CORS in 100 Seconds

*correction a cross-origin image fetched with an tag is not subject to CORS, it to comes into play with HTTP calls from scripts, ie fetch() or XMLHttpRequest

That error screenshot gave me PTSD

Ugh I ran into Cors a few months ago. Painful. These videos are excellent, clean and digestible; Whilst not disrespecting the audience's intelligence with over explanation. Nice work man!

Dude! A couple of weeks ago I needed this!
You're saving lots of valuable minutes!

I don't understand why the preflight is needed? If a server is going to block a request, why not just find out at the time the request is made? What's the advantage to knowing before hand? Great video, has made things click for me!

🎯 Key Takeaways for quick navigation:
00:00 🌐 Cross-Origin Resource Sharing (CORS) allows websites on one URL to request data from a different URL, but it can be frustrating for developers.
00:30 🔒 The Same-Origin Policy in browsers allows requests from the same URL but blocks external requests unless specific conditions are met.
00:58 🚫 Mismatch between the "Origin" header in the request and the "Access-Control-Allow-Origin" header in the server's response results in CORS errors.
01:12 🛠️ To solve CORS issues, configure the server to include the appropriate CORS headers in the response.
01:41 ✈️ Certain HTTP requests, like "PUT," may require preflight checks to ensure they are safe to execute on the server.
02:08 🔄 Check for the "Access-Control-Allow-Origin" header in the network tab to diagnose CORS issues, and make sure it matches the website's URL and allows the necessary methods or headers.
Made with HARPA AI

I like the body scan by the security guy.

Thank god for this video, also where do you find this kind of info

Golang 100 seconds and beyond

can you say something about curl - PHP

CORS is something for which I understand the mechanics, but can't get my head around how it protects the client side. If I'm a bad actor and have somehow caused a browser to make a cross-origin request, I'll just make it send that request to a bad-actor server that I own, which server I'll configure to allow requests from anywhere. Can someone help me understand how CORS really protects the browser when the 3rd party server dictates what's allowed? I'm sure it's me that's missing something, and would love to have some light shed on it.

Cors errors can really push ones patience to the limit!

Makes a poll. Listen to the audience. Clears their doubts
10/10 love your channel

You forgot to mention the "it is working on postman" part haha
although it is related to browser and different domain part

I literally was just needing this lmao

fireship is the hero we need, but we definitely don't deserve.
it's weird seeing free content with such high quality 🥰🥰🥰

Be careful! Sometimes you might get an error saying that CORS blocked the request because the OPTIONS call does not have an HTTP OK status. This actually has nothing to do with CORS (it's a red herring), but rather the route itself is missing from the server, or the server isn't responding correctly. Beware!

I thought I understood CORS well until 5 minutes ago 😆
Very informative video as always!

I feel like the entire field of computer networks is creating a way to connect two nodes and then trying their best to avoid doing that by default

You do always listen to the audience requests, and that's what a good content creator do. Thanks Jeff.

So, I'll tell my manager that this is something that the backend devs should fix.
PS: I'm frontend

I am using a third party api, so i don't have the backend control and got the CORS error. Now i guessed one fix (and that worked). I created my own backend (in node) and called the api there and allowed my frontend domain to access my local backend (as that was giving the cors error too). Now i can easily get the data on frontend served by my backend which is actually coming from a 3rd party api. This is infact a common fix in this case as by having a custom backend, we bypass the browser security.

I've been waiting for this for weeks!!!

Please do more something fundamentals like this. Some mainstream frameworks are easy to look for documentation. But IDK y, something like this sometimes gives a headache

So Fireship uses Firefox ! :)

literally had CORS problem today and now I understand it better. And this is not the first time you read my mind and make videos of it the exact same day.
Plz keep it up i need you!

Recently I was able to bypass cors issue by opening chrome with no security And user data dir flags. How are we able to bypass this? Isn't this a security vulnerability? Some browser extensions also let us bypass cors error.

It amazes me how even after years of schooling I still learn stuff from 100 second videos. Keep it up!

Me: I got the CORS error
Server dude: What is that?
Me: *Silently quotes Geralt when presented with the ultimatum

To login to my site /login over axios, I require a CSRF token
That token is gotten through doing a GET to /set-cookie
For 3 days, I've tried to figure why document.cookie is empty
Turns out, I have to pass {withCredentials: true} even if I'm not submitting any credentials, just receiving them
Also, if you change your content-type (in axios) to text/plain, CORS stops complaining
I hate my life and JavaScript and CORS and CSRF

"If you don't control the server you are out of luck" is a bit misleading. Some servers, especially APIs, may have options to enable it.
For example, I used Wikipedia API on a Unity project, it works just fine on the editor, but it gave CORS error when running a build version. The solution was simply add a parameter to the API call.

0:53 Isn't it supposed to be `Access-Control-Allow-Origin: foo.com` ? It doesn't make sense that bar.com would send back "allow bar.com to access my resources".

