A partial archive of discourse.wicg.io as of Saturday February 24, 2024.

Fetch a page from a different domain (secure)


I know about CORS and what their purpose is.

However I don’t understand why it’s not safe for the browser to make an “anonymous” request to another domain: if you send an HTTP request without cookies and without authentication headers I don’t see any security issue. Why isn’t there any way to achieve that in JavaScript?

Example use case: the user inserts a link in a new post and you want to fetch a preview of that link (e.g. OpenGraph) without a backend (proxy server). Is there any way to fetch that HTML page without CORS headers?


The problem is that many servers employ “ambient authority” - as long as a user’s computer is within the right network (a particular corp network, for example) it’s assumed you have permission to load up anything. This means a script on a malicious page could request known sensitive corp resources, and when an employee of that corp visits the website, those loads will suddenly work and expose corp secrets. (And that script might come from an ad network…)

Ambient authority is a terrible security practice, but it’s still super common, and it’s the exact reason we can’t do what you’re asking for here.