Why is CORS not used for cross-domain requests by default? [closed]

Question

Closed. This question is opinion-based. It is not currently accepting answers.

---

Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.

Closed 5 years ago.

Improve this question

In order to be able to do cross-domain AJAX requests, SharePoint 2013 introduced SP.RequestExecutor.js library which uses a hidden iframe to do the request.

This looks hacky (although I'm not sure if it actually is) and is different from the developers who never used SharePoint before are accustomed to.

Why not using the standard way which relies on CORS (which is actually the recommended standard of the W3C)?

Since the cross-domain requests are done between applications handled by SharePoint, it seems natural to provide and use CORS under the hood, transparently (allowing to configure Access-Control-Allow-Origin header within SharePoint 2013 Central Administration).

Answer 1

I think it would be difficult for someone outside of the product team to give an accurate reason as to why they implemented this using a technology other than CORS... I would guess that in addition to any technical reasons though, CORS was not a reommended standard until January 2014, pre-dating the implementation of the App Model and SharePoint 2013.