SStBC

Reputation: 149

Is CORS considered bad practice?

We are integrating two systems in an intranet, using CORS as a means of making AJAX calls across the two domains.

Is this considered bad practice? Is CORS in general considered bad practice?

Upvotes: 9

Views: 6999

Answers (3)

FunctorPrototype

Reputation: 1203

There is some latency overhead caused by CORS preflight requests. More here

Upvotes: 0

monsur

Reputation: 47927

CORS isn’t bad practice. It is supported on all major browsers, and more and more APIs are supporting it. In fact, if you have a public resource that is not behind a firewall, it is safe to put the Access-Control-Allow-Origin: * header on the resource.

But there is some confusion over the role of CORS on a server. CORS should only dictate the cross-origin policy for a particular resource. In other words, the CORS headers are only meant to indicate whether requests from different origins are allowed. I think the confusion comes in because servers sometimes use CORS to dictate security policy as well. CORS is not security. If servers have resources that need to be protected from certain users, it is not safe to rely solely on the Origin header to enforce this. Your server needs some other mechanism for security (such as OAuth2 and CSRF protection).

Upvotes: 14
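
An added example, not part of monsur's answer: a JavaScript sketch that keeps the CORS decision (which origins a browser lets read the response) separate from authorization (who may have the data). The origin, the token, the paths and all function names are assumptions constructed for illustration; the token set stands in for real OAuth2 validation.

```javascript
// Added example: origin, token and paths below are constructed for illustration.
const ALLOWED_ORIGINS = new Set(['https://app.intranet.example']); // assumed partner origin
const VALID_TOKENS = new Set(['constructed-demo-token']);          // stand-in for real OAuth2 validation

// Decide which CORS response headers to send. This only tells a browser
// whether script from `origin` may read the response; it protects nothing.
function corsHeaders(path, origin) {
  if (path.startsWith('/public/')) {
    return { 'Access-Control-Allow-Origin': '*' };
  }
  const headers = { Vary: 'Origin' }; // response differs per Origin, so caches must key on it
  if (origin && ALLOWED_ORIGINS.has(origin)) {
    headers['Access-Control-Allow-Origin'] = origin;
    headers['Access-Control-Allow-Headers'] = 'Authorization';
    headers['Access-Control-Max-Age'] = '600'; // lets the browser cache the preflight result
  }
  return headers;
}

// Authorization is decided from credentials, never from the Origin header,
// which any non-browser client can set to whatever it likes.
function isAuthorized(headers) {
  const m = /^Bearer (.+)$/.exec(headers.authorization || '');
  return m !== null && VALID_TOKENS.has(m[1]);
}

// req: { method, path, headers } with lower-cased header names.
function handle(req) {
  const headers = corsHeaders(req.path, req.headers.origin);
  if (req.method === 'OPTIONS') {
    return { status: 204, headers, body: '' }; // preflight: no credentials, no data
  }
  if (req.path.startsWith('/public/')) {
    return { status: 200, headers, body: 'public data' };
  }
  if (!isAuthorized(req.headers)) {
    return { status: 401, headers, body: 'authentication required' };
  }
  return { status: 200, headers, body: 'private data' };
}
```

A request that presents the allowed Origin but no token is refused, while a request with a valid token and no allowed Origin still gets the data from the server: the missing `Access-Control-Allow-Origin` header only stops a browser from handing that response to cross-origin script.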

Darin Dimitrov

Reputation: 1038780

No, CORS is not considered bad practice. It's the standard way to do cross-domain AJAX calls (for browsers that support it). Bear in mind though that currently, depending on your exact requirements, there could be lots of pitfalls to make it work cross-browser. For example, if you want to be able to set cross-domain cookies, be prepared to suffer with Internet Explorer.

So basically, if you can make CORS work for your needs, go ahead and use it.

Upvotes: 3
