
Breaking Same Origin Policy (for the alexa top 1m) - ejcx
https://ejj.io/breaking-sop/?hn
======
mathias
“If you are logged in to a site that does this, it's a huge danger. Your
private account information can be slurped down by ajax on any other sites.”

This is false (unless `Access-Control-Allow-Credentials` is set). See CORS
101:
[https://annevankesteren.nl/2012/12/cors-101](https://annevankesteren.nl/2012/12/cors-101)

~~~
jaffathecake
Seconded. And if you have Access-Control-Allow-Credentials then
Access-Control-Allow-Origin must reflect the origin, * is not enough.

It's safe to put Access-Control-Allow-Origin:* on any publicly-accessible
server, since another server could simply proxy that stuff anyway.
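As an added illustration (not code from the thread or the article), the browser-side rule the two comments describe, written out in JavaScript: a credentialed cross-origin read needs the exact origin echoed back plus `Access-Control-Allow-Credentials: true`, while `*` only ever exposes what an anonymous server-side proxy could fetch anyway. The `auditCorsPolicy` helper and its severity strings are my own naming, not anything from the post.

```javascript
// Normalise header names so lookups match however the server cased them.
function lowerKeys(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;
  return out;
}

// Models the CORS response check a browser applies before handing a
// cross-origin response body to page script. Returns true if the body
// would be readable by JS running at `requestOrigin`.
function corsResponseExposed(requestOrigin, withCredentials, rawHeaders) {
  const h = lowerKeys(rawHeaders);
  const acao = h['access-control-allow-origin'];
  const acac = h['access-control-allow-credentials'];
  if (acao === undefined) return false;            // no CORS header: blocked
  if (!withCredentials) {
    // Anonymous request: "*" or an exact origin match is enough.
    return acao === '*' || acao === requestOrigin;
  }
  // Credentialed request: "*" is rejected outright; ACAO must equal the
  // requesting origin byte-for-byte and ACAC must be exactly "true".
  return acao === requestOrigin && acac === 'true';
}

// Defender-side audit: given the headers a server returns when probed with
// an Origin it should NOT trust, classify what that policy actually exposes.
function auditCorsPolicy(untrustedOrigin, rawHeaders) {
  if (corsResponseExposed(untrustedOrigin, true, rawHeaders)) {
    return 'CRITICAL: logged-in users\' data readable from an untrusted origin';
  }
  if (corsResponseExposed(untrustedOrigin, false, rawHeaders)) {
    return 'INFO: anonymous reads only (no more than a server-side proxy gets)';
  }
  return 'OK: cross-origin reads blocked';
}
```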

