DEV Community

Discussion on: I tried to mount a client-side "attack" on a news website poll by using only Javascript. And I failed miserably.

 
Ivan Spoljaric • Edited

True. But unlike browsers, Node.js servers don't implement the Same Origin Policy. So technically speaking, yeah, you are still a "client" for the target BE - although somewhat different - even though you are running your script from a server. Maybe I should have been more precise and called it a "browser-side attack".

Based on experience, I know it would be easier to try this from the server side because there are no CORS-related issues. I am just not sure what would happen if I tampered with iframes in this scenario. I'll have to test this out.