Why is cors used inside socket.io?

Question

It seems that cors middleware is a prerequisite when it comes to using socketio chat application.
but honestly, I cannot understand the reason why we use cors.

const io = require('socket.io')(server)

My server is running on localhost:3000, and that io is relying on my server. So domains of both are same with localhost:3000. But why is cors needed? Some explanation might be appreciated.

Answer 1

Chrome does not support CORS requests on localhost, and there's a bug regarding this issue which has been marked as a WontFix. They suggest you to use this chrome extension to temporarily disable CORS during development. So rather than having a CORS middleware on socket.io, which you may forget to remove in production, you can use the chrome extension for localhost testing.

Answer 2

If your socket.io server is the same host and port as the web server that the containing web page came from, then you do not need CORs at all.

CORs is only needed when you need to make an http request to a different domain or port. Further, if you limit socket.io to ONLY use the webSocket transport and not do it's little initialization routine that starts out with http polling, then you don't even need CORS to do cross origin socket.io.

So, to summarize, socket.io needs CORs only when your socket.io server is a different host or port than the web page that the connection is being made from and you can avoid CORs even then if you turn off the http polling transport so that socket.io only uses a webSocket as the transport.