{"_self":{"principle":"Self-explaining payload — no external context required. This _self block describes what you are reading and where to look next.","widget":"article_bundle","feature":"bundle","name":"LLM article bundle","what":"Paste-ready package: body + claims + sources + voxels + provenance + manifest + constitution.","contains":"body, claims, sources, voxels, provenance, question graph, constitution, llm_manifest","slug":"oip-what-is-cors","urls":{"read":"https://miscsubjects.com/api/articles/oip-what-is-cors/bundle?format=markdown"},"how_to_use":"Paste into any LLM. Read §SELF first. Write back via ingest or claim endpoints in llm_manifest.","write":null,"imessage":null,"router_tag":null,"proof_chain":[{"step":1,"claim":"Articles are voxel graphs of tiered claims, not prose blobs.","verify":"https://miscsubjects.com/api/articles/constitution"},{"step":2,"claim":"Claims link to hash-chained sources via source_ids.","verify":"https://miscsubjects.com/api/articles/oip-what-is-cors/sources"},{"step":3,"claim":"Ask reads topology; ingest/claim append to ledger.","verify":"https://miscsubjects.com/api/protocol"},{"step":4,"claim":"Models queue growth: populate → collaborate → repair → reflex.","verify":"https://miscsubjects.com/api/protocol/grow"},{"step":5,"claim":"Graph proves its own shape (reflex) and $/claim (yield).","verify":"https://miscsubjects.com/graph.html?layer=reflex"},{"step":6,"claim":"Full feature index + _explain on every API response.","verify":"https://miscsubjects.com/api/articles/system-map"}],"related_features":[{"id":"topology","name":"Article topology","what":"Claims, sources, anecdotes, user reports, related embeds, question graph slice — for ask/ROUTER.","urls":{"read":"https://miscsubjects.com/api/articles/oip-what-is-cors/topology"}},{"id":"voxels","name":"Voxel graph","what":"Claims as atoms, sources as edges (supported_by, posted_by). Per-claim provenance.","urls":{"read":"https://miscsubjects.com/api/articles/oip-what-is-cors/voxels","write":"https://miscsubjects.com/api/protocol/claim"}},{"id":"ask","name":"Ask protocol","what":"Answer only from topology; creates question_node with gaps and ingest_hint.","urls":{"read":"https://miscsubjects.com/api/articles/oip-what-is-cors/prompts","write":"https://miscsubjects.com/api/protocol/ask"}},{"id":"ingest","name":"Ingest protocol","what":"Parse pasted evidence → source ledger + claims + evidence_ingest node.","urls":{"write":"https://miscsubjects.com/api/protocol/ingest"}},{"id":"claim_post","name":"Claim post protocol","what":"Prompt-injection style POST — one claim voxel with who_claims + posted_by.","urls":{"read":"https://miscsubjects.com/api/articles/oip-what-is-cors/voxels","write":"https://miscsubjects.com/api/protocol/claim"}},{"id":"llm_manifest","name":"LLM manifest","what":"Machine-readable read/write contract for external LLMs.","urls":{"read":"https://miscsubjects.com/api/articles/llm-manifest"}}],"system_map":"https://miscsubjects.com/api/articles/system-map","system_map_markdown":"https://miscsubjects.com/api/articles/system-map?format=markdown","not_medical_advice":true},"_explain":{"feature":"bundle","name":"LLM article bundle","what":"Paste-ready package: body + claims + sources + voxels + provenance + manifest + constitution.","why":"Every feature is auditable collective intelligence","how":"Paste into any LLM. Read §SELF first. Write back via ingest or claim endpoints in llm_manifest.","model":null,"verifies":null,"urls":{"read":"https://miscsubjects.com/api/articles/oip-what-is-cors/bundle?format=markdown"},"imessage":null,"router":null,"related":[{"id":"topology","what":"Claims, sources, anecdotes, user reports, related embeds, question graph slice — for ask/ROUTER."},{"id":"voxels","what":"Claims as atoms, sources as edges (supported_by, posted_by). Per-claim provenance."},{"id":"ask","what":"Answer only from topology; creates question_node with gaps and ingest_hint."},{"id":"ingest","what":"Parse pasted evidence → source ledger + claims + evidence_ingest node."},{"id":"claim_post","what":"Prompt-injection style POST — one claim voxel with who_claims + posted_by."},{"id":"llm_manifest","what":"Machine-readable read/write contract for external LLMs."