Comment by gray_-_wolf
3 hours ago
> Only the janitor's department calling in can dial that sequence
Is this the case though? Cannot any website use the same trick Adobe does to check whether you have Creative Cloud installed? Like, the entries in /etc/hosts are not magically scoped to work just on Adobe's web, no?
I think CORS can prevent that. You can't make a cross-origin request from an origin that isn't allowlisted.
Timing attack on the preflight.
You really think a server-controlled CORS list will protect you from a client-side configuration issue?