skipnothing/HTTP & Networking
UNIT 04

The Browser as Client

Same-origin, CORS, cookies, mixed content, the browser's invisible rules

When the client is a browser, HTTP gets a new set of rules layered on top. Same-origin decides what scripts can read; CORS opens the rules selectively; cookies travel by their own logic. This unit makes the invisible rules visible.

Loading…
TOPICS
#17

Same-Origin Policy

Name the scheme, host, and port that form a URL's origin, decide whether two pages are same-origin, and predict whether a script can read a cross-origin response or only send the request.

Your `fetch('https://api.example.com/data')` fires and the server answers with a normal `200`, yet the console shows a red error and your code cannot touch the body. The response arrived; the browser refused to let your script read it.

12 min
#18

CORS & Preflight

Read an OPTIONS preflight exchange and name what each Access-Control-* header does, predict whether a request is sent directly or preflighted from its method and content type, and fix a wildcard origin that breaks the moment credentials ride along.

Your `fetch('https://api.example.org/orders')` comes back blocked, so you keep adding headers to the request and it keeps failing. The one header that unblocks it lives on the response, and only the server can send it.

14 min
#19

Cookies & SameSite

Predict whether a stored cookie rides a cross-site request from its SameSite value, tell the site boundary apart from the origin boundary that blocks a cross-origin read, and assemble the flags a login session versus a third-party embed each needs.

`curl -v https://app.example.com` prints one line you typed and one the browser adds without asking: a header carrying a value the server handed you on an earlier response, replayed now on its own, with no code re-sending it.

13 min
#20

Mixed Content & Secure Contexts

Sort each http subresource an https page loads into upgraded or blocked by whether it can modify the page, predict when an upgrade silently drops a resource, and decide which pages are secure contexts that expose powerful APIs.

You ship a dashboard over `https`, the address bar shows the closed padlock, and one `<script src="http://...">` you pasted months ago never runs. The page half-renders and the console prints one red line explaining the drop.

12 min
#21

Service Workers as Network Layer

Trace a request as it stops at the worker's `fetch` handler, predict which response comes back (the network, a hand-filled cache, or a JavaScript string), and tell the worker's Cache Storage apart from the HTTP cache it does not obey.

You switch the browser to `Offline`, reload the notes app you shipped, and `fetch('/today.json')` still comes back `200` with today's list, no request having left the machine. Something answered in the network's place.

13 min
All units