HTTP CORS documentation is unclear on who participates in server requests/responses #36670
Comments
szentpali-janos
added
the
needs triage
Your confusion seems to be based on this, but I fail to see how this claim is true. CORS only involves one client and one server, where the client is on a different origin as the server. All our existing diagrams in the section in question only involve one client and one server because there are no more parties at play. |
|
Sorry, but if there is one server and one client, why is CORS needed at all? Cross origin between which one server? |
|
Cross-origin between the client and the server. For example you call |
|
So
|
|
The scheme and domain are both parts of the origin. For example, suppose the client-side JS of https://developer.mozilla.org sends a request to https://github.com. That would be a CORS request and subject to the CORS constraints. |
|
OK, so while physically "developer.mozilla.org" and "github.com" can be the same host, that is invisible to clients and are technically two server/domains. |
|
I'll defer the decision to @wbamberg, but I think the current example is clear enough. There's only one server responding to requests (and handling CORS), which is the destination of |
|
Josh is right. There's only one server in these example scenarios.
Well sort of. You might say, the bit with the first server took place before these scenarios. So this is what happens in full:
The examples in this section of the docs omit the first two steps here: they start with a document served from (="with an origin of") This is I guess implicit in bits like this:
I wonder if "web content served from https://foo.example" might be better than "web content at https://foo.example"? I wonder if annotating the sequence diagrams to include the document's origin might help? I wonder if talking a bit more about the initial exchange with the first server might help? |
bsmth
changed the title
|
What do you think about something like this: 
I am a little concerned that this doesn't distinguish the difference between the annotations, that "foo.example" is the origin and "bar.other" is the URL. I tried that but it looks a bit noisy: 
Interested in what people think. If we don't think this is an improvement I think we should just close this issue, or just change:
to "web content served from https://foo.example", but I think a change like that is unlikely to help people much. |
|
That is very good as far as I am concerned. |
Yeah, I agree we should do this too. For me at least |
|
Yes, I agree, for someone learning about CORS, using |
MDN URL
https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
What specific section or headline is this issue about?
Examples of access control scenarios
What information was incorrect, unhelpful, or incomplete?
CORS is about a client and at least two servers. Throughout the examples it is unclear which server participates in the example transaction. There is a single example where the Host header hints at the identity of the server taking part in the transaction. As is the documentation is a guesswork for the reader, so not really a documentation. It would help immensely if the transaction diagrams and exchange request/responses would clearly state which server requests from which server.
What did you expect to see?
Servers clearly identified both in drawings and transaction payloads.
Do you have any supporting links, references, or citations?
No
Do you have anything more you want to share?
No
MDN metadata
Page report details
en-us/web/http/corsThe text was updated successfully, but these errors were encountered: