[bastawhiz]

I think cors can prevent that. You can't make a cross origin request from an origin that isn't allowlisted

[15155]

Timing attack on the preflight.

[bastawhiz]

The DNS lookup will take an indeterminate amount of time and the cors failure is cached. You can't really effectively do a timing attack, especially if the client and the real server take a random time to respond. You get exactly one sample.

[15155]

detect-ccd.creativecloud.adobe.com returns NXDOMAIN. Why can't you request a different resource to get more than one attempt?

[inetknght]

You really think a server-controlled CORS list will protect you from a client-side configuration issue?

[bastawhiz]

It's not a client side configuration issue. You're not protecting against software the user has installed, you're protecting from arbitrary origins hitting the hostname. That's literally the exact reason cors exists.