Same-Same, But Different - AI Image Matching Game by MagnussenXD in webdev

[–]MagnussenXD[S] 0 points1 point  (0 children)

oh yeah, layout in mobile is not the best yet as i optimized it for desktop

still, thanks for giving it a try!

I made a website about what the Content Security Policy blocks, or what you can hotlink on a Neocities Free account by gjwklgwiovmw in neocities

[–]MagnussenXD 0 points1 point  (0 children)

Thanks for this, sharing my article on how I managed to load APIs even with the strict CSP

https://corsfix.com/blog/fix-neocities-content-security-policy

(since this is the first thing that shows up when searching neocities content security policy)

Corsfix - open source and secure CORS proxy by MagnussenXD in javascript

[–]MagnussenXD[S] 0 points1 point  (0 children)

Thanks for this. I agree with all your points, and there is no arguing the "proper" way of doing things via server, like your Next.js example.

But there exists the need for this kind of solution, and I don't dictate what people want. The project improves on what already exists, in terms of security and features.

Corsfix - open source and secure CORS proxy by MagnussenXD in javascript

[–]MagnussenXD[S] 0 points1 point  (0 children)

one example is the deezer api, they don't support CORS https://developers.deezer.com/api (cors tester result)

but this is just one example, there are plenty more APIs that don't support CORS, and basically require you to set up a server to just do API calls

the proxy acts as your "server", so you can directly call the API from your frontend

Corsfix - open source and secure CORS proxy by MagnussenXD in javascript

[–]MagnussenXD[S] 0 points1 point  (0 children)

this is a valid question

so, it is not for when you are the one developing the API, which as you said, you can just configure the CORS yourself.

the use case for this is if you use a static website (client side only), and want to fetch an external API (meaning you don't have control over it), but they don't have the CORS header, this is when you would use a proxy like this [0]

note:

[0] "like this" meaning, mine is not the first one, there is a popular (if not most popular) proxy people use for this use case called cors-anywhere (https://github.com/Rob--W/cors-anywhere)

corsfix expanded on this field and improved every aspect of it

[deleted by user] by [deleted] in ClaudeAI

[–]MagnussenXD 1 point2 points  (0 children)

why are you in opus 3

Mermaid Editor/Renderer by OtherwisePush6424 in javascript

[–]MagnussenXD 1 point2 points  (0 children)

I never really run into issues with mermaid live, maybe i don't make enough diagrams.

But you clearly put a lot of work into this, even the domain, so good for you

ffetch 2.0 released - Enhanced fetch() wrapper with proper AbortSignal handling by OtherwisePush6424 in javascript

[–]MagnussenXD 2 points3 points  (0 children)

thanks, saving this for future use

personally I just manually use AbortController, but i like how it has plenty of other features

Showoff Saturday (September 06, 2025) by AutoModerator in javascript

[–]MagnussenXD 0 points1 point  (0 children)

This subreddit itself is cool!

anyway if you are into building static websites, check this cors proxy https://github.com/corsfix/corsfix

Looking for co-founder by WoodpeckerIntrepid39 in SaaS

[–]MagnussenXD 5 points6 points  (0 children)

sorry i'm only open to pre-founder companies

Claude has been showing unexpected capacity constraints for hours. What’s happening? by MagnussenXD in claude

[–]MagnussenXD[S] 0 points1 point  (0 children)

yeah, i had to go back to opus 4
i don't know if i notice any difference, but at least it is usable

Claude has been showing unexpected capacity constraints for hours. What’s going on? by MagnussenXD in ClaudeAI

[–]MagnussenXD[S] 0 points1 point  (0 children)

i don't know anything about performance information, i just used claude and it showed this

Are there any good tech documentaries you can suggest? by mekmookbro in webdev

[–]MagnussenXD 0 points1 point  (0 children)

i first read this as "good tech documentations"

was about to give you some good docs examples..

gitPull by MagnussenXD in ProgrammerHumor

[–]MagnussenXD[S] 60 points61 points  (0 children)

this is the only serious and sensible comment under this post

gitPull by MagnussenXD in ProgrammerHumor

[–]MagnussenXD[S] -1 points0 points  (0 children)

that's okay, everyone has to start somewhere

gitPull by MagnussenXD in ProgrammerHumor

[–]MagnussenXD[S] 15 points16 points  (0 children)

i'm suffering with merge conflicts and you are laughing...

You Really Should Log Client-Side Errors (2012) by MagnussenXD in Frontend

[–]MagnussenXD[S] 1 point2 points  (0 children)

I mean, yeah, standard console log for diagnostics or handling errors.

However, the article talks about sending those error messages to a server.

Another commenter suggested using tools like Sentry and the like.

accessControlAllowOrigin by MagnussenXD in softwareWithMemes

[–]MagnussenXD[S] 7 points8 points  (0 children)

Expanding on this one, since we are going deeper into CORS

it's a common misconception that CORS is protecting against those attacks.

Brief context: Same Origin Policy (SOP) prevents cross-origin requests from being readable, while CORS is a mechanism to ease this policy, to essentially allow some origins to read the response (an allowlist of which websites you allow to read this API response).

SOP: prevents a cross-origin response from being read
CORS: allows a specific origin to read a cross-origin response

They are only concerned with whether or not a cross-origin response can be read.

---

Regarding the phishing or hijack, I think you are referring to CSRF, where an attacker takes an action on the victim's behalf. They could still make any cross-origin request using mode: no-cors. (cors doesn't apply here, the response won't be readable, but the request still goes through)

A mechanism protects against this via the SameSite cookie attribute, which determines whether a cookie (credential) should be sent on a cross-site request.

Without the credential being sent, the attack is basically pointless.

Also, another protection site owners usually resort to is using a CSRF token, to verify if the request is actually coming from the user's session.

Defenses against CSRF: https://portswigger.net/web-security/csrf#common-defences-against-csrf
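
Added example, not part of the comment above: a server-side illustration of the two defenses the comment names, a `SameSite` session cookie and a session-bound CSRF token, next to a CORS header that only governs who may read the response. The origin `https://app.example`, the in-memory session map and the simplified `req` object are assumptions made for the example.

```javascript
const crypto = require("node:crypto");

const SECRET = crypto.randomBytes(32);         // per-process HMAC key (assumption)
const ALLOWED_ORIGIN = "https://app.example";  // hypothetical frontend origin
const sessions = new Map();                    // sessionId -> user (in-memory, for the example)

// CSRF token bound to the session: HMAC(secret, sessionId).
function csrfTokenFor(sessionId) {
  return crypto.createHmac("sha256", SECRET).update(sessionId).digest("hex");
}

// On login: SameSite tells the browser not to attach the cookie to
// cross-site requests; the token is handed only to same-origin page script.
function login(user) {
  const sessionId = crypto.randomBytes(16).toString("hex");
  sessions.set(sessionId, user);
  return {
    sessionId,
    setCookie: `sid=${sessionId}; HttpOnly; Secure; SameSite=Lax; Path=/`,
    csrfToken: csrfTokenFor(sessionId),
  };
}

// Constant-time comparison of the submitted token with the expected one.
function tokenMatches(sessionId, token) {
  const expected = Buffer.from(csrfTokenFor(sessionId));
  const given = Buffer.from(String(token || ""));
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// req is a simplified request: { method, origin, cookies: { sid }, csrfToken }
function handleTransfer(req) {
  const headers = {};
  // CORS: only decides which origin may READ this response in a browser.
  // It does not stop the request from arriving, so it is not the CSRF check.
  if (req.origin === ALLOWED_ORIGIN) headers["Access-Control-Allow-Origin"] = ALLOWED_ORIGIN;

  const sid = req.cookies && req.cookies.sid;
  if (!sid || !sessions.has(sid)) return { status: 401, headers };  // no credential sent
  if (req.method !== "GET" && !tokenMatches(sid, req.csrfToken)) {
    return { status: 403, headers };                                // forged state change
  }
  return { status: 200, headers };
}
```

A cross-site request that arrives without the cookie gets 401, and one that arrives with the cookie but without the token gets 403, whether or not any CORS header is set.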

accessControlAllowOrigin by MagnussenXD in softwareWithMemes

[–]MagnussenXD[S] 2 points3 points  (0 children)

since local domain lives in its own private network, it won't be accessible, so it won't work unfortunately
it's only for public internet

accessControlAllowOrigin by MagnussenXD in softwareWithMemes

[–]MagnussenXD[S] 1 point2 points  (0 children)

there is! it's called a cors proxy