}],"not_medical_advice":true},"bundle_version":1,"generated_at":"2026-07-04T22:36:39.754Z","slug":"oip-what-is-cors","title":"CORS: The Browser's Cross-Origin Gate","url":"https://miscsubjects.com/a/oip-what-is-cors","register":"oip_protocol","tags":["oip","protocol"],"posted_at":"2026-07-04T18:30:57.374Z","updated_at":"2026-07-04T19:01:14.259Z","body":"# CORS: The Browser's Cross-Origin Gate\n\nCORS is the browser's security mechanism that controls which web pages can request resources from other origins. It is not a firewall. It is not server-side authentication. It is the browser deciding, on the user's behalf, whether to expose a cross-origin response to the page that asked for it.\n\n## What It Is\n\n**CORS is a browser-enforced access-control protocol. A web server declares, via HTTP headers, which origins may read its responses. The browser reads those headers and either hands the response to the requesting page or blocks it with a network error.** Every cross-origin request the browser makes — `fetch`, `XMLHttpRequest`, `WebSocket`, fonts, images in canvas — is subject to this gate unless the request qualifies as a \"simple\" request that the server has already allowed.\n\n## Why It Matters\n\nThe web runs on the same-origin policy: a script from `bank.com` cannot read responses from `evil.com`. This is the foundation of web security. Without it, any malicious page you open could read your bank data, steal your session cookies, and act on your behalf.\n\nCORS is the escape hatch. It lets a server deliberately relax the same-origin policy for specific origins, methods, and headers. It is the web's answer to the question: \"How do we share data across origins without abandoning security entirely?\"\n\nThe practical stakes are enormous. APIs, CDNs, microservices, authentication providers, payment gateways — all of them rely on CORS to function across domain boundaries. A misconfigured CORS policy is not a minor bug. It is an open door or a slammed gate, depending on which direction you err.\n\n## How It Works\n\nThe browser classifies every cross-origin request into one of two categories: **simple requests** or **preflighted requests**.\n\nA simple request uses one of these methods: GET, HEAD, or POST. Its headers are limited to the CORS-safelisted set (Accept, Accept-Language, Content-Language, Content-Type with specific values). It triggers no preflight. The browser sends the request, reads the response headers, and either delivers the response or blocks it.\n\nA preflighted request uses any other method (PUT, DELETE, PATCH), any custom header, or any Content-Type outside the safelisted values. Before the real request, the browser sends an OPTIONS request — the preflight — to the target origin. The server responds with `Access-Control-Allow-Origin`, `Access-Control-Allow-Methods`, and `Access-Control-Allow-Headers`. The browser checks these. If the origin, method, and headers are all permitted, the browser sends the actual request. If not, the browser aborts. The requesting JavaScript sees only a generic network error. No status code. No body. Nothing.\n\nThe server must echo the requesting origin in `Access-Control-Allow-Origin`, or use `*` for public resources. For credentials (cookies, HTTP auth, client certs), the server must send `Access-Control-Allow-Credentials: true` and the origin must be explicit. `*` with credentials is forbidden.\n\nCredentials are a footgun. If you send `Access-Control-Allow-Credentials: true` with `Access-Control-Allow-Origin: *`, the browser rejects the response. The origin must be explicit.\n\n## The Contract\n\nThe exact interface is a set of HTTP response headers. The browser reads them. The server sets them. No negotiation. No handshake beyond the preflight.\n\n| Header | Purpose | Example |\n|--------|---------|---------|\n| `Access-Control-Allow-Origin` | Permitted origin(s) | `https://client.com` or `*` |\n| `Access-Control-Allow-Methods` | Permitted HTTP methods | `GET, POST, PUT, DELETE` |\n| `Access-Control-Allow-Headers` | Permitted custom headers | `Content-Type, X-Auth-Token` |\n| `Access-Control-Allow-Credentials` | Allow cookies/auth | `true` (must be exact) |\n| `Access-Control-Expose-Headers` | Headers the page may read | `X-Total-Count, X-Rate-Limit` |\n| `Access-Control-Max-Age` | Preflight cache duration | `86400` (seconds) |\n\nThe browser's contract is equally strict. If the response headers do not match the request, the response is discarded. The JavaScript caller receives no information about why. The browser's console may log the reason, but the code does not. This is deliberate: information leakage is also a security risk.