Cutting this issue to track some docs changes I have queued up, and am open to feedback.
CORS is confusing, infamously so. And we will sometimes get users who are confused about what it is and how it works.
I don't really want the README to try and teach folks everything about CORS, but I do want to try and help people out by improving the documentation to hopefully catch some of the repeat issues we see.
So below is a summary of what I've seen across various issues historically here, and some simple suggestions for improving the readme.
Problem
Users regularly open issues demonstrating misunderstandings about what this package does:
- `origin: 'http://example.com'` would block other origins server-side
The common thread: users think CORS is server-side access control.
The documentation doesn't clearly state what the library actually does, and uses ambiguous language:
- "Enable CORS" / "allow origins" suggests blocking
- "reflect" is jargon that doesn't explain actual header behavior
- No mention that browsers enforce CORS, not servers
Proposed Improvements
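As an added illustration of the point above (this is not part of the issue and not the package's own code): a server-side CORS layer only decides which `Access-Control-*` headers to attach, and the response body is produced either way. The browser is the thing that refuses to hand the body to a cross-origin page when the headers don't match; `curl` or any non-browser client just reads it. The function and option shapes below (`true` meaning reflect the request `Origin`, a fixed string, an array, a `RegExp`, `false`) are assumed for the example and are a simplified model, not a description of any particular library.

```javascript
// Added example, not the package's code. Models what a server-side "CORS"
// layer actually does: pick headers. It never blocks the request.
// Option shapes are an assumption for this example:
//   true     -> reflect whatever Origin the request sent
//   'string' -> always send that fixed value
//   [ ... ]  -> reflect Origin if it matches any entry (string or RegExp)
//   RegExp   -> reflect Origin if it matches
//   false    -> send no Access-Control-Allow-Origin at all

function originAllowed(requestOrigin, option) {
  if (option === true) return true;                         // reflect anything
  if (option === false || option == null) return false;
  if (typeof option === 'string') return requestOrigin === option;
  if (option instanceof RegExp) return option.test(requestOrigin);
  if (Array.isArray(option)) return option.some((o) => originAllowed(requestOrigin, o));
  return false;
}

// Headers to attach for a given request Origin and configured option.
function corsHeaders(requestOrigin, option) {
  const headers = {};
  if (typeof option === 'string') {
    // Fixed value: sent regardless of who asked. Nothing is "reflected".
    headers['Access-Control-Allow-Origin'] = option;
  } else if (requestOrigin && originAllowed(requestOrigin, option)) {
    // Reflected value: echo the request's Origin and tell caches the
    // response differs per Origin.
    headers['Access-Control-Allow-Origin'] = requestOrigin;
    headers['Vary'] = 'Origin';
  }
  return headers;
}

// Hypothetical route handler: the body is built no matter what Origin says.
// `req` is a minimal { headers: { origin?: string } } shape for the example.
function handle(req, originOption) {
  return {
    status: 200,
    headers: corsHeaders(req.headers.origin, originOption),
    body: 'secret data',
  };
}

// What the browser does with the answer: script running on `pageOrigin`
// may read the response only if the header names it (or is '*').
// Simplified: ignores credentials, preflight and header/method checks.
function browserCanRead(pageOrigin, res) {
  const acao = res.headers['Access-Control-Allow-Origin'];
  return acao === '*' || acao === pageOrigin;
}

// Walk-through with constructed requests.
// A page on https://other.test calls an API configured with
// origin: 'http://example.com'. The API still answers 200 with the body;
// only the browser on other.test declines to expose it to the page.
const fromOtherSite = handle({ headers: { origin: 'https://other.test' } }, 'http://example.com');
// A client that sends no Origin (curl, scripts) gets the same body.
const fromCurl = handle({ headers: {} }, 'http://example.com');
// With origin: true the header simply mirrors the caller, so any page can read it.
const reflected = handle({ headers: { origin: 'https://other.test' } }, true);

module.exports = { originAllowed, corsHeaders, handle, browserCanRead, fromOtherSite, fromCurl, reflected };
```

The thing to notice is that every `handle()` call returns `status: 200` and the same body; the only difference across configurations is the header set, and `browserCanRead` is the only place a "block" happens.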