CORS for WebTransport: copy-paste server patterns

WebTransport sits in an odd spot for people who already know CORS. You expect the usual fetch() rules, preflights, and response headers. Then you try WebTransport over HTTP/3 and realize the model is related to CORS, but not the same shape. Browsers still care about origin-based access control, but WebTransport uses its own handshake rules instead of classic OPTIONS preflight. If you build browser-facing infrastructure, this distinction matters. A lot. ...

May 15, 2026 · 6 min · headertest.com

CORS for Wix API: Copy-Paste Reference Guide

If you call the Wix API from browser JavaScript, CORS is the gatekeeper. When it’s configured the way your frontend needs, everything feels normal. When it isn’t, you get the classic useless browser error: blocked by CORS policy. This guide is the version I wish I had the first time I tried wiring a frontend directly to a third-party API.

What CORS means for Wix API

CORS stands for Cross-Origin Resource Sharing. Browsers enforce it when your page on one origin tries to call an API on another origin. ...

May 4, 2026 · 7 min · headertest.com

CORS and file://: Common Mistakes and Fixes

If you’ve ever opened an HTML file directly in the browser and watched fetch() explode with a CORS error, you’ve hit one of the weirdest corners of web security: file://. I’ve seen this trip up experienced developers, not just beginners. The usual reaction is: “But I’m not even cross-origin. It’s just a local file.” The browser disagrees.

The core problem with file://

A page loaded from file:///Users/me/demo/index.html does not behave like a normal web app served from http://localhost. Browsers treat file:// as a special origin, and in many cases as an opaque origin or at least something heavily restricted. That means requests from a local file to: ...

April 24, 2026 · 6 min · headertest.com

CORS vs CSRF: What’s the Difference?

CORS and CSRF get lumped together way too often. I’ve seen teams say “we enabled CORS, so we’re protected from CSRF now” and then act surprised when their app still has a cross-site request forgery bug. That’s the core mistake: these are not competing solutions to the same problem. They deal with different threats, at different layers, using different browser behavior. If you only remember one thing, make it this: ...

April 9, 2026 · 7 min · headertest.com