by tomvangoethem
3708 days ago
The attack on Facebook (or any other website for that matter) works regardless of any Access-Control-Allow-Origin headers. The Fetch API has a mode "no-cors", which does not require CORS. Also: the cache being used is a programmable cache, which is distinct from the regular cache in the sense that any website can place any resource in it, regardless of the headers sent along with the response. (I'm one of the researchers mentioned in the presentation.)
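The two mechanisms the comment above relies on, as an added browser example that is not part of the comment or of the researchers' own code: a cross-origin fetch in mode "no-cors" succeeds without any Access-Control-Allow-Origin header (the page just gets an opaque response), and the Cache API lets any origin store that opaque response in a cache it names itself, whatever caching or CORS headers the server sent. `TARGET`, the cache name `probe` and the helper names are assumptions made for the example.

```javascript
// Added example, not from the original comment. Browser code: fetch() with
// mode "no-cors" plus the Cache API (window.caches). The Cache API needs a
// secure context (https:// or localhost). TARGET is an assumed illustrative
// URL chosen because the comment talks about Facebook; any cross-origin
// page works the same way.
const TARGET = 'https://www.facebook.com/';

// Build the request the way the comment describes. With mode "no-cors" the
// browser sends the request and returns an *opaque* response even when the
// server sends no Access-Control-Allow-Origin header at all; no CORS
// preflight happens and no CORS error is raised.
function buildNoCorsRequest(url) {
  return new Request(url, { mode: 'no-cors' });
}

// Summarise what the page can see of a response. An opaque response has
// type "opaque", status 0 and an empty header list, and its body cannot be
// read, so the content itself stays hidden from the page. What the page can
// still observe is that a response exists and can be stored.
function describeResponse(resp) {
  return {
    type: resp.type,
    status: resp.status,
    headerCount: [...resp.headers.keys()].length,
  };
}

// Store the response in a cache the page controls. cache.put() does not
// consult Cache-Control or CORS headers (the only header that makes it throw
// is "Vary: *"), and every origin can open its own named caches and put
// arbitrary request/response pairs into them. This is the "programmable
// cache" the comment contrasts with the browser's ordinary HTTP cache,
// which only stores what response headers allow.
async function fetchAndStore(cacheName, url) {
  const req = buildNoCorsRequest(url);
  const resp = await fetch(req);
  const cache = await caches.open(cacheName);
  // clone() so the original response is neither disturbed nor locked
  await cache.put(req, resp.clone());
  const stored = await cache.match(req);
  return { fetched: describeResponse(resp), stored: stored !== undefined };
}

// Usage from the console of any https page:
//   fetchAndStore('probe', TARGET).then(console.log)
```

In a browser, `fetched` comes back with type `"opaque"`, status `0` and `headerCount` `0`, and `stored` is `true`: the page learned nothing about the body or headers of the cross-origin response, yet it was able to put that response into its own cache. `buildNoCorsRequest` and `describeResponse` are plain functions over the standard `Request`/`Response` objects and can be exercised outside a browser as well.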