Cross-origin resource sharing (CORS)

CORS works through HTTP headers sent by servers at the top-level navigation. It is poorly understood by developers and often badly implemented. A browser may block requests going to a.com if they are initiated by b.com or any origin not whitelisted by the Access-Control-Allow-Origin header.

Dappy browser sets an Origin header on each request coming from a tab, so the server can easily know which website the client was visiting when the request was sent. Restricted actions that require authentication must be authorized through cookies, headers or the body of the request itself. The server does not need CORS for any of these 3 checks.
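A sketch of such a server-side check, added here as an example and not taken from Dappy's code: restricted requests are authorized from the Origin header and a session cookie, with no CORS headers involved. The origin value, the `session` cookie name, the in-memory session store and the rule that GET/HEAD are public are all assumptions made for illustration.

```javascript
// Added example: server-side authorization that does not rely on CORS.
// All values below are constructed placeholders, not Dappy identifiers.
const ALLOWED_ORIGINS = new Set(["https://shop.example"]);    // assumed origin
const SESSIONS = new Map([["s3ss10n-constructed", "alice"]]); // assumed store

// Compare two strings without returning early on the first mismatch.
function constantTimeEqual(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < a.length; i++) {
    diff |= a.charCodeAt(i) ^ b.charCodeAt(i % (b.length || 1));
  }
  return diff === 0;
}

// Resolve a session token to a user name, or null if it is unknown.
function findUser(token) {
  let user = null;
  for (const [known, name] of SESSIONS) {
    if (constantTimeEqual(token, known)) user = name;
  }
  return user;
}

// Extract the token from a Cookie header such as "a=b; session=<token>".
function tokenFromCookie(cookieHeader = "") {
  for (const part of cookieHeader.split(";")) {
    const [key, ...value] = part.trim().split("=");
    if (key === "session") return value.join("=");
  }
  return "";
}

// Decide whether a request may proceed. `headers` uses lower-case names,
// as Node's http module exposes them. Assumption: GET/HEAD are public.
function authorize(method, headers) {
  if (method === "GET" || method === "HEAD") return { status: 200, user: null };
  const origin = headers["origin"];
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    return { status: 403, reason: "origin not allowed" };
  }
  const user = findUser(tokenFromCookie(headers["cookie"]));
  if (!user) return { status: 401, reason: "no valid session" };
  return { status: 200, user };
}
```

The Origin check rejects a request initiated from another site even when the browser attaches a valid cookie to it, and the session check rejects a request from an allowed origin that carries no credentials.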

Due to the very strong policy on the name system and Content Security Policy at the name system level, we think that this feature does not need to be supported. Headers related to CORS are ignored by the browser.

If you think this is a mistake or have comments, please reach out to us on Discord or by email.

See Mozilla's documentation on CORS
