I finally understand CORS. Thank you for this great series!
ultimate thanks man now my bug fixed
Struggled with CORS in a node app I worked on. Got a lightbulb when you said allowed origins must be set on the backend.
You are a treasure! Thank you for your work!
Good explanation and nice example of gorilla. I had this exact problem some months ago and wish I'd discovered this video back then, would have saved me some lost hair!
Although I appreciate the series, this specific video contains some misleading statements:
- At 2:54, "CORS is blocking [...]". Don't conflate the Same-Origin Policy (SOP) and CORS. The latter is only meant to relax the former's restrictions. As such, CORS isn't blocking anything; the SOP is.
- From 4:28 onwards, Nic explains that CORS acts as a defence against CSRF attacks. That is not the case. In fact, activating CORS may open the door to more cross-origin attacks than would otherwise be possible.
- At 5:55, Nic implies that a preflight request is unconditionally issued whenever the client attempts to send a cross-origin request. That's incorrect; some requests, colloquially known as 'simple', do not give rise to preflight requests.
thank you very much, amazing tutorial
Hi Nic~ What is the syntax of ch(sm) on line 61? Why can it be wrapped in parentheses?
Hi Nic, thank you for this. Even though I've been using Go for a while now, there have been some nice hints in this series. The question I have is if CORS is still a problem if you serve the React site from within Go? For example, the site is returned from /index.html and your service is on /api/products.
I guess it is not as it requests resource from the same URL, but well, as CORS is sometimes a mystery to me, I would not be surprised if there were issues :D !
There should be no issues as long as the API and the client are hosted on the same domain. CORS only applies if the client and the server are separated by origin.
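Added example (not from the video or from any commenter): a Go sketch of the two checks raised in the comments above, whether the page and the API share an origin, and whether a cross-origin request is 'simple' or triggers a preflight. The localhost URLs are constructed, and the preflight rule is a simplification of the Fetch CORS-safelist that ignores the Range header, header length limits and upload-stream cases.

```go
package main

import (
	"fmt"
	"mime"
	"net/url"
	"strings"
)

func port(u *url.URL) string {
	if p := u.Port(); p != "" {
		return p
	}
	return map[string]string{"http": "80", "https": "443"}[u.Scheme]
}

// sameOrigin compares scheme, host and port (explicit or scheme default); the path is ignored.
func sameOrigin(a, b string) bool {
	ua, errA := url.Parse(a)
	ub, errB := url.Parse(b)
	if errA != nil || errB != nil {
		return false
	}
	return ua.Scheme == ub.Scheme && strings.EqualFold(ua.Hostname(), ub.Hostname()) && port(ua) == port(ub)
}

// needsPreflight reports whether a browser sends an OPTIONS preflight before this cross-origin request.
func needsPreflight(method string, headers map[string]string) bool {
	if m := strings.ToUpper(method); m != "GET" && m != "HEAD" && m != "POST" {
		return true // method is not CORS-safelisted
	}
	for name, value := range headers {
		switch strings.ToLower(name) {
		case "accept", "accept-language", "content-language":
		case "content-type":
			mt, _, err := mime.ParseMediaType(value)
			if err != nil || (mt != "application/x-www-form-urlencoded" && mt != "multipart/form-data" && mt != "text/plain") {
				return true // e.g. application/json
			}
		default:
			return true // any other author-set header, e.g. Authorization
		}
	}
	return false
}

func main() { // constructed inputs: page and API on one origin; a JSON POST
	fmt.Println(sameOrigin("http://localhost:9090/index.html", "http://localhost:9090/api/products"), needsPreflight("POST", map[string]string{"Content-Type": "application/json"})) // true true
}
```

A request for which `needsPreflight` returns false is still sent to the server cross-origin; the browser only withholds the response from the calling script unless the CORS response headers allow it.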
The same error with POST requests. Looks like in Validate functions at middleware.
Thanks man
Someone misclicked the like button