1. minhaz+(OP) 2023-06-01 03:38:38
Technically you can still do that by launching Chrome with some special flags or with a Chrome extension.

But I do agree that CORS is being hijacked/abused for this purpose. But at the same time it's an important security feature. It prevents the scenario where you visit some website and some malicious JavaScript starts making calls to some-internal-site/api/... and exfiltrating data.

replies(1): >>jakear+c4
2. jakear+c4 2023-06-01 04:33:41
>>minhaz+(OP)
The Chrome flag disables CORS entirely, which presents a major security risk as you point out. What I’m asking for is an option to let specific origins read from specific other origins. Extensions might be able to do this but they aren’t available in all contexts (iOS, for instance).
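
An added example, not part of either comment: the existing server-side way to let specific origins read an API's responses is a per-origin allowlist that echoes `Access-Control-Allow-Origin` only for listed origins. The origins and function names are constructed for illustration, and `browserAllowsRead` is a simplified model of the browser's check, not a browser API.

```javascript
// Constructed allowlist: the only origins permitted to read this API's responses.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// Server side: decide which CORS headers to attach for a given Origin header.
function corsHeaders(requestOrigin, { credentials = false } = {}) {
  // Vary: Origin keeps caches from serving one origin's answer to another.
  const headers = { Vary: "Origin" };
  if (typeof requestOrigin !== "string") return headers;

  let parsed;
  try {
    parsed = new URL(requestOrigin); // the literal "null" origin fails here
  } catch {
    return headers;
  }
  // Require an exact serialized origin: no path, no trailing slash, and no
  // prefix/suffix matching (which would let app.example.com.evil.test through).
  if (parsed.origin !== requestOrigin) return headers;
  if (!ALLOWED_ORIGINS.has(requestOrigin)) return headers;

  headers["Access-Control-Allow-Origin"] = requestOrigin;
  if (credentials) headers["Access-Control-Allow-Credentials"] = "true";
  return headers;
}

// Simplified model of the browser's decision to expose a cross-origin
// response body to the calling page's script.
function browserAllowsRead(pageOrigin, headers, withCredentials = false) {
  const acao = headers["Access-Control-Allow-Origin"];
  if (withCredentials) {
    // A wildcard is never accepted for credentialed requests.
    return acao === pageOrigin &&
      headers["Access-Control-Allow-Credentials"] === "true";
  }
  return acao === "*" || acao === pageOrigin;
}

// Constructed requests: an allowlisted page and an unrelated page.
for (const origin of ["https://app.example.com", "https://evil.example.net"]) {
  const h = corsHeaders(origin, { credentials: true });
  console.log(origin, "can read:", browserAllowsRead(origin, h, true));
}
```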