It's sorta sad but funny that that big Zoom vulnerability thing was ultimately related to web technology and not really the app itself. There is this idea of custom protocols or "URL schemes." So, like
In order for that web page to open up a native app, apparently, the tactic used by many is to have it communicate with a server running on localhost on your own computer which uses a URL scheme to open the native app. Clever, but I've heard sentiment from folks like:
That's the way it is though. But there are some protections in place. Namely: CORS (Cross-Origin Resource Sharing). Ugh. I feel like I deal with some kind of CORS problem every week of my life. But it's important. It prevents XHR requests from websites that aren't specifically allowed. Imagine if you visit my website, and I have your browser shoot requests over to Facebook, hoping you are logged in so I can do things on your behalf. Bad. CORS doesn't prevent that, the same-origin policy of browsers prevents that. CORS is the mechanism to control that. If my website tries to communicate with your website, and your website's response doesn't have an

Chris Foster thinks CORS and a lack of understanding of CORS was at the heart of the Zoom bug.
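To make the same-origin-policy/CORS split concrete, here is an added example (not from the CSS-Tricks post) that models the browser's decision in plain functions: a localhost-style server that reflects any `Origin` header beside one that uses an allowlist. The origins `https://app.example` and `https://evil.example` are constructed for illustration.

```javascript
// Weak pattern: reflect whatever Origin the request carries. Any web page you
// visit can then read this local server's responses, which is the risk the
// post describes for localhost helpers.
function weakCorsHeaders(requestOrigin) {
  return { "Access-Control-Allow-Origin": requestOrigin };
}

// Hardened pattern: only origins on an explicit allowlist get the header at
// all; everyone else gets a response the browser refuses to expose to the page.
const ALLOWED_ORIGINS = new Set(["https://app.example"]); // constructed value
function allowlistCorsHeaders(requestOrigin) {
  if (!ALLOWED_ORIGINS.has(requestOrigin)) return {};
  return { "Access-Control-Allow-Origin": requestOrigin, "Vary": "Origin" };
}

// Simplified model of what the browser does: the same-origin policy blocks
// reading a cross-origin response unless the server's header names the
// calling page's origin exactly, or is "*" (which browsers reject when the
// request carries credentials such as cookies).
function browserCanRead(pageOrigin, responseHeaders, credentialed = false) {
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  if (acao === undefined) return false;
  if (acao === "*") return !credentialed;
  return acao === pageOrigin;
}

// A page at `pageOrigin` fires an XHR at the local server; the browser sends
// that origin in the Origin request header, then applies the check above.
function simulate(serverHandler, pageOrigin, credentialed = false) {
  const responseHeaders = serverHandler(pageOrigin);
  return browserCanRead(pageOrigin, responseHeaders, credentialed);
}

// Walk through the cases so the block shows something when run stand-alone.
for (const origin of ["https://app.example", "https://evil.example"]) {
  console.log(origin, "vs reflecting server:", simulate(weakCorsHeaders, origin));
  console.log(origin, "vs allowlist server:", simulate(allowlistCorsHeaders, origin));
}
```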
In the wake of all this, Nicolas Bailly wrote "What you should know about CORS":
The post Zoom, CORS, and the Web appeared first on CSS-Tricks: https://css-tricks.com/zoom-cors-and-the-web/