\n\n## Real Examples\n\n**1. The API Gateway**\nA REST API at `api.example.com` serves `https://app.example.com`. The API responds with `Access-Control-Allow-Origin: https://app.example.com`. No other origin is permitted. The browser on `evil.com` sends a request, gets the response, but the browser blocks it from the page. The data never reaches the attacker.\n\n**2. The CDN with Public Assets**\nA CDN at `cdn.example.com` hosts images and fonts. It sends `Access-Control-Allow-Origin: *`. Any page can load these assets. But no page can send credentials to fetch them. The `*` wildcard and credentials are mutually exclusive.\n\n**3. The Auth Token Exchange**\nA client at `app.example.com` sends `POST /login` with `Content-Type: application/json` and `X-Auth-Token` header. The server must respond to the preflight with `Access-Control-Allow-Headers: Content-Type, X-Auth-Token`. If the server omits `X-Auth-Token`, the browser aborts the real request. The login fails. No error message reaches the client. The developer opens DevTools and finds the CORS error in the console.\n\n**4. The WebSocket Upgrade**\nWebSocket connections are not subject to CORS preflight. The browser sends the upgrade request with an `Origin` header. The server checks the origin and either accepts or rejects the connection. This is not CORS, but it is the same-origin principle applied to a different protocol.\n\n**5. The Microservice Mesh**\nA frontend at `portal.example.com` calls `billing.example.com`, `inventory.example.com`, and `auth.example.com`. Each service must set its own CORS headers. If one service forgets, the portal breaks for that endpoint. The failure is silent. The user sees a blank widget. The network tab shows a 200 OK that the browser threw away.\n\n## Common Mistakes\n\n**Reflecting the origin blindly.** A server reads the `Origin` header and echoes it back unconditionally. This is not `*`. It looks like security. But if the origin is `null` (from a local file, a sandboxed iframe, or a redirect), the server reflects `null`, and the browser treats `null` as a valid origin. Some implementations also reflect `*` when the origin is missing, which is even worse. This is how misconfigured CORS becomes a vulnerability.\n\n**Sending credentials with `*`.** The browser rejects this combination. The developer adds `credentials: 'include'` to fetch, the server sends `Access-Control-Allow-Origin: *`, and every request fails. The fix is to echo the exact origin and add `Access-Control-Allow-Credentials: true`.\n\n**Relying on the server for security.** CORS is a browser mechanism. It does not stop a curl script, a server-to-server request, or any non-browser client from calling your API. If you need access control, implement it at the API layer. CORS is defense in depth, not the primary defense.\n\n**Caching preflight responses incorrectly.** A CDN caches a preflight response with `Access-Control-Allow-Methods: GET`. A client later tries POST. The browser uses the cached preflight, finds POST is not allowed, and fails. The server supports POST. The CDN is wrong. Cache busting or proper `Vary: Origin` headers are the fix.\n\n**Thinking the preflight is optional.** You cannot disable preflight. The browser decides. If your API requires custom headers, the preflight happens. You can reduce the cost with `Access-Control-Max-Age`, but you cannot eliminate it.\n\n## Connection to OIP\n\nOIP is built on the principle that systems must be open, deterministic, and auditable. CORS is a poor approximation of this, but it shares the same underlying concern: who gets to read what, and under what conditions.\n\nAn OIP-compliant system does not hide access rules inside a browser's black-box enforcement. The rules are explicit: a directory row declares its inputs, its outputs, and its permissions. There is no silent failure. There is no request that returns 200 but delivers nothing to the caller because a header was misaligned.\n\nCORS is a bridge between the old web and the OIP philosophy. It forces a server to declare its cross-origin policy in headers — a form of self-describing contract. The browser enforces that contract. The problem is opacity: the browser's decision is not auditable by the calling code, and the error is not actionable.\n\nIn an OIP system, every capability is a directory row with explicit inputs and outputs. The contract is visible. The enforcement is transparent. The failure is explainable. CORS is a step toward that world, but it is trapped in a model where the browser is the intermediary and the developer is the last to know what went wrong.\n\nThe lesson is this: CORS matters because cross-origin boundaries are real and dangerous. The way to get it right is to treat it as a formal contract — exact headers, exact origins, exact methods — and to verify it in practice, not in theory. That is the OIP way.\n\n\n## Connection to the Grain Philosophy\n\nThis protocol is part of the [Open Inventory Protocol](/a/philosophy) — a living system of self-describing voxels that serves the Grain philosophy. The OIP is the interface. The philosophy is the core.\n","claims":[],"sources":[],"voxels":{"slug":"oip-what-is-cors","counts":{"voxels":0,"sources":0,"edges":0},"note":"slim bundle — full voxels at /api/articles/oip-what-is-cors/voxels"},"constitution":{"url":"https://miscsubjects.com/api/articles/constitution"},"provenance":[],"contributions":[],"topology":null,"slim":true,"ledger_totals":{"claims":0,"sources":0,"exported_claims":0,"exported_sources":0},"question_graph":{"slug":"oip-what-is-cors","questions":[],"evidence":[],"edges":[],"counts":{"questions":0,"evidence":0,"edges":0}},"verification":{"provenance":{"valid":true,"entries":0,"head":"genesis"},"sources":{"valid":true,"entries":0,"head":"genesis"}},"counts":{"claims":0,"sources":0,"provenance":0,"contributions":0,"questions":0,"evidence_ingests":0,"voxel_edges":0},"llm_manifest":{"version":"1","site":"https://miscsubjects.com","purpose":"Peptide evidence articles with hash-chained source ledgers, tiered claims, and a question graph. LLMs should READ bundles/URLs and WRITE back via ingest — never invent doses.","read":{"human_page":"https://miscsubjects.com/a/oip-what-is-cors","bundle_json":"https://miscsubjects.com/api/articles/oip-what-is-cors/bundle","bundle_markdown":"https://miscsubjects.com/api/articles/oip-what-is-cors/bundle?format=markdown","topology":"https://miscsubjects.com/api/articles/oip-what-is-cors/topology","question_graph":"https://miscsubjects.com/api/articles/oip-what-is-cors/question-graph","sources":"https://miscsubjects.com/api/articles/oip-what-is-cors/sources","provenance":"https://miscsubjects.com/api/articles/oip-what-is-cors/provenance","contributions":"https://miscsubjects.com/api/articles/oip-what-is-cors/contributions","graph_topology":"https://miscsubjects.com/api/articles/oip-what-is-cors/graph-topology?question={question}","voxels":"https://miscsubjects.com/api/articles/oip-what-is-cors/voxels","constitution":"https://miscsubjects.com/api/articles/constitution","ontology":"https://miscsubjects.com/api/articles/ontology","system_map":"https://miscsubjects.com/api/articles/system-map","system_map_markdown":"https://miscsubjects.com/api/articles/system-map?format=markdown","health":"https://miscsubjects.com/api/articles/oip-what-is-cors/health","repair":"POST https://miscsubjects.com/api/protocol/repair","list_articles":"https://miscsubjects.com/api/articles","graph_canvas":"https://miscsubjects.com/graph.html?slugs=oip-what-is-cors","graph_yield":"https://miscsubjects.com/api/graph?slugs=oip-what-is-cors&layer=yield","obsidian_vault":"https://miscsubjects.com/api/articles/obsidian-vault?slugs=oip-what-is-cors","graph_query":"https://miscsubjects.com/api/v1/query?from=oip-what-is-cors&kind=claim&where=tier=human"},"ask":{"description":"Answer only from topology; creates a question_node with gaps.","api":"POST https://miscsubjects.com/api/protocol/ask","body":{"slug":"{slug}","question":"string"},"imessage":"oip-what-is-cors|your question","router_tag":"[ARTICLE_ASK]oip-what-is-cors|question[/ARTICLE_ASK]","auth":"x-terminal-key header for API; iMessage/WhatsApp via miscsubjects build"},"ingest":{"description":"Parse pasted evidence → source ledger + claims + evidence_ingest node.","api":"POST https://miscsubjects.com/api/protocol/ingest","body":{"slug":"{slug}","evidence":"paste text","question_node_id":"optional qn_..."