Comment by fokinsean

6 years ago

Thanks for the info!

I still don't fully understand _why_ they had to do this hack if they own the localhost server. They could just set CORS to be '*' and relax their CSP. Then they would be able to get data with JS.

For example, this website can see any local server on your network with open CORS, since it appears they relaxed their CSP.

http://http.jameshfisher.com/2019/05/26/i-can-see-your-local...

My understanding (have not tested this) is that CORS "*" does not work in all browsers between `localhost` and other domains. This is also AFAIK an intentional security feature. Even so, CORS "*" would be even more explicitly bad behaviour. The whole point of CORS is to prevent XSS from random sites linking to your endpoints.
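The two localhost configurations argued about above, modelled as an added example that is not part of the thread and not code from either commenter: a server that answers every origin with `Access-Control-Allow-Origin: *` beside one that echoes only allow-listed origins, and a browser-side function that applies the Fetch spec's CORS check to decide whether a page on another origin can read the response. The origins, the port and the allow-list are invented; the `Access-Control-Request-Private-Network` / `Access-Control-Allow-Private-Network` header pair is assumed to follow Chromium's Private Network Access draft, which is the "localhost is special-cased" behaviour the last comment alludes to.

```javascript
// Added example, not from the thread. Models the CORS decision a browser makes
// for a cross-origin fetch against a hypothetical local service on :8080.
// Header names for Private Network Access are taken from the Chromium draft
// (assumption); everything else is standard CORS.
const LOCAL_ORIGIN = 'http://localhost:8080'; // hypothetical local service

// Policy 1, the "open CORS" setup from the comment: every origin may read.
function wildcardCorsHeaders(_reqHeaders) {
  return { 'Access-Control-Allow-Origin': '*' };
}

// Policy 2, an allow-list: only listed origins get an ACAO header, the header
// echoes exactly that origin, and Vary: Origin stops a shared cache from
// handing one origin's response to another.
function allowlistCorsHeaders(reqHeaders, allowlist) {
  const origin = reqHeaders['origin'];
  const headers = { 'Vary': 'Origin' };
  if (origin && allowlist.includes(origin)) {
    headers['Access-Control-Allow-Origin'] = origin;
    headers['Access-Control-Allow-Credentials'] = 'true';
    // Chromium asks a private-network target for explicit consent during
    // preflight (assumed header names); grant it only to listed origins.
    if (reqHeaders['access-control-request-private-network'] === 'true') {
      headers['Access-Control-Allow-Private-Network'] = 'true';
    }
  }
  return headers;
}

// Browser side: may script running on `origin` read the response body?
// ACAO must be '*' or exactly the requesting origin; when the request carries
// credentials '*' is rejected and Access-Control-Allow-Credentials must be true.
function browserExposesResponse(origin, resHeaders, withCredentials) {
  const acao = resHeaders['Access-Control-Allow-Origin'];
  if (acao === undefined) return false;
  if (acao === '*') return !withCredentials;
  if (acao !== origin) return false;
  if (withCredentials) return resHeaders['Access-Control-Allow-Credentials'] === 'true';
  return true;
}

// One cross-origin fetch from `origin` to the local service under `policy`.
function simulate(policy, origin, withCredentials) {
  const reqHeaders = { origin, host: new URL(LOCAL_ORIGIN).host };
  return browserExposesResponse(origin, policy(reqHeaders), withCredentials);
}

const ALLOWLIST = ['http://app.example']; // constructed allow-list
const wildcard = (h) => wildcardCorsHeaders(h);
const allowlist = (h) => allowlistCorsHeaders(h, ALLOWLIST);

// Does the private-network consent header leak to an unlisted origin?
function pnaGrantedTo(origin) {
  const res = allowlistCorsHeaders(
    { origin, 'access-control-request-private-network': 'true' }, ALLOWLIST);
  return res['Access-Control-Allow-Private-Network'] === 'true';
}

// Scenarios a practitioner would check.
const results = {
  wildcardEvilNoCreds: simulate(wildcard, 'http://evil.example', false), // true: any page reads the data
  wildcardEvilCreds: simulate(wildcard, 'http://evil.example', true),    // false: '*' + credentials is refused
  allowlistEvil: simulate(allowlist, 'http://evil.example', false),      // false
  allowlistTrusted: simulate(allowlist, 'http://app.example', true),     // true
  pnaEvil: pnaGrantedTo('http://evil.example'),                          // false
  pnaTrusted: pnaGrantedTo('http://app.example'),                        // true
};
console.log(results);
```

Two caveats the model makes visible: the wildcard only fails when the attacker page sends credentials, and a local service that has no auth at all does not need them, so `*` hands its data to any site; and CORS only gates whether script can read the response, the request itself is still delivered, so a state-changing GET or simple POST on the local service fires regardless of which policy is in place.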