
I've tried to understand basic HTTP statements, because they are not working as I expected.

E.g. I've set Access-Control-Allow-Origin to http://www.example.com, and I tried to send POST requests from http://www.example2.com, and it failed with an error, as I expected.

It says "...request has been blocked by CORS policy". But I was wondering, when I looked, that the request was actually made to http://www.example.com and the POST action was called.

Question then, why do we need that protection?

begin29
  • For a couple of good explanations, see http://stackoverflow.com/questions/9222822/why-do-browser-apis-restrict-cross-domain-requests/9223680#9223680 and http://stackoverflow.com/questions/9228150/why-are-cross-domain-ajax-requests-labelled-as-a-security-risk/9228196#9228196 – sideshowbarker Feb 04 '17 at 17:32
  • Thanks for the links. But the thing is that I still can send all kinds of requests, I just can't handle the response. – begin29 Feb 05 '17 at 13:18

1 Answer


When a web page is loaded into a browser, its HTML, CSS and JavaScript are loaded and its session is being used. Some of the many potential problems:

  1. The remote page inside the iframe might be a page where you are logged in (like your personal email account's web-page) and a spider could silently steal important data (like the content of your emails, including access to confidential areas, like bank account-related data, personal, private data, etc.)

  2. Confidential CSS/JavaScript could be stolen from trusted users. Example: you create some very good code in JavaScript and CSS and only paying users can benefit from it. However, someone sends you a link which points to a page which loads your site silently as an iframe and extracts the CSS and JavaScript goodies from there. Then the thief will sell your product at a discount, and you can work on new products and on a better security policy.

  3. Your accounts could be hacked. A page where you have an active session could be loaded inside an iframe, and then a spider could wreak havoc there, including, but by far not limited to, changing your username/password and locking you out of your own account.

  4. Malicious things could be done against others in your name.

Lajos Arpad
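The behaviour the asker observed (the POST reached the server and ran, yet the page got a CORS error) is exactly what the same-origin policy guarantees: for a "simple" cross-origin request, the browser sends it and only withholds the response. The following is an added example, not code from the question or answer, that models both sides in plain Node.js: a tiny server with a constructed origin allowlist (http://www.example.com is the only allowed origin, as in the question), a browser-side model of the CORS response check, and a server-side Origin check that stops the state-changing action before it runs. The request/response objects, `makeServer`, `browserFetch` and `demo` are all illustrative constructs, not browser or framework APIs.

```javascript
// Added example (not part of the original Q&A). Origins and the "action" are constructed.
// Models: (1) the browser CORS check, which gates only READING the response, and
// (2) a server-side Origin allowlist, which gates whether the action executes at all.

const ALLOWED_ORIGINS = new Set(["http://www.example.com"]); // constructed allowlist

// Minimal server model. A request is { method, headers: { origin } }.
// `log` records every time the state-changing action actually runs.
function makeServer({ enforceOriginServerSide }) {
  const log = [];
  function handle(req) {
    const origin = req.headers.origin;
    // Server-side enforcement: reject non-GET requests from unknown origins
    // BEFORE the action executes. This is what ACAO alone never does.
    if (enforceOriginServerSide && req.method !== "GET" && !ALLOWED_ORIGINS.has(origin)) {
      return { status: 403, headers: {}, body: "forbidden origin" };
    }
    // The action runs here, whatever the browser later decides about the response.
    log.push(`${req.method} action executed for origin=${origin}`);
    const headers = {};
    if (ALLOWED_ORIGINS.has(origin)) headers["access-control-allow-origin"] = origin;
    return { status: 200, headers, body: "done" };
  }
  return { handle, log };
}

// Browser-side model of the CORS check for a simple (non-preflighted) request:
// the request is always sent; the page may read the response only if
// Access-Control-Allow-Origin equals the page's origin or is "*".
function browserFetch(pageOrigin, server, method = "POST") {
  const res = server.handle({ method, headers: { origin: pageOrigin } });
  const acao = res.headers["access-control-allow-origin"];
  const readable = acao === "*" || acao === pageOrigin;
  return {
    sent: true,                              // the server saw the request regardless
    blockedByCors: !readable,                // what the devtools error reports
    status: readable ? res.status : null,    // opaque to the page when blocked
    body: readable ? res.body : null,
  };
}

// Runs the three scenarios from the question and returns what each side observed.
function demo() {
  const lax = makeServer({ enforceOriginServerSide: false });
  const strict = makeServer({ enforceOriginServerSide: true });

  // Cross-origin POST from www.example2.com against a server relying on ACAO only:
  // blocked in the browser, but the action already ran on the server.
  const crossLax = browserFetch("http://www.example2.com", lax);
  const laxActionsRun = lax.log.length;

  // Same cross-origin POST against a server that checks Origin itself:
  // blocked in the browser AND the action never ran.
  const crossStrict = browserFetch("http://www.example2.com", strict);
  const strictActionsRunAfterCross = strict.log.length;

  // Allowed origin: the action runs and the page can read the response.
  const same = browserFetch("http://www.example.com", strict);

  return { crossLax, laxActionsRun, crossStrict, strictActionsRunAfterCross, same, strictLog: strict.log };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}

module.exports = { ALLOWED_ORIGINS, makeServer, browserFetch, demo };
```

The model covers "simple" requests (for example a form-encoded POST with no custom headers). A request that triggers a preflight OPTIONS is not sent at all unless the preflight succeeds, so the asker's observation applies only to the simple case. The practical takeaway for the server owner is the `enforceOriginServerSide` branch: because CORS only hides responses, a state-changing endpoint needs its own protection (an Origin check as modelled here, or a CSRF token) rather than relying on Access-Control-Allow-Origin.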