by Mavvie
1592 days ago
This doesn't actually prevent arbitrary websites from calling them; it just makes it a tiny bit hard. They could always just proxy your endpoint and add the CORS headers. I'm still interested in the original question: if you use localStorage for auth tokens and you have proper CSRF protection, what does allowing all CORS actually make you vulnerable to?