undefined | Better HN

0 pointsstaticassertion4y ago0 comments

Can you explain the risk with regards to no-cors requests? Like presumably an attacker requesting an image isn't scary, right? I'd think the real issue would be the attacker making credential'd requests.

0 comments

bmm6o4y ago

The point is that the endpoint can be anything, it doesn't need to have anything to do with images. But because of the context of the request, it's no cors.

staticassertionOP4y ago

Right but that's why CORS exists, so I'm trying to figure out what this mitigation is for. Like, you can't just fetch with credentials by accident - I guess if you don't use http cookies, which sure that's fine, maybe you can?

This isn't my area of security so I'm trying to figure out what the scenario is supposed to be where this mitigation is important.

j / k navigate · click thread line to collapse

0 pointsstaticassertion4y ago0 comments

0 comments

bmm6o4y ago

The point is that the endpoint can be anything, it doesn't need to have anything to do with images. But because of the context of the request, it's no cors.

staticassertionOP4y ago

This isn't my area of security so I'm trying to figure out what the scenario is supposed to be where this mitigation is important.

j / k navigate · click thread line to collapse