4 Matching Annotations
  1. Apr 2020
    1. Without same-origin policy, that hacker website could make authenticated malicious AJAX calls to https://examplebank.com/api to POST /withdraw even though the hacker website doesn’t have direct access to the bank’s cookies.

      Cross-domain vulnerability

  2. Dec 2019
    1. Note that adding the X-Requested-With header makes the request "unsafe" (as defined by CORS), and will trigger a preflight request, which may not be desirable.
  3. Sep 2018