Comment by amichal
6 years ago
They do not. The reason for that is that at the time CORS was designed lots of sites loaded images from other sites and because images where considered static content that didn't change the server this was at worst a information leak. What Zoom has done here is abuse a HTTP GET via a <img> tag (which is not supposed to change anything) as a way to trigger a privileged local process to INSTALL software (among other things). This is a classic XSS and is number 7 on the OWASP TOP 10 vulnerability list (2017 version). For Zoom to contract as BAA with HIPAA regulated clients and various other bodies they had agree that they would NOT do this and that they had security teams and audit processes in place to prevent this sort of thing. Nearly ALL of our client contracts require we be aware of and mitigate AT LEAST the OWASP TOP 10.
Thanks for the info!
I still don't fully understand _why_ they had to do this hack if they own the localhost server. They could just set CORS to be '*' and lax their CSP. Then they would be able to get data with JS.
For example this website can see any localserver on your network with open CORS since it appears they laxed their CSP.
http://http.jameshfisher.com/2019/05/26/i-can-see-your-local...
my understanding (have not tested this) is that CORS "" does not work in all browsers between `localhost` and other domains. This is also AFAIK an intentional security feature. Even so CORS "" would be even more explictly bad behaviour. The whole point of CORS is to prevent XSS from random sites linking to your end points.