Discussion on: Why Facebook's api starts with a for loop

Alexey

If you have some JS on your site that can modify your constructor, you're already hijacked, aren't you?

Antony Garand Author

This attack is used to steal data from another website.

Say you're on dev.to, you don't want dev.to to access your emails!
But dev.to can still execute their own scripts, which makes sense.

Luke Vo • Edited

Pardon my noob but shouldn't it be fixed with CORS instead?

Antony Garand Author

CORS wouldn't work on old browsers, and CORS is also used on the source site to limit what can be accessed from this website.

What is happening here is the opposite: an attacking website wants to access information from another one.

Also note that this vulnerability is over 10 years old, well older than CORS :)