I read https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS and I wonder what or who that should protect. If you start Chrome, for example, in a mode without security restrictions, it calls all the APIs on the other domain without preflight or anything whatsoever. This means a naughty guy can get around this very easily. I don't see how this should protect the owner of a server application; the owner of such an application can have authentication to protect its site. So what is the scenario, and who gets protected?

AndyAndroid

  • Does this answer your question? [same-origin policy and CORS - what's the point?](https://stackoverflow.com/questions/29167428/same-origin-policy-and-cors-whats-the-point) – Josh Correia May 26 '21 at 23:51

1 Answer

If a script on example.com sends a request to somebank.com and the user is logged in to somebank.com, it can retrieve the financial information of the user. Since the script is under the control of example.com, it can then transmit that information back to its owner.

This of course begs the question why forbid the request altogether instead of making a request without session IDs/cookies. This can be done server-side anyway.

qwazix
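To make the scenario in the answer concrete, here is an added example (not code from the question, the answer or MDN) modelling both halves of the CORS check for a cookie-bearing request from a page on example.com to somebank.com: the server decides which origins may read its responses, and the browser, acting on behalf of the logged-in user, withholds the response body from the calling script unless that decision allows it. The function names, the allowlist and the balance value are all constructed for the example.

```javascript
// Constructed allowlist: the only origin somebank.com trusts to read its API.
const ALLOWED_ORIGINS = new Set(['https://app.somebank.com']);

// Server side (somebank.com): CORS response headers for a given request Origin.
// A credentialed response must name the exact origin; "*" is never combined
// with Access-Control-Allow-Credentials, and Vary: Origin stops a shared cache
// from replaying one origin's answer to another.
function somebankCorsHeaders(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    return {}; // no CORS headers at all: the browser will hide the body
  }
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Browser side: may a script running at scriptOrigin read a response carrying
// these headers? For a credentialed request the browser requires ACAO to equal
// the script's origin (a wildcard is rejected) and ACAC to be exactly "true".
function browserMayExposeResponse(scriptOrigin, headers, credentialed) {
  const acao = headers['Access-Control-Allow-Origin'];
  if (acao === undefined) return false;
  if (!credentialed) return acao === '*' || acao === scriptOrigin;
  if (acao !== scriptOrigin) return false;
  return headers['Access-Control-Allow-Credentials'] === 'true';
}

// Simulated fetch with cookies from a page at scriptOrigin to somebank.com.
// Note that the server still computes the response; the browser is what stops
// the script from reading it, which is why the browser must be trusted by the
// user (the person being protected), not by the server.
function crossOriginFetch(scriptOrigin) {
  const headers = somebankCorsHeaders(scriptOrigin);
  const body = 'balance: 1234.56'; // constructed response body
  return browserMayExposeResponse(scriptOrigin, headers, true) ? body : null;
}

console.log(crossOriginFetch('https://example.com'));       // null: script sees nothing
console.log(crossOriginFetch('https://app.somebank.com'));  // "balance: 1234.56"
```

A user who disables these checks in their own browser only exposes their own sessions, which is why the question's "no security restrictions" mode defeats the mechanism without making it pointless.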