Developers don't understand CORS (2019)
Points and comments are a snapshot, not live.
Too many web developers do not understand CORS, leading to security vulnerabilities.
Chris Foster argues that a 2019 Zoom vulnerability, where a localhost web server used image dimensions to bypass CORS and open the native app, reflects a widespread developer misunderstanding of CORS. He explains that CORS headers (`Access-Control-Allow-Origin`) can securely restrict localhost API access to trusted origins like `zoom.us`, and that Zoom's image hack allowed any website to trigger privileged operations. He notes similar insecure defaults on Stack Overflow and in Express.js examples, and suggests the problem may stem from both CORS's complexity and insufficient developer education.
Foster also criticizes Zoom's UX decision to auto-launch meetings without user confirmation, contrasting it with Google Meet's in-app prompt.
What commenters are saying
Many commenters agree that CORS is poorly understood. A common frustration is that browser error messages are intentionally opaque to avoid leaking response details, though the dev tools offer more clues. Some commenters argue that the underlying threat model is not that hard to grasp, CORS merely lets an origin tell a browser which other origins can read its responses, but that many developers don't think about security mindsets. A few defend the complexity, noting that once you internalize why preflights exist (because the browser can already emit those requests), the rules become logical. One commenter points out that CORS only prevents JavaScript from reading cross-origin responses, not from sending requests, which is a common confusion. Another notes that backend developers often treat CORS as a nuisance because it appears irrelevant to server-side security.