by webdever
474 days ago
Subdomains are not always the same origin. See "public suffix list". For an example, think of abc.github.io vs def.github.io. I didn't get the part at the end about trusting browsers. As a website owner you can't rely on browsers, as hackers don't have to use a browser to send requests and read responses.
The whole thing boils down to this:
- the browser has two tabs: one with an authenticated session to web banking, another with your bad app
- you, as the bad app, can ask the browser to make an HTTP request to the bank API, and the browser will not just happily do it, but also attach the cookie from the authenticated session the user has open in the other tab. That's CSRF, and it's not even a bug
- you, however, can't as the bad app read the response unless the bank API tells the browser you are allowed to, which is what CORS is for. Maybe you have an integration with them or something
The browser is holding both contexts and is there to enforce what data can cross the domain boundary. No browser, no problem.
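An added example, not code from either comment above, that models the decisions the two comments describe: the public-suffix point (abc.github.io vs def.github.io are different sites), whether the browser attaches a session cookie to a cross-site request (the CSRF half), whether the cross-site page may read the reply (the CORS half), and the server-side check that does not depend on a browser being in the loop. The hosts bank.example, evil.example and partner.example, the tiny public-suffix subset, and the assumption that a cookie with no SameSite attribute defaults to Lax are all constructed for illustration.

```javascript
// Added example, not code from the thread. Hosts (bank.example, evil.example,
// partner.example) and the public-suffix subset are constructed for illustration.

// Constructed subset of the Public Suffix List; the real list is much longer.
const PUBLIC_SUFFIXES = new Set(['com', 'io', 'example', 'github.io', 'co.uk']);

// Registrable domain = longest matching public suffix plus one more label.
// SameSite cookie rules compare this, so abc.github.io and def.github.io
// are different sites even though they share the github.io suffix.
function registrableDomain(host) {
  const labels = host.toLowerCase().split('.');
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join('.'))) {
      return i === 0 ? null : labels.slice(i - 1).join('.');
    }
  }
  return null; // no known public suffix: treat as having no registrable domain
}

function sameSite(hostA, hostB) {
  const a = registrableDomain(hostA);
  return a !== null && a === registrableDomain(hostB);
}

// Will the browser attach `cookie` to a request that page `fromHost` makes to
// `toHost`? Models the SameSite attribute only; scheme and path are ignored.
// Assumption: a cookie with no SameSite attribute is treated as Lax, which is
// what current Chromium-based browsers do by default.
function cookieAttached(cookie, { fromHost, toHost, topLevelNavigation = false, method = 'GET' }) {
  if (sameSite(fromHost, toHost)) return true;
  switch (cookie.sameSite || 'Lax') {
    case 'None': return cookie.secure === true; // None is only honoured together with Secure
    case 'Lax':  return topLevelNavigation && ['GET', 'HEAD', 'OPTIONS', 'TRACE'].includes(method.toUpperCase());
    default:     return false; // Strict
  }
}

// Can script on `pageOrigin` read a response fetched from `targetOrigin`?
// Same-origin is always readable; cross-origin only if the server opted in via CORS.
function responseReadable({ pageOrigin, targetOrigin, withCredentials, responseHeaders }) {
  if (pageOrigin === targetOrigin) return true;
  const acao = responseHeaders['access-control-allow-origin'];
  const acac = responseHeaders['access-control-allow-credentials'];
  if (acao === undefined) return false;
  if (withCredentials) {
    // Cookies were attached: the wildcard is rejected; an exact origin echo plus
    // Access-Control-Allow-Credentials: true is required.
    return acao === pageOrigin && acac === 'true';
  }
  return acao === '*' || acao === pageOrigin;
}

// Server-side check for a state-changing request. CORS only stops the attacker
// from reading the response; the request itself still ran, so the server has
// to refuse it up front. Non-browser clients send whatever headers they like,
// which is why a per-session token is required and Origin alone is not trusted.
function serverAcceptsStateChange(headers, { allowedOrigins, sessionCsrfToken }) {
  const fetchSite = headers['sec-fetch-site'];
  if (fetchSite !== undefined && !['same-origin', 'same-site', 'none'].includes(fetchSite)) return false;
  const origin = headers['origin'];
  if (origin !== undefined && !allowedOrigins.includes(origin)) return false;
  const token = headers['x-csrf-token'];
  return token !== undefined && token === sessionCsrfToken;
}

// The two-tab scenario: a page on evil.example POSTs to bank.example while the
// user holds a bank session cookie. Returns whether the cookie rode along (the
// CSRF part) and whether evil.example could read the reply (the CORS part).
function twoTabScenario(sessionCookie) {
  const bank = 'bank.example', evil = 'evil.example';
  const cookieSent = cookieAttached(sessionCookie, { fromHost: evil, toHost: bank, method: 'POST' });
  const canRead = responseReadable({
    pageOrigin: 'https://' + evil,
    targetOrigin: 'https://' + bank,
    withCredentials: true,
    // The bank only opted in its real integration partner, not evil.example.
    responseHeaders: {
      'access-control-allow-origin': 'https://partner.example',
      'access-control-allow-credentials': 'true',
    },
  });
  return { cookieSent, canRead };
}

console.log(twoTabScenario({ sameSite: 'None', secure: true })); // { cookieSent: true, canRead: false }
console.log(twoTabScenario({ sameSite: 'Lax' }));                // { cookieSent: false, canRead: false }
```

The first call is the situation in the comment: the cookie is attached, the transfer request runs, and only the read of the reply is blocked. The second shows why a Lax cookie blunts the cross-site POST. Neither browser rule helps against a client that is not a browser, which is what the `serverAcceptsStateChange` check is for.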