GitHub to Codeberg Pages
I was recently reminded that I wanted to try out Codeberg Pages, so I migrated a static site over from GitHub Pages. It mostly worked, and I learned a little along the way about how Codeberg Pages works.
Read more: https://danq.me/2026/05/04/github-to-codeberg-pages/
-
I just renewed my vehicle registration/insurance. We have a provincial crown corporation here that has a monopoly on it.
I ran into a problem with their "new & improved!" website [1]. I always do. This one is boring; like 90% of the issues I run into, it's because the developers have only tested the site with Chrome, and they're violating CORS policy (a security thing) so Firefox prevents a request trying to fetch part of the page contents. Chrome doesn't give a damn, it doesn't want to stop any trackers or anything.
But the 🧑🍳 😘 in the whole thing is ... there are various "Feedback" links and buttons. I want to report the issue, so I try them, and ... they haven't actually provided the HREF attribute on the links/buttons at all. They are literally not hooked up to anything.
Good testing on the new site, boys! You sure you didn't miss testing any of the functionality?
[1] Why companies absolutely insist on regularly improving their websites into unusability escapes me. As I mentioned elsewhere, it's not like the HTML of the working site has a best-before date on it.
#CADT #WebDeveloper #Firefox #CORS #HREF #feedback #NewAndImproved #qwality #WeveHeardOfIt
-
One Open-source Project Daily
CORS Anywhere is a NodeJS reverse proxy which adds CORS headers to the proxied request.
https://github.com/Rob--W/cors-anywhere
#1ospd #opensource #cors #nodejs
-
[DEV_LOG] PHASE 1.7.5.b: CORE_LOGIC_ERROR
Mid-week update: It’s worse than it looks. A cascade of ReferenceErrors and TypeErrors is hitting the original build.
Diagnosis: Identified a failed "Lazy Import" implementation. The browser is triggering a terminal CORS failure on load. Manifest loading is blocked. PWA/Offline capabilities are dark.
We are sitting with the wreckage for now.
-
I think I just managed to make my Object Storage (#s3 compatible) work on my #peertube
First, it took 2 weeks because I got a bug with #ovhcloud where they wouldn't deliver the product.
When I got it set up, it was quite straightforward. Just copy/paste all the infos and keys into the peertube config file.
My only struggle was realizing that I had to apply some #cors settings to my bucket.
Other than that, #yunohost makes selfhosting quite easy.
The next step will be to migrate my videos to the instance.
https://social.fraxoweb.com/@frank/statuses/01KG8DX3X7815RFAS3A4ZMV54C
-
Ooooh, fcuk, it is even worse. I do a JavaScript fetch request. Internally it notices that it needs to do its CORS OPTIONS magic first. That one fails with a 404, as the developer tools show. But the fetch request itself fails. No, it does not come back with a 404 response. It just fails the fetch with
TypeError: Failed to fetch
This even though the OPTIONS response says
Access-Control-Allow-Origin *
beside the 404. This is baaaad!
-
Fun with #CORS.
Many web devs come across CORS eventually, first reaction being WTF. Then see Stackoverflow or a chatty text randomizer to find.
The server response lacks the Access-Control-Allow-Origin header
which is confusing, as you're dealing with two servers at this point.
I thought I understood it, but debugged an hour to find that an OPTIONS request for .../blabla does not follow the redirect to .../blabla/ (in Firefox at least). 😠
-
For schedules that block cross-origin access in the browser (e.g. #FOSDEM), there's now a small companion project: the Skedz CORS Proxy. A simple proxy with a domain whitelist, easy to self-host or run locally.
Public instance: https://cors.skedz.org
Example: https://cors.skedz.org/https://fosdem.org/2026/schedule/xml
Source (AGPLv3): https://github.com/ysorge/skedz-cors-proxy
-
Question for nerds and video watchers: are the closed captions available in this (you may have to enable them)?
https://m.earth.org.uk/smart-radiator-valves-talk-20201112.html
-
A somewhat old article (2021), but one that explains the principle of CORS, which drives many developers crazy.
It's a concept I advise all web devs to master inside out, so as to avoid future headaches.
-
Quick question for the #web #security people here:
If a local device in your network has an API endpoint that may leak your location but has no CORS headers set, who would be able to get that data?
My understanding is that it is not possible to get that data from another webpage (at least when a somewhat modern browser is used) but if say somebody queried that from an app you installed on your phone they could read it?
#CORS
-
🎵
Hello, CORSness, my old friend
I've come to talk with you again
As I've experienced repeatedly for years, #CORS (#CrossOriginResourceSharing) is notoriously difficult to understand, reason about and implement. So I should not be surprised to find a problem in #Quarkus related to it, and that it has gone unnoticed for years. #Sigh
I hope the bug report I wrote is clear and actionable: https://github.com/quarkusio/quarkus/issues/51541
I'd like to migrate @ChronoLink to Quarkus, but this bug is a showstopper for that: the obvious workaround - opening up POST/PUT/DELETE to CORS - feels risky.
