Final Thoughts on the Same-Origin Policy

Before we move on to browser-side attack techniques, we should clarify that there are many more ways to make cross-origin calls than the ones we have discussed here. Technically, all script code needs in order to make a cross-origin request is some way to cause the browser to send an HTTP GET, and there are dozens of ways to do that. The catch is that merely being able to send a cross-origin request usually isn't useful unless you can also read the response. The operative word here is "usually."

If an attacker is trying to steal your private information like your bank account number, and he can’t get the bank to send it to him directly, maybe he can take an alternative tack and trick you ...

Get Web Application Security, A Beginner's Guide now with the O’Reilly learning platform.
