why does browser prevent CORS
tags: learning networking
content
- the browser blocks cross-origin resource sharing (CORS) to stop malicious requests
scenario:
- user logs in to bank.com; the browser stores the login info (session, cookies, auth token)
- user clicks on evil.com; evil.com contains JavaScript which sends a request to bank.com/transfer?to=evil&amount=1000
how the browser prevents this:
- the browser requests evil.com
- JavaScript sent by evil.com wants to send a request to bank.com
- the browser sees that the two origins are different and stops the request to bank.com
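The check the note describes is a comparison of origins, where an origin is the (scheme, host, port) triple of a URL, followed by a look at the Access-Control-Allow-Origin response header through which bank.com could explicitly opt in. The following is an added example (not part of the original note, and not browser source code) that implements that decision in plain Node.js; the headers and URLs are constructed for the scenario above.

```javascript
// Added example (not from the original note): how a browser decides whether
// a script running on one origin may be exposed to a response from another.
// An origin is the (scheme, host, port) triple; path and query are ignored.

function originOf(urlString) {
  const u = new URL(urlString);
  // URL.origin normalises default ports: "https://bank.com:443" -> "https://bank.com"
  return u.origin;
}

function isSameOrigin(pageUrl, requestUrl) {
  return originOf(pageUrl) === originOf(requestUrl);
}

// Decide whether a cross-origin response may be exposed to the calling script,
// given the CORS response headers the target server returned (constructed
// headers, lower-cased keys; no real server involved). A credentialed request
// (one that carries cookies) additionally needs a specific allowed origin,
// never "*", plus Access-Control-Allow-Credentials: true.
function corsAllows(pageUrl, requestUrl, responseHeaders, { withCredentials = false } = {}) {
  if (isSameOrigin(pageUrl, requestUrl)) return true;
  const allow = responseHeaders['access-control-allow-origin'];
  if (!allow) return false; // target never opted in: blocked, as in the note
  if (allow === '*') return !withCredentials;
  if (allow !== originOf(pageUrl)) return false;
  if (withCredentials) {
    return responseHeaders['access-control-allow-credentials'] === 'true';
  }
  return true;
}

// Constructed scenario from the note: page on evil.com, request to bank.com
const page = 'https://evil.com/index.html';
const target = 'https://bank.com/transfer?to=evil&amount=1000';
const bankHeaders = {}; // bank.com sends no CORS headers at all
console.log(isSameOrigin(page, target)); // false: different host
console.log(corsAllows(page, target, bankHeaders, { withCredentials: true })); // false: blocked
```

Run it with `node cors-check.js` (any file name works). The function names `originOf`, `isSameOrigin` and `corsAllows` are this example's own; the header names are the real CORS headers. Note that `https://bank.com` and `http://bank.com` are different origins even though the host matches, which is why the comparison uses the whole triple and not just the hostname.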