Reputation: 6640
I am not sure I understand this. I can write simple server-side code to grab any website's HTML content, run it on my local PC or on any hosting, and retrieve any page from any website. But this couldn't be done via JavaScript?
How is it possible for the remote host to know what sort of application is making a request? Cross-origin requests are not allowed for security purposes? How come I can make the exact same request using server-side code, and run this code locally or remotely anywhere? Below is a simple example of how to grab HTML page content from the weather site, which works fine. But I cannot do this from within JavaScript code? Doesn't make sense.
using System;
using HtmlAgilityPack;

public static class WeatherManager
{
    private static HtmlDocument document = new HtmlDocument();

    public static MyWeather GetWeather()
    {
        try
        {
            // HtmlWeb is a plain HTTP client: there is no browser here, so no Origin
            // header is sent, no user cookies are attached, and no same-origin policy applies.
            var web = new HtmlWeb();
            document = web.Load("http://www.weatheroffice.gc.ca/city/pages/on-143_metric_e.html");
        }
        catch (Exception ex)
        {
            // Pass the original exception as InnerException so the real cause is not lost.
            throw new Exception("Weather is not loaded", ex);
        }

        var mainContent = document.DocumentNode.SelectSingleNode("//*[@id='mainContent']");
        // A leading "//" searches the whole document even when called on a node;
        // ".//" keeps the search relative to mainContent, which is what is intended here.
        var nownode = mainContent.SelectSingleNode(".//section[1]/details/div/div");
        var forecastnodes = mainContent.SelectNodes(".//section[2]/details/table[1]/tr[2]/td");
        // Do some processing....
        // MyWeather is the poster's own type and is not shown in the post.
        return new MyWeather();
    }
}
But when I try to make a similar request from Angular (or, I think, any JS lib)
getWeatherForecast() {
    // This runs inside the browser: the browser adds the Origin header itself and
    // applies the same-origin policy to the response before the page can read it.
    const url = 'https://weather.gc.ca/city/pages/on-143_metric_e.html';
    return this.$http.get(url);
}
I get something like this
I know... CORS, OK, but if it's done for security purposes, how come I can make these CORS requests any way I like, for example as in the server-side code above?
Upvotes: 0
Views: 231
Reputation: 1074495
But this couldn't be done via javaScript?
Yes, it can — just not in a browser. You could make the request with JavaScript in Node, or in a JVM (since the JVM supports JavaScript via javax.script), or in a Metro app on Windows, etc.
How is that possible for remote host to know what sort of application is making a request?
It doesn't. The browser enforces the Same Origin Policy, not the server.
How come I can make the exact same request using the server-side code?
...
...but if its done for security purpose, how come I can make these CORS requests anyway I like, for example as server-side code above?
Because your server-side code doesn't have access to potentially-confidential client-side information. From the Wikipedia article on the SOP:
The same-origin policy helps protect sites that use authenticated sessions. The following example illustrates a potential security risk that could arise without the same-origin policy. Assume that a user is visiting a banking website and doesn't log out. Then, the user goes to another site that has some malicious JavaScript code running in the background that requests data from the banking site. Because the user is still logged in on the banking site, the malicious code could do anything the user could do on the banking site. For example, it could get a list of the user's last transactions, create a new transaction, etc. This is because the browser can send and receive session cookies to the banking site based on the domain of the banking site.
The user visiting the malicious site would expect that the site he or she is visiting has no access to the banking session cookie. While it is true that the JavaScript has no direct access to the banking session cookie, it could still send and receive requests to the banking site with the banking site's session cookie. Because the script can essentially do the same as the user would do, even CSRF protections by the banking site would not be effective.
Upvotes: 3
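The answer's point (the server only emits headers and cannot tell what kind of client is asking; it is the browser that withholds the response from the page, and it is the browser that would have attached the user's cookies) can be modelled in a few lines. The following is an added example, not code from the question or the answer: a self-contained, offline simulation in Node-flavoured JavaScript of the CORS decision a browser makes and of what a non-browser client like the poster's HtmlWeb.Load sees. The bank origin, the allowed-origin list and the session cookie value are constructed for the example.

```javascript
// Added example (not from the question or answer). No network access: "requests"
// and "responses" are plain objects built inline.

// Constructed policy: only the bank's own web app may read responses with cookies.
const ALLOWED_ORIGINS = new Set(['https://app.bank.example']);

// Server side. The server only sees whatever headers arrive. It cannot tell a
// browser from curl or a C# program; a non-browser client simply sends no Origin.
// It always sends the body; all it controls is the Access-Control-* headers.
function serverRespond(requestHeaders) {
  const origin = requestHeaders.origin; // undefined for non-browser clients
  const headers = { 'content-type': 'text/html' };
  if (origin !== undefined && ALLOWED_ORIGINS.has(origin)) {
    headers['access-control-allow-origin'] = origin;
    headers['access-control-allow-credentials'] = 'true';
    headers['vary'] = 'Origin'; // response differs per Origin, so caches must key on it
  }
  return { status: 200, headers, body: '<html>last transactions: ...</html>' };
}

// Browser side: the check a browser applies before it lets a page's script read a
// cross-origin response. Returns true if the read is allowed, false if it is blocked.
// Note the response has already been received; blocking happens in the browser.
function browserReadCheck(pageOrigin, responseHeaders, withCredentials) {
  const acao = responseHeaders['access-control-allow-origin'];
  if (acao === undefined) return false;           // no CORS header: opaque to the page
  if (acao === '*') return !withCredentials;      // wildcard is never honoured with cookies
  if (acao !== pageOrigin) return false;          // header names a different origin
  if (withCredentials &&
      responseHeaders['access-control-allow-credentials'] !== 'true') return false;
  return true;
}

// Simulate a cross-origin request made by script on a page at pageOrigin.
// The browser, not the script, adds the Origin header and (for a credentialed
// request) the bank's session cookie, which the script itself cannot read.
function fetchFromBrowser(pageOrigin, withCredentials) {
  const reqHeaders = { origin: pageOrigin };
  if (withCredentials) reqHeaders.cookie = 'session=abc123'; // constructed cookie value
  const res = serverRespond(reqHeaders);
  const readable = browserReadCheck(pageOrigin, res.headers, withCredentials);
  return {
    sent: true,                     // the request was made and answered either way
    cookieAttached: withCredentials,
    readable,
    body: readable ? res.body : null,
  };
}

// Simulate the poster's server-side code: a non-browser client. No Origin header,
// no user's cookies, and no same-origin policy, so whatever the server sends is read.
function fetchFromServerSideCode() {
  const res = serverRespond({});
  return { sent: true, cookieAttached: false, readable: true, body: res.body };
}

// Stand-alone demonstration.
console.log('evil page, with cookies  :', fetchFromBrowser('https://evil.example', true));
console.log('bank app, with cookies   :', fetchFromBrowser('https://app.bank.example', true));
console.log('server-side code         :', fetchFromServerSideCode());
```

The first call shows the situation the answer describes: the request is sent, the bank answers, and the page at evil.example still gets nothing, because the browser refuses to hand over the body. The third call shows why the poster's C# code is unaffected: it never had the user's cookie to begin with, so there is nothing for a same-origin policy to protect, and no browser in the path to enforce one.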