I'm working on a project that involves both Express and React. In my setup, I've established a server API using Express to facilitate data access from my frontend React application. However, I've run into an issue where attempting to retrieve data from a different localhost results in blocked requests due to the "CORS" policy.

After some research, I came across a solution involving the cors module in the backend. It's a common way to address CORS issues and enables controlled cross-origin requests. However, I encountered an intriguing workaround that allowed me to access the data without altering the backend code. By running Chrome with a specific command on Linux, I was able to bypass the CORS restriction:

google-chrome --user-data-dir="~/chrome-dev-disabled-security" --disable-web-security --disable-site-isolation-trials

Using this approach, I was able to successfully request data without any issues. This discovery made me wonder about the fundamentals of CORS and its role in security.

My question is: If it's possible to circumvent the CORS policy using the aforementioned Chrome command, does CORS truly provide security? How does this relate to the security concerns that CORS aims to address? What are the scenarios in which the CORS policy remains effective in safeguarding web applications?
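The split the question turns on, sketched as an added example (not part of the original question, and not the cors module's own code): the server only decides which `Access-Control-Allow-Origin` header to send, and the browser decides whether page script may read the response. The function names, the origins and the simplified browser model (a simple GET without credentials, no preflight) are assumptions made for illustration.

```javascript
// Constructed sample values: the API's own origin and the one frontend it trusts.
const API_ORIGIN = "http://localhost:4000";
const ALLOWED_ORIGINS = new Set(["http://localhost:3000"]);

// Server side: choose the CORS headers for the request's Origin header.
// An origin that is not on the allowlist simply gets no allow header.
function corsHeaders(requestOrigin, allowed = ALLOWED_ORIGINS) {
  const headers = { Vary: "Origin" };
  if (requestOrigin && allowed.has(requestOrigin)) {
    headers["Access-Control-Allow-Origin"] = requestOrigin;
  }
  return headers;
}

// The handler runs and returns the body either way: CORS headers do not
// authenticate the caller and do not stop the request from being processed.
function handleRequest(requestOrigin) {
  return {
    status: 200,
    headers: corsHeaders(requestOrigin),
    body: '{"items":[1,2,3]}',
  };
}

// Client side: simplified model of the browser's decision to hand the
// response to page script. webSecurity=false models a browser started with
// --disable-web-security, which affects only that one local browser.
function browserExposesBody(pageOrigin, response, webSecurity = true) {
  if (!webSecurity) return true;
  if (pageOrigin === API_ORIGIN) return true; // same-origin, no CORS check
  const acao = response.headers["Access-Control-Allow-Origin"];
  return acao === "*" || acao === pageOrigin;
}

// Walk the three cases from the question over constructed origins.
function demo() {
  const trusted = handleRequest("http://localhost:3000");
  const other = handleRequest("http://other-site.example");
  return {
    trustedPageReads: browserExposesBody("http://localhost:3000", trusted),
    otherPageReads: browserExposesBody("http://other-site.example", other),
    otherPageReadsFlagOff: browserExposesBody("http://other-site.example", other, false),
    serverStillAnswered: other.status === 200,
  };
}
```

Because the server answers in every case, anything that must stay private needs server-side authentication and authorization; the CORS check protects users whose browsers still enforce it from having other sites' scripts read responses on their behalf.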