I had a problem with a PHP API server at some point. It seems POST requests require a preflight check or something like that, because I had the CORS headers all set up, but I had a statement if the request was blank, return 503. And that messed up the CORS preflight as the preflight Is sent with an empty request.

I legitimately love this video. Through my few years with web development I got so many CORS errors that the error screen gives me PTSD. This video really clarifies the concept real quick. I wish I had seen it when I got my first CORS error.

@fireship "if you don't control the server then you are out of luck"? server sided request proxy? cors only works for browsers so if you make a request with your own server it is not blocked and you can set it up to give you proxied results.

god tier explanation in 100 seconds meanwhile other youtubers wasted my 20 minutes and left me confused

If this video didn't exist, then probably I would have thrown my brain🙂

How to get rid of JavaScript Fatigue in 100 seconds ? 🤞😅

I've been writing backend code for 3 years now and to this day i keep getting sleepless nights because of CORS

Wow, I've had this problem for months, at some point I just decided to copy whatever solutions I could find and see if it would work, but it was always different depending on the project. This really explained the whole error response thing, I could never really understand the different CORS errors.

Great! Another important thing to say is that you can allow multiple origins simply specifing them divided by commas, instead of using the wildcard

You really need to put a trigger warning before you go throwing cors errors around willy nilly

Nice music btw. Selfmade or can you name me an artist? :)

Oh my God. CORS has been hell for me when we work with a local development environment. Kills minutes of my life.

we asked and he delivered. One of the many reasons why Fireship is the best dev channel on youtube

needed. so much needed

Fireship: If you don't control the server, you're out of luck
Me: Proxifies the request using CORS anywhere

In Node js setting headers decrease performance.
You need just this header for every request:
- Access-Control-Allow-Origin
- Access-Control-Allow-Credentials
- Access-Control-Allow-Headers
The other header is only need for the preflight request (method Options):
- Access-Control-Allow-Methods
So checking in a middleware if the method is OPTIONS and set this header too. Otherwise set just the other headers in this mw.

here's a neat idea: a feature for sites to request the user's permission to override CORS security via a browser popup, with clear explanations of what security issues this may cause. Main use that prompted this idea was for me to make custom media viewers for say radio sites.

Thank you for clarifying my doubts,
But Need Beyond 100 seconds for CORS would be super helpful too.

You are the prophet of Web developers!

I got the error on my Netlify site (Vite, Vue, Tailwind), gave me headache cuz my noob ass can't figure out.
Turn out disabled asset optimization in dashboard solved the problem

I was preparing myself to watch a video of hours to understand CORS. Fireship came to the rescue. It surely built at least the fundamentals. Great content as always.

You can also make a cors proxy using nginx and proxy_pass although you shouldn't have a reason to 😉

I finally understood CORS. Thanks mate.

Access-Control-Allow-Origin Header: Exists
Browser: Error!! We can't send this request. There is no Access-Control-Allow-Origin Header
Me: F***

but ignores CORS policy (actually all HTTP requests made by the HTML engine ignore it, including POST/GET requests from a ) , if it's broken it's for another reason.

I could have REALLY used this when I was first discovering CORS was a thing. And y'all know that wasn't a pleasant experience...

How quickly are you able to create these awesome videos? I remember yesterday when I read someone suggesting this video and here it is. I'm amazed.

CORS: Creating headaches for people developing standalone javascript tools since... I dunno, whenever.

Excelent work... Although i'm still not clear what "preflighted" means...

You didn't explain what CORS is for or why it's used. "Security reasons" is both vague and inaccurate. The practical reason is to give Web Servers control and help mitigate abuse. It works because most people use modern browsers that adhere to the CORS policy (as opposed to hacked/forked version of browser without it). It has no implications for security as it doesn't prevent access at all nor have any implication for code not executed on the client side. It prevents other sites from (ab)using a third party API without permission. Why? Because browser makers and web site creators have deemed that it makes for a better web overall. And they're right. Otherwise e.g. any site could just use RUclipss public search API as their own -- now they can still technically do that, but they will have to do it by hosting a server proxy themselves (which is both much more effort and much more easily detectable by RUclips) -- and not simply have the visitors browser to their site make the request to RUclips's API Server (AKA leeching).

Nice selection of font. I so wish to have a chilled Coors Light right now!

Love you guys! This is short, simple and down to the business. First time I had to slow down the vid and I was glad

It sucks that everything on the web is slowly becoming centralized, without server access you can't really do a lot anymore, it used to be simpler.
People like using Python for any kind of general purpose scripting, but personally I prefer JS, in the browser, always whipping up a nice GUI for myself. And guess what, can't even use it, can't even fetch some JSON from an API, despite JSON literally having JS in its name... CORS should be disabled for anything being run from localhost altogether, or there should be a simple switch in the browser settings for developers who just want to fiddle around. But no, download Node, download Apache, download nginx, run server, blah blah, nothing works on Windows, because console syntax is always different compared to documentation, so you need a Linux VM, or WSL2, and it just fucking sucks. Just let me play around with APIs. It's my goddamn computer, it's my own goddamn browser, my trash code is not a product I'll ever ship or even publish.
And I understand that not every public API provider wants their API to be used by any client. I'm saying that if you are running your site off of a server you can accept public API responses, but without a server, if it's just a .html file running from localhost, you won't be able to communicate with no API whatsoever.