Speaking of risk: this being a hobby project means there is a real risk I won't find the time or energy to write the reproducer the Quarkus team rightly asks for. Oh well...
-
An interesting #infosec case study from running #Akkoma Fediverse server with #Minio as S3-compatible object storage - during routine Minio maintenance I’ve spotted suspicious files in the S3 bucket used specifically to host Akkoma media uploads.
All of the JSONs looked like typical vulnerability discovery markers, e.g. they contained structures like
{"id":"insecure-firebase-database"}.
The root cause was that the akkoma-media bucket had the public access policy set for read and write operations:
# minio-client anonymous list pandora/akkoma-media
akkoma-media/* => readwrite
The fix seems to be to set the public bucket policy to readonly (download in Minio client command line)
# minio-client anonymous set download pandora/akkoma-media
Access permission for `pandora/akkoma-media` is set to `download`
This does not impact the authenticated access policy settings for the bucket which allows Akkoma to write media into the bucket.
I must admit the Minio documentation is a bit confusing on that aspect which contributed to my misunderstanding of these settings. In addition, the minio-client policy was now replaced by minio-client anonymous.
Additional protection can be provided by setting #CORS restrictions on the Minio bucket, that is only allowing specific origins (domains) to render the content from these buckets. That’s done using MINIO_API_CORS_ALLOW_ORIGIN environment variable or minio-client cors command line. Note this will only prevent using the uploaded files in a specific class of attacks on third-party clients that rely on these files being properly rendered as part of exploit HTML, but it will not prevent their upload/download to the vulnerable bucket, for use e.g. as exploit binaries.
-
Converting static sites into dynamic ones using APIs
This guide from the developers at DST Global explains the principles of transforming static web resources into interactive dynamic platforms solely through the use of APIs...
#DST #DSTGlobal #ДСТ #ДСТГлобал #статическийсайт #динамическийсайт #API #JavaScript #SSG #HTML #SSR #JSON #рендеринг #CDN #REST #GraphQL #HeadlessCMS #CORS #SLA #SEO #CMS #сайт #вебсайт
-
Stop fighting CORS errors: let's work out how they function once and for all
Have you ever seen a message in the console like: "Access to fetch at '…' from origin '…' has been blocked by CORS policy"? It's like in that film: "Do you see the gopher? — And yet it's there." CORS doesn't catch the eye while everything works, but at the right moment it stops disallowed actions. For example, reading the response to a cross-origin request without the server's permission. My name is Bair, I'm a developer on the fuse8 team. In this article I will answer questions about why the CORS policy was created, how it works under the hood, why a simple action like "set a header on the backend" may not be enough, and which safe patterns are worth choosing on the frontend.
-
CORS Explained: Stop Struggling With Cross-Origin Errors, by (not on Mastodon or Bluesky):
-
🌐 Network and console error diagnosis - analyze network requests for #CORS issues and inspect console logs to understand feature failures
🎯 User behavior simulation - navigate pages, fill forms, click buttons to reproduce bugs and test complex user flows while inspecting runtime environment
🎨 Live styling and layout debugging - connect to live pages, inspect #DOM and #CSS for concrete suggestions on complex layout problems like overflowing elements
-
As #Invidious and piped.video are not to be used by third parties (for good and understandable reasons) and for those who can't or don't want to self-host, is there still a #privacy-preserving non-#CORS #YouTube proxy REST API out there somewhere?
#FollowerPower #privacyMatters #MyPrivacyisNoneOfYourBusiness #SurveillanceCapitalism #dataCapitalism #platformCapitalism #digitalFeudalism #GDPR #predatoryCapitalism #privacyPreserving #privacyFriendly #privacyRespecting #digitalSelfDefense
-
CORS for interviews and work
If you see this error, you are not alone: Access to fetch at 'https://api.site.com' from origin 'http://localhost:3000' has been blocked by CORS policy. Let's look at why this happens and how to fix it. What CORS is and what it is for. Brief and clear.
-
I tried implementing an authenticated file upload feature using Amazon Cognito
https://dev.classmethod.jp/articles/aws-cognito-user-id-pool-s3-upload-app/
-
https://dev.to/marsou001/what-are-preflight-requests-and-why-they-matter-3h5i - when you do #CORS, the pre-flight request is crucial. Thanks for the deep dive https://www.linkedin.com/in/marouane-souda.
-
I added two modules (Weather Forecast and Digital Clock) to my #ICandy #dashboard #browser #app today with the help of #Claude4 #Sonnet. As the project gets bigger, it is more difficult to work with Sonnet because of message size, conversation size and quota limits. But it is ok. I was chatting with #Microsoft #Copilot during my down time. Now I learned more about how #VoiceVox, #CORS, #MCP, and local #HTTP work. #AI #AIs are the best invention ever for people who are willing to learn.
-
I even tried, with the help of AI, to write a proxy in Python that is called from #Zoraxy via a Virtual Directory. It does solve the #CORS problem, but in return it breaks the #WebSockets of #Immich. 🙄 In case anyone wants to have a go at it: https://github.com/keineantwort/immich-cors-proxy