by dagobah 3145 days ago
Yeah, but doing it that way requires the same-origin policy not to be weakened, like from CORS being misconfigured. http://blog.portswigger.net/2016/10/exploiting-cors-misconfi... talks about exploits from this.

But what I am wondering is if using "Access-Control-Allow-Origin: evil-site.example.com or *" can be used to exploit the cookie-to-header technique with a token for every request (GETs included), no form GETs (so the token doesn't appear in the URL query), HTTPS, and no browser bugs or XSS vulnerabilities. The wiki articles suggest it could be exploited, but I'm thinking they're just worded conservatively.
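
For reference, the header combinations raised in the comment above can be run through a small model of the CORS check that browsers apply before cross-origin script may read a response. This is an added example, not part of the original comment; the function name, origins and header sets are constructed for illustration.

```javascript
// Models the Fetch-standard "CORS check": may script running on
// `requestOrigin` read this response? Added example with constructed values.
function corsReadable(requestOrigin, withCredentials, headers) {
  // Header names are case-insensitive; normalise them once.
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = String(value).trim();
  }
  const allowOrigin = h["access-control-allow-origin"];
  if (allowOrigin === undefined) return false; // no opt-in: same-origin policy applies

  // The wildcard only counts for requests sent without cookies.
  if (allowOrigin === "*") return !withCredentials;

  // Otherwise the value must equal the serialized origin exactly
  // (scheme://host[:port]); a bare host name never matches.
  if (allowOrigin !== requestOrigin) return false;

  if (!withCredentials) return true;
  // A credentialed read also needs Access-Control-Allow-Credentials: true.
  return h["access-control-allow-credentials"] === "true";
}

// Constructed sample: a page on another origin asking for a response
// that the server only produces for a logged-in (cookie-bearing) user.
const OTHER_ORIGIN = "https://evil-site.example.com";
const SAMPLE_POLICIES = [
  ["wildcard", { "Access-Control-Allow-Origin": "*" }],
  ["wildcard + credentials", { "Access-Control-Allow-Origin": "*",
                               "Access-Control-Allow-Credentials": "true" }],
  ["bare host name", { "Access-Control-Allow-Origin": "evil-site.example.com",
                       "Access-Control-Allow-Credentials": "true" }],
  ["explicit origin", { "Access-Control-Allow-Origin": OTHER_ORIGIN }],
  ["explicit origin + credentials", { "Access-Control-Allow-Origin": OTHER_ORIGIN,
                                      "Access-Control-Allow-Credentials": "true" }],
];

// Returns the policy names under which a cookie-bearing response is readable.
function credentialedReadablePolicies() {
  return SAMPLE_POLICIES
    .filter(([, headers]) => corsReadable(OTHER_ORIGIN, true, headers))
    .map(([name]) => name);
}

console.log(credentialedReadablePolicies());
```

In this model only the explicit origin combined with `Access-Control-Allow-Credentials: true` lets the other origin read a response fetched with the user's cookies; the wildcard is refused for credentialed requests, and a value without a scheme matches no origin.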