If you’re not entirely familiar with CORS, this guide by Lydia Hallie will explain it to you using lots of visuals.
Jake Archibald discovered a really nice browser bug (since fixed) that let him steal data from remote sites by loading them in as a (fake) wav file.
The exploit works as follows:
1. Load a (fake) wav file from evil-script, using a Content-Range header to suggest there’s more data to be loaded afterwards.
2. Have evil-script return a valid WAV PCM header block, but also have it return a Redirect response to the cross-origin (!) location you want to read out.
3. Because a Content-Range header was used, the browser will make a second request to fetch the rest of the data; that request follows the redirect, so the cross-origin response ends up as the remainder of the “audio”.
Not all browsers were affected by this bug: in Firefox you could only get the length of the returned content, and it was only in Edge that Jake was able to read out the actual contents of the generated wav file. Here’s a video of Edge (warning: as it’s raw data you’ll only hear glitches and stuff … you might want to turn down the volume):
Nice find Jake!
A shame the process of reporting this bug with the Edge team didn’t go that smoothly though (details in Jake’s post). I’m confident the Edge team will adjust / already have adjusted a few things internally to prevent this obstacle course from happening again.
Just pushed a new project to GitHub named Simple REST API Explorer, a simple way of showcasing and exploring all endpoints of your RESTful API.
The demo allows you to call some Twitter API endpoints. Update the index.html file to reflect your own API endpoints. All the rest will go automagically.
Some notes that go with this first version:
Only GET is supported (for now?)
Cross-Origin Resource Sharing (CORS) is a W3C spec that allows cross-domain communication from the browser. By building on top of the XMLHttpRequest object, CORS allows developers to work with the same idioms as same-domain requests.
Cross-Origin Resource Sharing (CORS) works by adding a special header to responses from a server to the client. If a response contains the Access-Control-Allow-Origin header, and if the browser supports CORS, then there is a chance you can load the resource directly with Ajax – no need for a proxy or JSONP hacks.
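As an added example (not code from the original post), here is the server-side decision that header carries: a helper that emits Access-Control-Allow-Origin only for an allowlisted Origin, shown beside the unsafe reflect-whatever-was-sent variant, plus the check a browser performs before letting script read the response. The allowlist and origins are constructed values.

```javascript
// Added example: how a server decides what Access-Control-Allow-Origin to
// send. The browser only exposes the response to script if this header
// matches the requesting origin, so its value is the access-control decision.

// Constructed allowlist; replace with the origins that may call your API.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// Weak pattern: echo whatever Origin the browser sent and allow credentials.
// Any site can then make a cookie-bearing request and read the user's data.
function corsHeadersReflectAnything(requestOrigin) {
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened pattern: only allowlisted origins get a matching header; anything
// else (including a missing or "null" Origin) gets no CORS headers, so the
// browser blocks the cross-origin read. Vary: Origin stops a shared cache from
// replaying one origin's allow header to another.
function corsHeadersAllowlist(requestOrigin, allowed = ALLOWED_ORIGINS) {
  if (typeof requestOrigin !== "string" || !allowed.has(requestOrigin)) {
    return {};
  }
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// The check a browser performs before exposing a response to script: the
// header must be "*" (never valid together with credentials) or exactly the
// page's origin, and credentialed reads also need Allow-Credentials: true.
function browserAllowsRead(pageOrigin, responseHeaders, withCredentials) {
  const allow = responseHeaders["Access-Control-Allow-Origin"];
  if (allow === undefined) return false;
  if (allow === "*") return !withCredentials;
  if (allow !== pageOrigin) return false;
  if (withCredentials) {
    return responseHeaders["Access-Control-Allow-Credentials"] === "true";
  }
  return true;
}
```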