by gray_-_wolf 66 days ago
> Only the janitor's department calling in can dial that sequence

Is this the case though? Cannot any website use the same trick Adobe does to check whether you have Creative Cloud installed? Like, the entries in /etc/hosts are not magically scoped to work just on Adobe's web, no?

2 comments

> Cannot any website use the same trick Adobe does to check whether you have Creative Cloud installed?

That is specifically what I was talking about.

> (Because it seems Adobe's server serving the analytics image checks the request origin and only serves the image if the origin is Adobe's own website.)

It's additional complexity on the server side, per a Reddit comment on the topic: https://old.reddit.com/r/webdev/comments/1sb6hzk/adobe_wrote... The example curl commands given seemed convincing to me, although they also demonstrate that you can fake the origin pretty easily on the client side.

I think CORS can prevent that. You can't make a cross-origin request from an origin that isn't allowlisted.

Timing attack on the preflight.

The DNS lookup will take an indeterminate amount of time and the CORS failure is cached. You can't really effectively do a timing attack, especially if the client and the real server take a random time to respond. You get exactly one sample.

detect-ccd.creativecloud.adobe.com returns NXDOMAIN. Why can't you request a different resource to get more than one attempt?

You really think a server-controlled CORS list will protect you from a client-side configuration issue?

It's not a client-side configuration issue. You're not protecting against software the user has installed, you're protecting from arbitrary origins hitting the hostname. That's literally the exact reason CORS exists.
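
Added example, not part of the thread and not Adobe's code: a sketch of the server-side origin allowlist the comments argue about, assuming the check is made on the `Origin` request header. The hostnames, `ALLOWED_ORIGINS`, `decideProbeResponse` and the sample requests are all constructed for illustration.

```javascript
// Exact-match allowlist (constructed value). Substring or regex matching
// would let look-alike origins such as "...vendor.test.other.test" through.
const ALLOWED_ORIGINS = new Set(["https://www.example-vendor.test"]);

// Decide how to answer a request for the probe resource.
// `headers` is a plain object of request headers.
function decideProbeResponse(headers) {
  // Header names are case-insensitive, so normalise before lookup.
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = value;
  }
  const origin = h["origin"];

  // Vary: Origin stops a shared cache from replaying an allowed response
  // to a different origin; no-store keeps the probe result out of caches.
  const base = { "Vary": "Origin", "Cache-Control": "no-store" };

  if (origin === undefined || !ALLOWED_ORIGINS.has(origin)) {
    // Refuse, and send no Access-Control-Allow-Origin header, so a
    // browser will not expose the response to the calling page.
    return { status: 403, headers: base, body: null };
  }
  return {
    status: 200,
    headers: {
      ...base,
      "Access-Control-Allow-Origin": origin, // echo only the vetted value
      "Content-Type": "image/gif",
    },
    body: "GIF89a", // stand-in for the image bytes
  };
}

// Constructed sample requests.
const SAMPLE_REQUESTS = [
  { who: "browser on allowlisted site", headers: { Origin: "https://www.example-vendor.test" } },
  { who: "browser on another site", headers: { Origin: "https://other-site.test" } },
  { who: "look-alike origin", headers: { Origin: "https://www.example-vendor.test.other.test" } },
  { who: "no Origin header", headers: {} },
  // A browser sets Origin itself and page script cannot override it; any
  // other HTTP client can send whatever value it likes, so this check
  // restricts web origins and is not client authentication.
  { who: "non-browser client", headers: { origin: "https://www.example-vendor.test" } },
];

function evaluateSamples() {
  return SAMPLE_REQUESTS.map((r) => decideProbeResponse(r.headers).status);
}
```
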