If CORS is just a header, why don’t attackers just ignore it?

artist’s rendition: world before CORS
mywebsite.com makes a request to itself, and to google.com/lookup via its own backend servers acting as a proxy

mywebsite.com JavaScript uses CORS to negotiate access to an API: an OPTIONS preflight request confirms access
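The negotiation in the caption above is enforced by the browser, not by the server: the server just answers, and the browser decides whether the page's JavaScript may send the request or read the reply. The following is an added example, not code from the original post, modelling that decision (simple request, OPTIONS preflight, credentials) beside a non-browser client that has no such check. The hostnames, the toy server's allow-list and session cookie, and all function names are assumptions for illustration.

```javascript
// Added example (not from the original post): a model of the browser-side CORS
// check next to a non-browser client that ignores it. mywebsite.com,
// evil.example, the toy server's policy and its cookie are assumed.

const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_CONTENT_TYPES = new Set(["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);

// CORS-safelisted request header: may be sent without a preflight.
function isSafelistedHeader(name, value) {
  const n = name.toLowerCase();
  if (["accept", "accept-language", "content-language"].includes(n)) return true;
  return n === "content-type" && SAFE_CONTENT_TYPES.has(String(value).split(";")[0].trim().toLowerCase());
}

function needsPreflight(req) {
  if (!SAFE_METHODS.has(req.method)) return true;
  return Object.entries(req.headers || {}).some(([k, v]) => !isSafelistedHeader(k, v));
}

// Toy API server (assumed). It cannot tell a browser from curl; it just answers.
// The secret is only returned to a request carrying the session cookie.
function toyServer(req) {
  const rh = req.headers || {};
  const h = {};
  if (rh.origin === "https://mywebsite.com") {
    h["access-control-allow-origin"] = rh.origin; // echo an allow-listed origin, never "*" with credentials
    h["access-control-allow-credentials"] = "true";
    h["vary"] = "Origin";
  }
  if (req.method === "OPTIONS") {
    h["access-control-allow-methods"] = "GET, POST, DELETE";
    h["access-control-allow-headers"] = "Content-Type, X-Csrf-Token";
    return { status: 204, headers: h, body: "" };
  }
  const loggedIn = rh.cookie === "session=victim";
  return { status: 200, headers: h, body: loggedIn ? '{"balance":"secret"}' : '{"error":"login required"}' };
}

// Browser rule: does the response's Access-Control-Allow-Origin let this origin read it?
function originAllowed(res, origin, credentials) {
  const acao = res.headers["access-control-allow-origin"];
  if (acao === "*") return !credentials; // wildcard is refused when credentials are sent
  if (acao !== origin) return false;
  return !credentials || res.headers["access-control-allow-credentials"] === "true";
}

// Browser rule for Access-Control-Allow-Methods / -Headers; "*" is literal with credentials.
function listAllows(headerValue, wanted, credentials) {
  const items = (headerValue || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
  return (items.includes("*") && !credentials) || items.includes(wanted.toLowerCase());
}

// Model of the browser: a page at `origin` calls fetch(). The victim's cookie is
// attached only by the browser, and only when credentials are requested.
// Returns what the page's JavaScript is allowed to see.
function browserFetch(origin, req, server, { credentials = false } = {}) {
  const headers = { ...(req.headers || {}), origin };
  if (credentials) headers.cookie = "session=victim";
  if (needsPreflight(req)) {
    const pre = server({ method: "OPTIONS", path: req.path, headers: { origin,
      "access-control-request-method": req.method,
      "access-control-request-headers": Object.keys(req.headers || {}).join(", ") } });
    if (pre.status < 200 || pre.status > 299 || !originAllowed(pre, origin, credentials))
      return { ok: false, reason: "preflight rejected: request never sent" };
    if (!SAFE_METHODS.has(req.method) && !listAllows(pre.headers["access-control-allow-methods"], req.method, credentials))
      return { ok: false, reason: "preflight: method not allowed: request never sent" };
    for (const [k, v] of Object.entries(req.headers || {}))
      if (!isSafelistedHeader(k, v) && !listAllows(pre.headers["access-control-allow-headers"], k, credentials))
        return { ok: false, reason: `preflight: header ${k} not allowed: request never sent` };
  }
  const res = server({ ...req, headers }); // simple requests always reach the server
  if (!originAllowed(res, origin, credentials)) return { ok: false, reason: "response hidden from page" };
  return { ok: true, body: res.body };
}

// curl, a script, an attacker's own program: no browser, no CORS check,
// and no victim cookie either.
function nonBrowserFetch(req, server) {
  return { ok: true, body: server(req).body };
}

// Wrap the server to count how many requests actually reached it.
function countingServer(server) {
  const wrapped = (req) => { wrapped.calls += 1; return server(req); };
  wrapped.calls = 0;
  return wrapped;
}
```

Two things the model makes visible: for a simple GET from an unlisted origin the server still does the work and returns the body, and only the browser hides it from the page; for a DELETE the preflight fails and the real request is never sent at all. A client that is not a browser reads every response, but it is not carrying the victim's cookie, which is why "just ignoring" the header gains the attacker nothing.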

Why don’t we just let anything request anything else and block cookies?

Image of Yes Man (a big computer) from Fallout: New Vegas with NO GODS, NO MASTERS above it.

i’m trying http://twitter.com/zemnmez

Zemnmez