
Developers don't understand CORS (2019)

Hacker News · Jun 21, 2026, 1:35 AM


One of the best things about working in full stack consulting is that I get to work with a great number of developers with different skill levels in companies of various sizes and industries. This provides an opportunity to see what universal struggles come up. One that seems common and relevant recently is this: Too many web developers do not understand how CORS works.

This seems particularly timely to point out because of the recent Zoom vulnerability. Security researcher Jonathan Leitschuh found Zoom has a web server listening on the machine at http://localhost:19421. When you load a Zoom link, Zoom’s website sends a request to the localhost web server and tells it to open up the native Zoom app. The whole article is worth a read, but these parts stuck out to me:

I also found that, instead of making a regular AJAX request, this page instead loads an image from the Zoom web server that is locally running. The different dimensions of the image dictate the error/status code of the server. You can see that case-switch logic here.
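
The Origin allowlist a localhost helper like the one described above could apply before acting on a request, as an added example that is not from the original post or from Zoom's code. The names `ALLOWED_ORIGINS` and `decide` and the origin `https://meetings.example` are hypothetical.

```javascript
// Added example. ALLOWED_ORIGINS, decide() and the origin below are
// hypothetical; they are not taken from Zoom or from the original post.
const ALLOWED_ORIGINS = new Set(["https://meetings.example"]);

// Decide how a localhost helper answers a request, before any side effect.
// `headers` is an object keyed by lower-cased header name.
function decide(method, headers) {
  const origin = headers["origin"];
  // An <img> load is a no-cors GET and carries no Origin header, so it is
  // refused here; so are unlisted origins and the opaque origin "null".
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    return { status: 403, headers: {}, runAction: false };
  }
  // Echo the single matched origin (never "*") and mark the response as
  // varying by Origin so caches do not mix answers.
  const cors = { "Access-Control-Allow-Origin": origin, "Vary": "Origin" };
  if (method === "OPTIONS") {
    // Preflight: state what is permitted and do nothing else.
    return {
      status: 204,
      headers: {
        ...cors,
        "Access-Control-Allow-Methods": "POST",
        "Access-Control-Allow-Headers": "content-type",
      },
      runAction: false,
    };
  }
  // CORS only controls who may read a response; the request still arrives.
  // So the action is tied to a POST with a JSON body, which a page cannot
  // send cross-origin without passing the preflight above.
  if (method !== "POST") {
    return { status: 405, headers: cors, runAction: false };
  }
  if (!(headers["content-type"] || "").startsWith("application/json")) {
    return { status: 415, headers: cors, runAction: false };
  }
  return { status: 200, headers: cors, runAction: true };
}

// Constructed sample requests.
const samples = [
  ["GET", {}],
  ["POST", { origin: "https://other.example", "content-type": "application/json" }],
  ["POST", { origin: "https://meetings.example", "content-type": "application/json" }],
];
for (const [m, h] of samples) console.log(m, h.origin || "(no Origin)", decide(m, h).status);
```

The Origin header is only trustworthy on requests made by a browser; other local processes can set it freely, so this check guards against web pages, not local software.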

Article preview — originally published by Hacker News. Full story at the source.