[0xfffafaCrash]

Fair. I don’t think MS would have a great case in court, assuming the court was technically competent enough to understand the situation upon hearing the case, which is not an easy thing to assume, but I also think many applications of the CFAA (including e.g. the one against Aaron Swartz) also make little more sense when you get to the nuts and bolts of what actually happened. You don’t have to be in the wrong to be bankrupted by the costs of litigation against you from a corporation like Microsoft — not in the US justice system in any case.

Maybe I’m just risk averse here. I assume most of big tech with more legal weight than they know what to do with have about a 50/50 chance of having someone upstairs greenlighting legal to throw a tantrum even if it’s not in anyone’s best interests.

Maybe if this firm demonstrated an exploit of CORS headers elsewhere open to *.microsoft.com or something, they’d be on worse footing legally.