As I read it, the same origin policy is about preventing scripts with origin in (evil) domain A from making requests to (good) domain B - in other words, cross-site request forgery.
Playing around a bit I learned about the Access-Control-Allow-Origin header and CORS which, as I somehow understand it, allow the server in the good domain B to specify that domain A is an allowed origin (therefore not evil). If this header is not present in the cross-domain response, the browser will not read anything from it, but it has already made the request anyway.
Now, I am somehow missing the point here. If domain B has a web services API and cookie authentication with the user being logged in, basically any operation can be performed on the poor user's behalf by the evil origin A; the attacker just won't see the response.
What am I missing here? Where is my reasoning faulty?
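The gap described above is the reason servers defend against CSRF separately from CORS: a cross-origin request still reaches domain B carrying the user's cookies, and the response-reading restriction is all CORS adds. The check below is an added example, not code from the original post; it assumes a hypothetical request object of the shape `{ method, headers }` and a constructed site origin `https://good.example`, and it rejects state-changing requests using Fetch Metadata, the Origin header and a synchronizer token (the token is the one value an attacker's page cannot obtain, precisely because CORS blocks reading the response).

```javascript
// Added example (not from the original post): server-side CSRF check that
// works regardless of any Access-Control-Allow-Origin header the server sends.
// Assumes a hypothetical request shape { method, headers } and a constructed
// site origin.
const SITE_ORIGIN = "https://good.example"; // constructed sample value

// RFC 7231 "safe" methods must not change state, so they need no CSRF check.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

function headerValue(headers, name) {
  // HTTP header names are case-insensitive; normalise the lookup.
  const wanted = name.toLowerCase();
  const key = Object.keys(headers).find((k) => k.toLowerCase() === wanted);
  return key === undefined ? undefined : headers[key];
}

// Returns { allowed, reason } for a request that arrived with session cookies.
function checkCrossSiteRequest(req, expectedCsrfToken) {
  const method = req.method.toUpperCase();
  if (SAFE_METHODS.has(method)) {
    return { allowed: true, reason: "safe method" };
  }
  // 1. Fetch Metadata: modern browsers declare who initiated the request.
  const site = headerValue(req.headers, "sec-fetch-site");
  if (site !== undefined && site !== "same-origin" && site !== "none") {
    return { allowed: false, reason: `cross-site initiator (${site})` };
  }
  // 2. Origin: browsers attach it to cross-origin POSTs and to every fetch/XHR.
  //    A "null" origin (sandboxed frame, data: URL) is treated as foreign.
  const origin = headerValue(req.headers, "origin");
  if (origin !== undefined && origin !== SITE_ORIGIN) {
    return { allowed: false, reason: `origin mismatch (${origin})` };
  }
  // 3. Synchronizer token: issued to the logged-in page, unreadable cross-origin,
  //    so a forged request from domain A cannot supply it.
  const token = headerValue(req.headers, "x-csrf-token");
  if (token === undefined || token !== expectedCsrfToken) {
    return { allowed: false, reason: "missing or invalid CSRF token" };
  }
  return { allowed: true, reason: "same-site request with valid token" };
}
```

Setting the session cookie with `SameSite=Lax` or `Strict` complements this check on the cookie side by stopping the browser from attaching the cookie to cross-site requests in the first place.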