},"imessage":"ingest oip-what-is-cors|q:{node_id}|paste evidence","router_tag":"[ARTICLE_INGEST]oip-what-is-cors|evidence[/ARTICLE_INGEST]","tiers":["human","preclinical","anecdotal","mechanistic","speculative"]},"claim":{"description":"Prompt-injection style POST — one claim voxel with who_claims + posted_by provenance.","api":"POST https://miscsubjects.com/api/protocol/claim","body":{"slug":"{slug}","text":"one assertion","tier":"human|preclinical|anecdotal|mechanistic|speculative","who_claims":"study author, platform, or model id","source_ids":"optional [s1]"},"imessage":"claim oip-what-is-cors|tier|assertion — who claims it?","router_tag":"[ARTICLE_CLAIM]oip-what-is-cors|tier|assertion[/ARTICLE_CLAIM]","slots":["what_it_is","who_claims_what","what_is_known","what_is_unknown","mechanism","limitations","disclaimer"]},"tiers":{"human":0.8,"preclinical":0.5,"anecdotal":0.3,"mechanistic":0.3,"speculative":0.1},"invariants":["Self-explaining — every API JSON has _self; every paste widget has §SELF; root index at /api/articles/system-map","Append-only — revisions preserved at ?rev=n","Source chain verifies integrity, not truth","Answers must cite claim ids and source ids from topology","Not medical advice"],"constitution":{"version":1,"principle":"Articles are voxel graphs of claims — not prose blobs. Every assertion is a claim atom with tier, weight, source_ids, and posted_by provenance.","slots":[{"id":"what_it_is","required":true,"answers":"What is this peptide/stack/condition?"},{"id":"who_claims_what","required":true,"answers":"Who claims what — study authors, platforms, n=?"},{"id":"what_is_known","required":true,"answers":"What is known with tier labels (human/preclinical/anecdotal)"},{"id":"what_is_unknown","required":true,"answers":"What is NOT known — explicit gaps"},{"id":"mechanism","required":false,"answers":"Proposed mechanism (mechanistic tier only)"},{"id":"limitations","required":true,"answers":"Limits of evidence — no dose advice"},{"id":"disclaimer","required":true,"answers":"Not medical advice"}],"claim_rules":["One claim = one falsifiable assertion. No compound claims.","Every claim must declare tier: human|preclinical|anecdotal|mechanistic|speculative|system.","system tier = architecture/design axioms (not biological mechanism). Use for protocol self-definition.","Sourced claims must cite source_ids from the hash-chained ledger.","Unsourced claims must set source_status: unsourced and why_material.","posted_by is mandatory on every new claim (model id, human, or channel).","No medical advice, no doses, no 'you should take'.","Bad information is retracted (status:retracted), never deleted — retraction event stays on ledger.","Adversary challenges link via challenges[] / challenged_by[] — target may be downweighted.","Leaked secrets are scrubbed to [REDACTED:secret-leak] with scrub_events tombstone — honest audit trail."],"source_rules":["Every source is a voxel edge: type, url, exact quote, summary, found_by, accessed_at.","Sources hash-chain — prev/hash on append.","Anecdotal sources must name platform (reddit|x|youtube|imessage|user_entry)."],"ontology_rules":["Peptide articles (bpc-157, tb-500) are tree roots.","Condition articles (bpc-157-glp1-gut-damage) branch from peptides.","Stack articles (wolverine-stack-glp1) compose peptides — never duplicate peptide mechanism prose.","If an article has no parent embeds and is not a root peptide → sprawl candidate.","Misstep = duplicate scope with another slug; merge or reparent via embeds."],"post_protocol":{"claim":"POST /api/protocol/claim","source":"POST /api/protocol/sources","ingest":"POST /api/protocol/ingest","webhook":"POST /api/articles/<slug>/webhook {kind:claim|source}","imessage_claim":"claim {slug}|{tier}|your assertion — who claims it, source?","imessage_ingest":"ingest {slug}|evidence paste"}},"this_article":{"slug":"oip-what-is-cors","url":"https://miscsubjects.com/a/oip-what-is-cors","bundle_url":"https://miscsubjects.com/api/articles/oip-what-is-cors/bundle?format=markdown"}},"api_urls":{"bundle":"https://miscsubjects.com/api/articles/oip-what-is-cors/bundle","bundle_markdown":"https://miscsubjects.com/api/articles/oip-what-is-cors/bundle?format=markdown","topology":"https://miscsubjects.com/api/articles/oip-what-is-cors/topology","voxels":"https://miscsubjects.com/api/articles/oip-what-is-cors/voxels","constitution":"https://miscsubjects.com/api/articles/constitution","ontology":"https://miscsubjects.com/api/articles/ontology","question_graph":"https://miscsubjects.com/api/articles/oip-what-is-cors/question-graph","ask":"https://miscsubjects.com/api/protocol/ask","ingest":"https://miscsubjects.com/api/protocol/ingest","claim":"https://miscsubjects.com/api/protocol/claim","system_map":"https://miscsubjects.com/api/articles/system-map","system_map_markdown":"https://miscsubjects.com/api/articles/system-map?format=markdown"}}