by zahlman
138 days ago

I imagine that it would require browsers to treat web requests from JS differently from those initiated by the user, specifically pretending the JS-originating requests are by logged-out or "incognito" users (by, I suppose, simply not forwarding any local credentials along, but maybe there's more to it than that). Which would probably wreak havoc with a lot of web apps, at least requiring some kind of same-origin policy. And maybe it messes with OAuth or something. But it does seem at least feasible.

Browsers already have strong protections against that sort of thing; look up the same-origin policy and CORS.
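
The credential and readability rules the reply points to, as an added example that is not part of either comment: a simplified JavaScript model of how the Fetch credentials mode and the CORS response headers decide whether a script-initiated request carries cookies and whether the script may read the response. The origins and the `evaluateFetch` helper are constructed for illustration; preflight, redirects and SameSite cookie rules are left out.

```javascript
// Added example: simplified model of Fetch credentials mode + CORS checks.
// Constructed helper; header names are assumed to be lowercased already.
function evaluateFetch({ pageOrigin, url, credentials = "same-origin", responseHeaders = {} }) {
  const origin = new URL(pageOrigin).origin;
  const isSameOrigin = new URL(url).origin === origin;

  // Credentials mode decides whether cookies / HTTP auth go out at all.
  const cookiesSent =
    credentials === "include" || (credentials === "same-origin" && isSameOrigin);

  const result = (readable, reason) => ({ cookiesSent, readable, reason });
  if (isSameOrigin) return result(true, "same origin");

  // Cross-origin: the request may still be sent, but the script can only
  // read the response if the server opts in through CORS headers.
  const allowOrigin = responseHeaders["access-control-allow-origin"];
  const allowCreds = responseHeaders["access-control-allow-credentials"] === "true";

  if (!allowOrigin) return result(false, "no Access-Control-Allow-Origin");
  if (cookiesSent) {
    // Credentialed responses need an exact origin match plus an explicit opt-in.
    if (allowOrigin === "*") return result(false, "wildcard rejected with credentials");
    if (allowOrigin !== origin) return result(false, "origin mismatch");
    if (!allowCreds) return result(false, "Access-Control-Allow-Credentials not true");
    return result(true, "credentialed CORS allowed");
  }
  if (allowOrigin === "*" || allowOrigin === origin) return result(true, "anonymous CORS allowed");
  return result(false, "origin mismatch");
}

// Constructed scenario: a script on app.example requesting bank.example.
const base = { pageOrigin: "https://app.example", url: "https://bank.example/account" };
const scenarios = [
  { name: "default mode, no CORS headers", responseHeaders: {} },
  { name: "include + wildcard", credentials: "include",
    responseHeaders: { "access-control-allow-origin": "*" } },
  { name: "include + exact origin + allow-credentials", credentials: "include",
    responseHeaders: { "access-control-allow-origin": "https://app.example",
                       "access-control-allow-credentials": "true" } },
  { name: "omit + wildcard", credentials: "omit",
    responseHeaders: { "access-control-allow-origin": "*" } },
];
for (const { name, ...opts } of scenarios) {
  console.log(name, evaluateFetch({ ...base, ...opts }));
}
```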