Comment by ubermonkey
6 years ago
Yeah, I was focussing on the webcam thing. That piece, taken individually, isn't a big deal.
But the web server / CORS bypass is completely fucked up, nefarious, and unforgivable.
Accordingly, I edited my post.
Could you further explain the CORS bypass? Why do they have to do the image hack if they open up CORS on the local server? At that point couldn't they retrieve data via JS instead?
CORS isn't supported to localhost, aka you can't do that; hence the image-size hack
CORS is indeed supported and also required on localhost if you're using two different ports (e.g. an API server and a hot-reloading dev server for a UI).
It appears CORS _is_ supported to localhost according to this website.
If you have an open local server running this will detect it.
http://http.jameshfisher.com/2019/05/26/i-can-see-your-local...
But the image is being served from localhost, no? Do image requests not abide by CORS?