
Comment by pjc50

6 years ago

Am I right in thinking that CORS only applies to JavaScript-initiated requests? This trick uses an embedded image to make the request.

That's correct, and part of my point. If they used CORS headers correctly it could both be secure and not require a crazy image hack.

The image hack seems like a lot of work to go through to make an app LESS secure.

  • I'm a bit confused, so CORS doesn't apply when trying to load an image?

    If they set CORS to allow interaction from anywhere, why use an image and not load data with js?

    • CORS is set up to protect data from being given to a third party, e.g. JS requests obtaining and being able to observe data they shouldn't have access to. Since images are being loaded by the browser (second party), there is no such protection, since a third party should not be able to read them anyway (barring some other vulnerability). It's assumed the first party is correctly doing what it's supposed to; an example could be fetching an image from a CDN.

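The distinction the comments above draw (CORS gates what script can *read*, not whether an image request is sent) is easy to see in a small model. The following JavaScript is an added example written for this thread, not code from any commenter or from the app under discussion. It models the browser's CORS read check, the allow-list headers a server should emit so a plain `fetch()` works, and what script can observe for an `<img>` load versus a `fetch()`. All origins are constructed sample values.

```javascript
// Added example (not from the thread): a model of the browser-side CORS read
// check and of the server headers that make a cross-origin fetch() work,
// so no image-tag workaround is needed. Origins below are constructed samples.

// Decide whether script running on `requestOrigin` may read the body of a
// response carrying these (lower-cased) headers. This mirrors the Fetch
// spec's CORS check:
//   * Access-Control-Allow-Origin must be "*" or exactly the requesting origin
//   * for credentialed requests (cookies sent), "*" is rejected and
//     Access-Control-Allow-Credentials must be "true"
function corsAllowsRead(requestOrigin, responseHeaders, credentialed = false) {
  const acao = responseHeaders['access-control-allow-origin'];
  const acac = responseHeaders['access-control-allow-credentials'];
  if (acao === undefined) return false;
  if (acao === '*') return !credentialed;
  if (acao !== requestOrigin) return false;
  return credentialed ? acac === 'true' : true;
}

// Server side: reflect the Origin only when it is on an explicit allow-list,
// and always send Vary: Origin so a shared cache never serves one origin's
// answer to another. Returning no ACAO header is the "deny" outcome.
function buildCorsHeaders(requestOrigin, allowedOrigins, withCredentials = false) {
  const headers = { vary: 'Origin' };
  if (!allowedOrigins.includes(requestOrigin)) return headers;
  headers['access-control-allow-origin'] = requestOrigin;
  if (withCredentials) headers['access-control-allow-credentials'] = 'true';
  return headers;
}

// What script can observe for each way of loading a cross-origin URL.
// An <img> without the `crossorigin` attribute is fetched in "no-cors" mode:
// the request still goes out and the image renders, but script cannot read
// the bytes (a canvas it is drawn into becomes tainted). CORS headers do not
// gate that load at all; they only gate reading. A fetch(), or an <img> with
// `crossorigin`, is readable only when corsAllowsRead() passes.
function scriptCanReadResponse(mode, requestOrigin, responseHeaders, credentialed = false) {
  switch (mode) {
    case 'img':             // <img src=...>: rendered, never readable by script
      return false;
    case 'img-crossorigin': // <img crossorigin src=...>: readable only if CORS passes
    case 'fetch':           // fetch(url, { mode: 'cors' })
      return corsAllowsRead(requestOrigin, responseHeaders, credentialed);
    default:
      throw new Error(`unknown load mode: ${mode}`);
  }
}

// Demo with constructed origins: one allow-listed app origin and one that is not.
const API_ALLOWLIST = ['https://app.example'];
const allowedHeaders = buildCorsHeaders('https://app.example', API_ALLOWLIST, true);
const deniedHeaders = buildCorsHeaders('https://other.example', API_ALLOWLIST, true);

console.log(scriptCanReadResponse('fetch', 'https://app.example', allowedHeaders, true));  // true
console.log(scriptCanReadResponse('fetch', 'https://other.example', deniedHeaders, true)); // false
console.log(scriptCanReadResponse('img', 'https://other.example', deniedHeaders, true));   // false
```

The point for the defender is in the last two lines: a non-allow-listed origin gets no readable response either way, so the `<img>` route adds nothing except a request the server cannot distinguish from a legitimate one; emitting allow-list-based `Access-Control-Allow-Origin` headers (never a reflected arbitrary origin together with credentials) lets the first party use a normal `fetch()` while keeping third parties locked out.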