Is there a way to load cross origin request without explicit CORS headers set on the server side?

48
May 23, 2019, at 08:40 AM

I am trying to write an RSS feed consumer in javascript, but unfortunately most feeds do not seem to explicitly set an access-control-allow-origin header on their responses (Even though it is my understanding that the data is for public consumption / scraping).

My question is: Is there a way to load data like this in javascript (Aside from using a server side proxy or turning the project into a browser plugin) given that:

  • The requests are simple get requests. (So no OPTIONS request would normally be sent even if the access-control-allow-origin header was present)
  • Cookies / Authentication is not important as the feeds are public. (So withCredentials would be false if it were an XMLHttpRequest)

e.g. Something like:

fetch('http://rss.slashdot.org/Slashdot/slashdotMain', {
  crossOrigin: false,
  xhrFields: {
    withCredentials: false
  }
})).then(function(response){
  console.log('Got a response!', response);
});

For some background, I figured there may be a way to do this because:

  • The block does not seem to protect server side resources, as the request is not blocked, just the ability to view response. (So if somebody did tie a server side update operation to a simple get request this wouldn't save them.)
  • By default it does seem that cookies / authentication are blocked, so XSRF is not a problem.
  • The request initiated from the current domain, where if a malicious user did gain access to add something like this they could equally load something nasty via a script tag with JSONP or a server where they set an access-control-allow-origin header.

A further question: It seems that this block does not actually protect against anything at all in this case. Why does it exist? (Or is my understanding of the security constraints flawed)

READ ALSO
Automatically toggle between spans

Automatically toggle between spans

I can't find any answers that allow for sentence here followed by end word

50
Angular re-fetch data after parameter change GET request

Angular re-fetch data after parameter change GET request

How to re-fetch data after parameter change from: oglas/1 to oglas/2 by click, so when put URL and than click ENTER everything works, but when click on oglas/2 button when oglas/1 is rendered URL changes to oglas/2 but data is from oglas/1?

50
Two Colum website with opposite scrolling effect [on hold]

Two Colum website with opposite scrolling effect [on hold]

How does one go about creating a website with two columns with one column moving up and the other one moving down at the same time? Example: wwwritevac

56