Hacker News new | past | comments | ask | show | jobs | submit login

Not sure I follow the CORS angle. The linked stackoverflow question mostly seemed to be someone who was confused about how CORS works, and the issue in the Google Chrome tracker was closed as WontFix because they couldn't reproduce it and said it should work.

I'm nearly positive that CORS from localhost works OK. I set this up all the time for local development. For example, I run a client CRA app on localhost:3000 and an API on localhost:3001. The API sets the CORS headers and the CRA app can make requests to it.

If this is correct then I believe all Zoom needed to do is have their localhost application set CORS headers for their production domain. This would have allowed AJAX communication and only allowed it for Javascript running on their domain. Instead they did this totally hacky method that lets the whole world interact with the localhost server...

Maybe I missed something but if they could have done this the right way and didn't that is much worse IMO...

You're 100% correct, and while someone has pointed out the proper headers that need to be set on the bug report here: https://bugs.chromium.org/p/chromium/issues/detail?id=67743, it's been drowned out by people who don't seem to understand the issue:


CORS is hard, I've struggled on it several times, and I'm not surprised an engineer gave up trying to fix it because of deadlines.

Can confirm, CORS (Origin: ramdomsite.tld to localhost) works just fine in Chrome.

If you have a CORS enable server on localhost you can make requests to it from http://www.test-cors.org

Am I right in thinking that CORS only applies to Javascript-initiated requests? This trick uses an embedded image to make the request.

That's correct, and part of my point. If they used CORS headers correctly it could both be secure and not require a crazy image hack.

The image hack seems like a lot of work to go through to make an app LESS secure.

I'm a bit confused, so CORS doesn't apply when trying to load an image?

If they set CORS to allow interaction from anywhere, why use an image and not load data with js?

CORS is set up to protect data from being given to a third party, e.g. JS requests obtaining and being able to observe data they shouldn't have access to. Since images are being loaded by the browser (second party), there is no such protection, since a third party should not be able to read them anyway (barring some other vulnerability). It's assumed the first party is correctly doing what it's supposed to, an example could be fetching an image from a cdn.

Hmm I still don't understand why they have to use the image hack. Since they control the server on localhost they can set the CORS headers to allow all domains, then JS from a site could access localhost right?

Yes. I don't think there is any good reason to use the image hack. Further, they could have made the CORS lock only the production zoom domain for better security...

A user on Reddit suggested the image url hack was a way to bypass mixed content blocking from the zoom https site to the local http server: https://www.reddit.com/r/programming/comments/cavblo/zoom_ze...

> One potential hiccup I encountered was that Firefox blocked my XHR request due to a policy against "mixed active content". This was because my origin site was accessed through an HTTPS connection and the localhost server was only HTTP. That's one potential reason Zoom might have opted to use their <img> garbage; since <img> elements are passive not active content, they could avoid using HTTPS on the localhost webserver. That's not a good excuse, but clearly they weren't interested in finding a good solution -- whatever the problem that prompted the <img> hack was.

Very interesting, thank you! This is definitely no excuse for not filtering the origins -- they just don't get it for free through passive but they still need to do it, or since they are a native app, generate and install a cert -- but it could be the motivation for the decision to go this route which is really useful to know.

Lots of this got me thinking so I wrote a bit of a piece on it: https://fosterelli.co/developers-dont-understand-cors

Registration is open for Startup School 2019. Classes start July 22nd.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact