I continue to struggle with strange limitations when developing for the Internet. One of them is the same-origin restriction on AJAX requests, and I ask myself: instead of blocking requests for cross-domain resources, wouldn't it be easier to simply refuse cookies when they are created (in order to avoid misuse of authentication credentials, i.e. the browser session)?
Cookies are a tool, but not an essential one at all (for example, you can carry the cookie values in request URLs if you need to maintain context), while cross-domain blocking is quite annoying to get around.
There is also something that seems VERY weird from a logical point of view about blocking one specific party from accessing a resource that literally everyone else around the world can get without authentication.
I am wondering whether there is any real technical reason why the same-origin policy is really the best solution.
Note that I ask only out of curiosity... I understand very well that in the Internet age, terrible decisions can be crystallized into standards before experience has had a chance to show whether they are good or bad (quite a lot of JavaScript, for example).
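As an added example (not part of the question or any answer), here is a small JavaScript model of the two browser rules the question argues about: the same-origin comparison (scheme, host and port must all match) and the CORS opt-in that lets a script read a cross-origin response. It makes the distinction the question blurs visible: the same-origin policy governs who may read a response, while cookies are a separate axis that a server must explicitly allow for credentialed cross-origin reads. All URLs, header values and scenarios are constructed for the demonstration.

```javascript
// Added example, not code from the question. Models the browser-side checks
// for reading a cross-origin response. URLs and headers below are constructed.

// An origin is scheme + host + port; WHATWG URL parsing drops default ports,
// so https://a.test and https://a.test:443 compare equal.
function originOf(urlString) {
  const u = new URL(urlString);
  return `${u.protocol}//${u.host}`; // u.host keeps a non-default port
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Decide whether script running at `pageUrl` may read the body of a response
// fetched from `resourceUrl`. `responseHeaders` is a plain object with
// lower-case header names; `withCredentials` says whether cookies/HTTP auth
// were attached to the request. Returns { readable, reason }.
function corsReadAllowed(pageUrl, resourceUrl, responseHeaders, withCredentials) {
  if (sameOrigin(pageUrl, resourceUrl)) {
    return { readable: true, reason: 'same origin' };
  }
  const allowOrigin = responseHeaders['access-control-allow-origin'];
  const allowCreds = responseHeaders['access-control-allow-credentials'];
  const pageOrigin = originOf(pageUrl);

  if (allowOrigin === undefined) {
    // The request was still sent (and cookies still attached if asked for);
    // only the *read* of the response is refused.
    return { readable: false, reason: 'no Access-Control-Allow-Origin header' };
  }
  if (allowOrigin === '*') {
    // The wildcard is honoured only for anonymous requests: a credentialed
    // response must name the requesting origin explicitly.
    return withCredentials
      ? { readable: false, reason: 'wildcard not allowed with credentials' }
      : { readable: true, reason: 'wildcard origin, no credentials' };
  }
  if (allowOrigin !== pageOrigin) {
    return { readable: false, reason: `origin ${pageOrigin} not allowed` };
  }
  if (withCredentials && allowCreds !== 'true') {
    return { readable: false, reason: 'credentials sent but not allowed' };
  }
  return { readable: true, reason: 'origin explicitly allowed' };
}

// Constructed scenarios: a page on one origin talking to its own API and to a
// third-party API with various CORS responses.
const PAGE = 'https://app.example.test/dashboard';
const API_SAME = 'https://app.example.test/api/data';
const API_OTHER = 'https://api.other.test/data';

const scenarios = [
  { label: 'same origin, cookies', resource: API_SAME, headers: {}, creds: true },
  { label: 'cross origin, no CORS', resource: API_OTHER, headers: {}, creds: false },
  { label: 'cross origin, wildcard, anonymous', resource: API_OTHER,
    headers: { 'access-control-allow-origin': '*' }, creds: false },
  { label: 'cross origin, wildcard, cookies', resource: API_OTHER,
    headers: { 'access-control-allow-origin': '*' }, creds: true },
  { label: 'cross origin, explicit + credentials', resource: API_OTHER,
    headers: { 'access-control-allow-origin': 'https://app.example.test',
               'access-control-allow-credentials': 'true' }, creds: true },
];

for (const s of scenarios) {
  const r = corsReadAllowed(PAGE, s.resource, s.headers, s.creds);
  console.log(`${s.label}: readable=${r.readable} (${r.reason})`);
}
```

Run with `node sop_model.js`. The fourth scenario is the one that answers the question's premise most directly: even when a server opens itself to everyone with a wildcard, a browser will not hand a credentialed response to a foreign page, so the cookie question and the read-blocking question are handled by separate, deliberate rules.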