javascript modules and CORS
Many browsers do not allow you to access files on the local filesystem with JavaScript (even if the HTML document is also on the local filesystem).
This extends to loading JavaScript modules.
Install a webserver and use that (with a URL like http://localhost/
) for testing.
Importing script with type=module from local folder causes a CORS issue
I've googled that for hours and found out that I can host my app by a server (like node.js)Yes
and then to allow CORS.Since it will be Same Origin, you won't need CORS.
However I don't want any server. I want just a simple html and a js file.Then you can't use browser-side ES6 modules.
You'll need to either write the code to not use modules in the first place, or use something like Webpack or Rollup to convert the code to not use modules afterwards.
There is a discussion in the HTML issue tracker about the motivation for the CORS requirement.
Importing js file as module in html gives CORS errors in firefox
According to this article, running modules require a HTTP(s) connection and will not work locally:
If you try to open a web-page locally, via file:// protocol, you’llSo I'd suggest exactly that and instead of running it locally, use a live server extension from your preferred text editor.
find that import/export directives don’t work. Use a local web-server,
such as static-server or use the “live server” capability of your
editor, such as VS Code Live Server Extension to test modules.
Loading JavaScript in HTML files throws a cross origin request error in local environment only for ES6 modules and not for old JS, why?
Support for cross-origin script loading for non-modules without CORS is a legacy feature for backwards compatibility.
From a discussion during the development of the spec:
The web's fundamental security model is the same origin policy. We
have several legacy exceptions to that rule from before that security
model was in place, with script tags being one of the most egregious
and most dangerous. (See the various "JSONP" attacks.)Many years ago, perhaps with the introduction of XHR or web fonts (I
can't recall precisely), we drew a line in the sand, and said no new
web platform features would break the same origin policy. The existing
features need to be grandfathered in and subject to carefully-honed
and oft-exploited exceptions, for the sake of not breaking the web,
but we certainly can't add any more holes to our security policy.That's why, from our perspective, making module scripts bypass the
CORS protocol (and thus the same-origin policy) is a non-starter. It's
not about a specific attack scenario, apart from the ones already
enabled by classic scripts; it's about making sure that new features
added to the platform don't also suffer from the past's bad security
hygiene.
Related Topics
How to Calculate the Number of Years Between Two Dates
Adding a Slide Effect to Bootstrap Dropdown
Viewing All the Timeouts/Intervals in JavaScript
JavaScript Es6 Typeerror: Class Constructor Client Cannot Be Invoked Without 'New'
D3.JSON Method Doesn't Return My Data Array
Pass Parameter with Python Flask in External JavaScript
Handling Key-Press Events (F1-F12) Using JavaScript and Jquery, Cross-Browser
How to Upload Preview Image Before Upload Through JavaScript
Is There a Mechanism to Loop X Times in Es6 (Ecmascript 6) Without Mutable Variables
Select a Complete Table with JavaScript (To Be Copied to Clipboard)
How to Chain These Functions Together with Promises
Rails 5: How to Use $(Document).Ready() with Turbo-Links
What's the Purpose of Starting Semi Colon at Beginning of JavaScript