You two have this entirely backwards. It’s the Same-Origin Policy that is stopping you from doing what you want. CORS is a way of loosening up the security to make more things possible. CORS doesn’t – and can’t – stop you from accessing anything. If you “disable CORS” in your browser, guess what? You’re going to be able to access less stuff.
This is needlessly pedantic, and you know it. The same-origin policy makes lots of things a real pain in the ass, and that there is no escape hatch for those times I know that there are some missing headers on my responses doesn’t make sense.
What OP obviously meant was a way to disable same origin policy checks.
It isn’t anything of the sort. If they think the problem is CORS, they are going to put all their effort into trying to figure out how to disable CORS. This will not help them in the slightest. What they want, in effect, is to have a configuration that is as if CORS is on all the time, which they would never think to do if they think it’s CORS stopping them from doing what they want.
> What OP obviously meant was a way to disable same origin policy checks.
Yes, and they showed absolutely no knowledge of the fact that the SOP even exists. They think it’s CORS doing it. Pointing out this is backwards and pointing out what is actually causing their problem is helpful, not pedantic.
Congratulations on figuring out what I meant by a simple one line frustrating comment I made while I was walking to the toilet where I couldn't be bothered to set up a 2 paragraph explanation of precisely what I was talking about.
Are you still referring to accessing a file:// resource? Wouldn’t it be enough to run “python -m http.server 8000” in the desired directory? This sounds simple and quick to me. Or am I missing something?
I ran into some of these concerns when working on a sandbox feature where users select their own files to use in an iframe.
Once in production, sometimes you want the user's browser to serve these local files to itself, from blobs and/or the local file system, meaning a server or CLI isn't feasible.
This should be better from a privacy standpoint since files stay completely client-side, but CORS difficulties end up encouraging developers to push files to the server at least temporarily instead.
> This should be better from a privacy standpoint since files stay completely client-side, but CORS difficulties…
Isn’t this privacy tradeoff directly at odds with security? i.e. local access would also open the door to malicious sites accessing the local file system?
I can understand the dev-time frustration with CORS, but removing it just reintroduces a whole category of security issues.
Maybe there is something better, but whatever replaces it would need to include similar restrictions.
>Isn’t this privacy tradeoff directly at odds with security? i.e. local access would also open the door to malicious sites accessing the local file system?
Look at docker for analogy. Sometimes you just need a volume to use locally, but you don't necessarily need to access files that already exist. Consider the use cases of /tmp/ as well, for instance.
This sounds unrelated to the use case described by the parent, in which they want to serve specific files that exist.
But setting that aside, bypassing CORS to achieve this seems analogous to unlocking your front door/gate before leaving for the day in order to grant access to a delivery driver.
It’ll work, and the driver can deliver your package, but it’ll also let random and potentially malicious passers-by into your home without restriction, so who knows if your home will be intact when you return. A theoretically functional solution that doesn’t really work in the real world.
Some other solution that behaves more like a temporary file store sounds better, but the tradeoff I mentioned is specifically about CORS.
In the case I was referring, we loaded files as blobs in the browser's local storage, allowing us to run a web worker as a persistent local cache server.
This involved managing Firefox's admirable response doctoring policies, though.
All other browsers would let a web worker modify the incoming response to a request before forwarding it to an iframe, but FF absolutely refused it and required that the modified response get constructed anew in its local context, meaning locally created or injected content could not be mistakenly trusted as origin content.
Not everyone has Python or any other web server installed and being able to just double-click an HTML file and access all the web features without any online or native component would unlock so many new use cases.
