I’ve been reading about the Access-Control-Allow-Origin header. As far as I understand, enabling this header with a value of * will enable any third-party site to make requests to it on behalf of its users.
This made me think that I could exploit such a site by making a request to an “/account/settings”-like endpoint on behalf of a victim in order to read stuff like email, phone number and address associated with the victim’s account.
Like:
However, when I try to do this in practice using myself as the victim and being logged in on my target site, I get a /login redirect response from the server. The request is not that of an authenticated user.
Can someone clarify what the risk of enabling Access-Control on sensitive pages is, if it’s not this?
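To make the behaviour in the question concrete, here is an added model (not code from the original post) of the two browser rules that decide the outcome: whether the session cookie is attached to a cross-site fetch() at all, and the Fetch specification's CORS check that decides whether the script may read the response. The origin, endpoint and header sets below are constructed; `cookieSendable` is an assumption standing in for whatever SameSite rule would otherwise block the cookie, and the server side is a stand-in that answers 302 to /login whenever no cookie arrives.

```javascript
// Added illustration of the browser-side CORS rules discussed above.
// Not the original poster's code; origin, endpoint and headers are constructed.

// Normalise a header map so lookups are case-insensitive, as header names are.
function lowerKeys(headers) {
  return Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v])
  );
}

// The Fetch spec's "CORS check": may a script on `requestOrigin` read this response?
// `credentials` is the fetch() credentials mode: "omit", "same-origin" or "include".
function corsCheck(requestOrigin, credentials, responseHeaders) {
  const h = lowerKeys(responseHeaders);
  const acao = h["access-control-allow-origin"];
  if (acao === undefined) return false;            // no CORS header: blocked
  if (credentials !== "include" && acao === "*") return true; // wildcard, no cookies: readable
  if (acao !== requestOrigin) return false;        // must name this exact origin
  if (credentials !== "include") return true;      // exact origin, no cookies: readable
  // Credentialed request: the server must also opt in explicitly. Note that a
  // wildcard already failed the exact-origin comparison above, so "*" plus
  // cookies can never pass.
  return h["access-control-allow-credentials"] === "true";
}

// One cross-site request from the attacker's page to the victim's /account/settings.
// `cookieSendable` (assumption) is false when a SameSite attribute would stop the
// cookie from travelling cross-site regardless of the credentials mode.
function simulateCrossSiteRequest({ attackerOrigin, credentials, responseHeaders, cookieSendable = true }) {
  // Browsers only attach cookies to a cross-site fetch() when credentials is "include".
  const cookieSent = credentials === "include" && cookieSendable;
  // Constructed stand-in for the target app: anonymous requests get the login redirect.
  const status = cookieSent ? 200 : 302;
  const exposed = corsCheck(attackerOrigin, credentials, responseHeaders);
  return { cookieSent, status, exposed, readableAccountData: cookieSent && exposed };
}

const ATTACKER = "https://attacker.example"; // constructed

function runScenarios() {
  return {
    // 1. The setup in the question: ACAO: * and a plain fetch() (default credentials
    //    mode is "same-origin"). The response is readable, but no cookie was sent,
    //    so the server answered with the /login redirect.
    wildcardDefault: simulateCrossSiteRequest({
      attackerOrigin: ATTACKER,
      credentials: "same-origin",
      responseHeaders: { "Access-Control-Allow-Origin": "*" },
    }),
    // 2. Same server, but fetch(url, { credentials: "include" }). The cookie goes
    //    out and the server returns the settings data, yet the browser refuses to
    //    expose a credentialed response whose ACAO is "*".
    wildcardInclude: simulateCrossSiteRequest({
      attackerOrigin: ATTACKER,
      credentials: "include",
      responseHeaders: { "Access-Control-Allow-Origin": "*" },
    }),
    // 3. The configuration that actually leaks account data: the server reflects the
    //    request's Origin header and adds Access-Control-Allow-Credentials: true.
    reflectedWithCredentials: simulateCrossSiteRequest({
      attackerOrigin: ATTACKER,
      credentials: "include",
      responseHeaders: {
        "Access-Control-Allow-Origin": ATTACKER,
        "Access-Control-Allow-Credentials": "true",
      },
    }),
  };
}

for (const [name, r] of Object.entries(runScenarios())) {
  console.log(name, r);
}
```

Scenario 3 is the one worth hunting for in a test: send an Origin header the application has no reason to trust and see whether it comes back in Access-Control-Allow-Origin together with Access-Control-Allow-Credentials: true. A bare `*`, by contrast, can only ever serve anonymous cross-site reads, which is why the login redirect shows up in the question's experiment.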