by tlb
2540 days ago
Cross-origin is based on the domain name. It offers no protection against an attacker poking your local IP addresses. You can have multiple IPs for a domain name, so if I set "hack.tlb.org" to include both a server I control and 192.168.1.1, I can repeatedly do fetches from "hack.tlb.org" until one of them gets your router instead of my server. And they're in the "same origin" for CORS purposes.
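The two defensive checks that break the scenario tlb describes, as an added example and not code from the thread: a resolver-side filter that drops private, loopback and link-local addresses from a public name's answer (the kind of check dnsmasq's `--stop-dns-rebind` option performs), and the Host-header check a router's admin interface can apply so a request that arrives under the attacker's hostname is refused even when the name resolved to the router's address. The hostnames and addresses are constructed for the example.

```python
import ipaddress
from typing import Iterable

# Constructed sample answers (not real records): a public name whose A records
# mix an attacker-controlled public address with the router's private address.
SAMPLE_ANSWERS = {
    "hack.example.invalid": ["11.22.33.44", "192.168.1.1"],
    "www.example.invalid": ["11.22.33.45"],
}


def rebinding_addresses(addresses: Iterable[str]) -> list[str]:
    """Return the addresses in a DNS answer that point inside the local network.

    A name served from the public Internet has no business resolving to
    private, loopback, link-local or unspecified space; a resolver can drop
    such records before the browser ever sees them.
    """
    flagged = []
    for text in addresses:
        ip = ipaddress.ip_address(text)
        if ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_unspecified:
            flagged.append(text)
    return flagged


def host_header_allowed(host_header: str, allowed_hosts: set[str]) -> bool:
    """Service-side check: serve a request only if its Host header names us.

    After a rebinding the browser still sends the attacker's hostname in Host,
    so a router that only answers to its own address or hostname never serves
    the attacker's origin, whatever address the name resolved to.
    """
    host = host_header.strip().lower()
    # Strip an explicit port; bracketed IPv6 literals keep their brackets.
    if host.startswith("["):
        host = host.split("]", 1)[0] + "]"
    elif host.count(":") == 1:
        host = host.rsplit(":", 1)[0]
    return host in allowed_hosts
```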