by veeberz 1113 days ago
There's a type of side-channel attack you can do to get around CORS but still leak limited information.

Suppose you want to detect whether one of N pre-chosen users of FakeMail (a service I made up) has visited a malicious page you control. Let's also say that in FakeMail:

1. you can see a hi-res version of your profile pic only if you're authenticated

2. only you can see your own hi-res profile pic

3. the path to this private pic is unique to each user, e.g. `/users/{user_id}/private_pic`

The trick then is to embed an `<img>` tag with a `src` to this private, hi-res profile pic for each of the N pre-chosen targets in your malicious page. Then, in `onerror` and `onload` event handlers of `img`, you can implement logic to handle "user X is not here" and "user X is here" respectively.

Of course, this attack could be thwarted by SameSite cookies or browsers with protection against cross-site use of cookies. And it's rather hard to find FakeMail's exact three conditions needed to pull off such an attack. AND, just to add one more, your targets have to be authenticated to FakeMail. It might seem like an attack that's not viable, but this has happened before, and iirc it was called XS-Leaks for a while when I first heard of it.
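Added example (not part of the comment above): a server-side guard for a FakeMail-style `/users/{user_id}/private_pic` endpoint that closes the onload/onerror oracle by combining a `SameSite` session cookie with the browser-sent Fetch Metadata header `Sec-Fetch-Site`. `FakeMail`, the session table, and the function names are assumptions for the demo; the defensive property shown is that every cross-site request gets the same response regardless of who the visitor is.

```javascript
// Constructed session table for the demo: cookie token -> user id.
const SESSIONS = { "sess-alice": "alice", "sess-bob": "bob" };

// Cookie issued at login. SameSite=Lax makes the browser omit it on
// cross-site subresource loads such as an attacker page's <img src=...>.
function sessionCookie(token) {
  return `fm_session=${token}; HttpOnly; Secure; SameSite=Lax; Path=/`;
}

// Resolve the fm_session cookie to a user id, or null.
function parseSession(cookieHeader) {
  const m = /(?:^|;\s*)fm_session=([^;]+)/.exec(cookieHeader || "");
  return m ? SESSIONS[m[1]] || null : null;
}

// Decide the HTTP status for GET /users/{userId}/private_pic.
// req = { headers: { ...lowercased header names... }, path: string }.
// XS-Leak defence: cross-site requests are refused BEFORE the cookie is
// consulted, so "target is logged in" and "target is not logged in" both
// produce 403 and fire onerror identically on the attacker's page.
function guardPrivatePic(req) {
  const site = req.headers["sec-fetch-site"];
  // Modern browsers send Sec-Fetch-Site; only allow same-origin requests
  // and direct user navigation ("none"). Legacy browsers omit the header
  // and fall through to the cookie check, where SameSite does the work.
  if (site && site !== "same-origin" && site !== "none") return 403;

  const user = parseSession(req.headers.cookie);
  const target = /^\/users\/([^/]+)\/private_pic$/.exec(req.path);
  // Condition 2 from the comment: only the owner may see the hi-res pic.
  if (!user || !target || target[1] !== user) return 403;
  return 200;
}

// Helper for checking the oracle is closed: run the same cross-site
// <img> request as several different visitors and collect the statuses.
function crossSiteOutcomes(userId, cookieHeaders) {
  return cookieHeaders.map((cookie) =>
    guardPrivatePic({
      headers: { "sec-fetch-site": "cross-site", "sec-fetch-dest": "image", cookie },
      path: `/users/${userId}/private_pic`,
    })
  );
}
```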