Comment by jacobgkau
4 hours ago
To be fair, your analogy has one flaw:
> 3. After the change, any external caller can dial a certain sequence to get a message of "Yes, this office was serviced by Adobe Janitorial!"
Theoretically, it's not "any external caller." Only the janitor's department calling in can dial that sequence and get "Yes, you serviced this office!" If anyone else tries to dial the extension, the desk-phone pretends it doesn't know what it means. (Because it seems Adobe's server serving the analytics image checks the request origin and only serves the image if the origin is Adobe's own website.)
The origin "security" doesn't excuse the complexity and the potential for both exploits and human-error breakage in the future.
> Only the janitor's department calling in can dial that sequence
Is this the case though? Cannot any website use the same trick Adobe does to check whether you have Creative Cloud installed? Like, the entries in /etc/hosts are not magically scoped to work just on Adobe's web, no?
I think CORS can prevent that. You can't make a cross-origin request from an origin that isn't allowlisted.
Timing attack on the preflight.
You really think a server-controlled CORS list will protect you from a client-side configuration issue?