In my experience, the best solution is to just allow origin with a wildcard, unless you're setting up a private endpoint for 1 specific client/server.

And often their error messages are _too helpful_ thaf I can't help but cry hard reading it.
Yes... It just happened last night. And it wasn't a "normal" CORS error like Origin error. 💔

Ok I know I'm gonna get some hateful replies here but I DO see this channel becoming the largest software development community in the future. Surpassing channels like Traversy Media.

I am Django developer and never have to worry about this. Just install a package (django-cors-header) and write some lines of code and never worry about it again, everything just works.

And now you've just put 13500 "expert consultants" out of work by sharing these secrets. Have you no shame?

First video I'm seeing from fireship with speaking pace/speed normal enough to be comprehensible ..
I'd like to see more video of u talking in a normal pace, not rushing things like you're been chased !!
Thanks for this though 👍😘

I have a problem in my server, it didn't allow PUT or PATCH method in google chrome, but in firefox it works fine lol

First

This video is sort of mid. If the origin is the same but the path is different then the browser can still make that request (you were saying the url has the be the exact same which isn't true).
Also an explanation of the why behind Same Origin Policy would be nice. If you curious, SOP is basically there to protect malicious websites from taking the users cookie data and then sending calls to other sites (of different origin) and getting their personal data.
Anyways, I am a big fan of your content, keep up the good work :)

CORS is a b*tch, hate it, nice video, i hate it even more. but now i understand it much better. Also Having a 100sec video is a good thing for someone who is looking for a quick insight, but a beyond 100sec version will do more good.

This mfing policy makes it literally impossible to create 100% offline HTML-js-css applications and I hate it more than anything else

It's a great attempt but there are some serious omissions. For example, at 1:24 and 1:49 you fail to mention which server it is that you're referring to. CORS is about a client and 2 different servers/domains, right? It's important to understand which one you're talking about.

I hated cors errors when I started webdevelopping. It even hits you into the knee when developping locally, like COME ON.

spent an entire day trying to fix CORS that were seemingly all correct. Turns out the browser had cached the CORS before I fixed it. 🙂😢

How the hell you do that?? I'm trying to understand CORS for a day already, YOU DID IT IN 100 SECS WHAT

Very good content,like always. Thanks for that.
But is it really explained in 100 seconds 😉?

This was extremely clear and concise! Much better than reading all those confusing articles online

Can someone rollback the Firefox Logo already.
edit: Oh fuck me. The older logo is still alive and well. The one shown in the video is of their 'parent brand'.

Last month I get a souposed cors error moving mi app to a new server, at least that what Firefox was saying. In reallity a network restriction was avoiding my API to find the database server causing a sqlexception and then returning a 500 error for every call to my API. The 500 error response was sended back to the client browser without any header and axios in the client browser just take care about that last thing and only that thing and claimed that the problem was cors whitout say anything about a 500 error or it's message content.
It was painful.

Was learning MERN stack, hated dealing with this.
Now I just add a wild card and make sure that my web app is unsafe, but working

didn't get the whole technicality though.. but I understood what I need to understand as a beginner in Front End Development.. Thanks

saved me!!! i didn't know about this. It was plauging my code and finally fixed it after a whole day.

Hah Jokes on you, I run chrome without CORS policy Via the commandline
In reality this is very dangerous and could get your data stolen please don't do that

How to use CORS:
1. Wide enable everything.
2. Move on with your life.

Wow! I'm amazed by how you explain it with ease. Thanks Jeff!

Cors is the dumbest “security feature” in browsers since it does not protect against anything. Literally, anything. It just make front end devs lose their patience.

Ok, server, cool. But what if I just want to run a static website with JS scripts attached, both living in the same directory on my local hard drive, huh? How can I tell browser in that case to let these scripts be imported?

Thank you not at all for such a confusing non-explanation of CORS. Looking for better sources now.

The special take away here is "if you have access to the backend". When you don't, things like a reverse proxy or the unsafe mode of Chrome are your saviors.

I wish this video existed 3 years ago lol. The MDN docs on this r so confusing. I guess the next generation will be better taught/prepared

I just voted on the most anything YT community post on CORS. YASSSS!!!!

Big brain solution: Implement your entire backend API as dynamically created image files

The browsers implemented this as part of their security model - but I have no control of the remote service to allow/block same origin... Still struggling on the rationale behind this

Things to check
- check the url for typos
- check for internet connection
- check for headers (access-control-allow-origin)
If these are fine you're good to go

Resources sharing between different origins should ban internationally. Then finally developers can have peace.