Hacker News
by G_o_D 372 days ago
CORS doesn't stop a POST request, nor a fetch with 'no-cors' supplied in JavaScript; it's that you can't read the response, which doesn't mean the request is not sent by the browser.

Then again, a local app can run a server with a proxy that adds CORS headers to the proxied request, and you can access any site via the JS fetch/XMLHttpRequest interface; even an extension is able to modify headers to bypass CORS.

CORS bypassing is just a matter of editing headers; what's really hard or impossible to bypass is CSP rules.

Now the Facebook app itself is running such a CORS server proxy; even without it, a normal HTTP or WebSocket server is enough to send metrics.

Chrome already has a flag to prevent localhost access; still, as said, WebSocket can be used.

Completely banning localhost is detrimental.

Many users are using self-hosted bookmarking, note app, pass manager-like solutions that rely on a local server.
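
The comment's point that CORS only blocks reading the response, not sending the request, means a localhost service has to refuse unwanted requests itself. An added example, not part of the comment above: a server-side Origin check run over constructed requests; the allow-list, `checkOrigin` and the sample values are assumptions.

```javascript
// Added example (not from the comment). Allow-list values are assumptions.
const ALLOWED_ORIGINS = new Set(['http://localhost:8080', 'http://127.0.0.1:8080']);

// Decide whether a localhost service should act on a request.
// `headers` uses lower-cased names, as Node's http module provides them.
function checkOrigin(headers, allowed = ALLOWED_ORIGINS) {
  const origin = headers['origin'];
  // Browsers attach Origin to CORS-mode fetch/XHR, to POSTs (including
  // 'no-cors' ones) and to WebSocket handshakes; page script cannot forge it.
  if (origin !== undefined) {
    return allowed.has(origin)
      ? { allow: true, reason: 'origin allow-listed' }
      : { allow: false, reason: 'origin not allow-listed' };
  }
  // A 'no-cors' GET or <img> load carries no Origin, but current browsers
  // still label it with Sec-Fetch-Site, which script cannot set either.
  if (headers['sec-fetch-site'] === 'cross-site') {
    return { allow: false, reason: 'cross-site fetch metadata' };
  }
  // Assumption: no Origin and no cross-site marker means a non-browser
  // local client (CLI, native app), which this policy accepts.
  return { allow: true, reason: 'no browser origin' };
}

// Constructed sample requests; example.com stands in for an arbitrary page.
const SAMPLES = [
  { name: 'no-cors POST from a web page', headers: { origin: 'https://example.com' } },
  { name: 'WebSocket handshake from a web page',
    headers: { upgrade: 'websocket', origin: 'https://example.com' } },
  { name: 'no-cors GET from a web page', headers: { 'sec-fetch-site': 'cross-site' } },
  { name: 'POST from the service\'s own UI', headers: { origin: 'http://localhost:8080' } },
  { name: 'local CLI client', headers: { 'user-agent': 'curl/8.0' } },
];

function evaluateSamples() {
  return SAMPLES.map((s) => ({ name: s.name, ...checkOrigin(s.headers) }));
}

for (const r of evaluateSamples()) {
  console.log(`${r.allow ? 'ALLOW' : 'DENY '}  ${r.name} (${r.reason})`);
}
```

Run the check at the top of both the HTTP request handler and the WebSocket upgrade handler, before any state-changing work.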