1c:["$","$L1d",null,{"blockContent":[{"object":"block","id":"296dc9c5-3059-801d-80fd-e1748e510f18","parent":{"type":"page_id","page_id":"296dc9c5-3059-80d7-b583-d0501378040b"},"created_time":"2025-10-24T11:39:00.000Z","last_edited_time":"2025-10-24T11:47:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"toggle","toggle":{"rich_text":[{"type":"text","text":{"content":"What is CORS (cross-origin resource sharing)?","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"What is CORS (cross-origin resource sharing)?","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"296dc9c5-3059-80b1-ab47-de107815fa05","parent":{"type":"block_id","block_id":"296dc9c5-3059-801d-80fd-e1748e510f18"},"created_time":"2025-10-24T11:40:00.000Z","last_edited_time":"2025-10-24T11:40:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"CORS (Cross-Origin Resource Sharing) is a browser feature that lets a website request resources (like data or files) from another domain, but only if that other domain allows it.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"CORS (Cross-Origin Resource Sharing) is a browser feature that lets a website request resources (like data or files) from another domain, but only if that other domain allows it.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"296dc9c5-3059-802b-bb79-e8cad175ceac","parent":{"type":"block_id","block_id":"296dc9c5-3059-801d-80fd-e1748e510f18"},"created_time":"2025-10-24T11:40:00.000Z","last_edited_time":"2025-10-24T11:40:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"It’s an extension of the ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"It’s an extension of the ","href":null},{"type":"text","text":{"content":"Same-Origin Policy (SOP)","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Same-Origin Policy (SOP)","href":null},{"type":"text","text":{"content":", which normally blocks such cross-domain requests for security reasons.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":", which normally blocks such cross-domain requests for security reasons.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"296dc9c5-3059-809f-95ae-c2b0e7caa1ba","parent":{"type":"block_id","block_id":"296dc9c5-3059-801d-80fd-e1748e510f18"},"created_time":"2025-10-24T11:40:00.000Z","last_edited_time":"2026-04-05T16:55:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"CORS makes this restriction more flexible but if it’s ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"CORS makes this restriction more flexible but if it’s ","href":null},{"type":"text","text":{"content":"misconfigured","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"misconfigured","href":null},{"type":"text","text":{"content":", it can accidentally allow attackers to make unauthorized cross-domain requests.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":", it can accidentally allow attackers to make unauthorized cross-domain requests.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"296dc9c5-3059-8012-9c41-ee51b5f70855","parent":{"type":"block_id","block_id":"296dc9c5-3059-801d-80fd-e1748e510f18"},"created_time":"2025-10-24T11:40:00.000Z","last_edited_time":"2025-10-24T11:41:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Important:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Important:","href":null},{"type":"text","text":{"content":" CORS does ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" CORS does ","href":null},{"type":"text","text":{"content":"not","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"not","href":null},{"type":"text","text":{"content":" protect against CSRF or other cross-site attacks.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" protect against CSRF or other cross-site attacks.","href":null}],"icon":null,"color":"default"},"archived":false}]},{"object":"block","id":"296dc9c5-3059-8029-898c-ee156b9bb471","parent":{"type":"page_id","page_id":"296dc9c5-3059-80d7-b583-d0501378040b"},"created_time":"2025-10-24T11:42:00.000Z","last_edited_time":"2025-10-24T11:47:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"toggle","toggle":{"rich_text":[{"type":"text","text":{"content":"Same-origin policy","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Same-origin policy","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"296dc9c5-3059-8036-bad2-e3aea0c59e1e","parent":{"type":"block_id","block_id":"296dc9c5-3059-8029-898c-ee156b9bb471"},"created_time":"2025-10-24T11:42:00.000Z","last_edited_time":"2025-10-24T11:42:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"The ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"The ","href":null},{"type":"text","text":{"content":"Same-Origin Policy (SOP)","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Same-Origin Policy (SOP)","href":null},{"type":"text","text":{"content":" is a browser security rule that stops websites from accessing data from other domains.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" is a browser security rule that stops websites from accessing data from other domains.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"296dc9c5-3059-803b-af9e-cb65628ffd99","parent":{"type":"block_id","block_id":"296dc9c5-3059-8029-898c-ee156b9bb471"},"created_time":"2025-10-24T11:42:00.000Z","last_edited_time":"2025-10-24T11:42:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"It was created to prevent malicious sites from stealing private information from other websites.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"It was created to prevent malicious sites from stealing private information from other websites.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"296dc9c5-3059-8024-a3d4-f221e7df19b4","parent":{"type":"block_id","block_id":"296dc9c5-3059-8029-898c-ee156b9bb471"},"created_time":"2025-10-24T11:42:00.000Z","last_edited_time":"2025-10-24T11:42:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"In short:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"In short:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"296dc9c5-3059-808b-b9a8-cac8034184f8","parent":{"type":"block_id","block_id":"296dc9c5-3059-8029-898c-ee156b9bb471"},"created_time":"2025-10-24T11:42:00.000Z","last_edited_time":"2025-10-24T11:42:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"A site ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"A site ","href":null},{"type":"text","text":{"content":"can send","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"can send","href":null},{"type":"text","text":{"content":" requests to other domains.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" requests to other domains.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"296dc9c5-3059-806c-b8f2-cdebcab65052","parent":{"type":"block_id","block_id":"296dc9c5-3059-8029-898c-ee156b9bb471"},"created_time":"2025-10-24T11:42:00.000Z","last_edited_time":"2025-10-24T11:42:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"But it ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"But it ","href":null},{"type":"text","text":{"content":"can’t read","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"can’t read","href":null},{"type":"text","text":{"content":" the responses unless both have the same origin (same domain, protocol, and port).","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" the responses unless both have the same origin (same domain, protocol, and port).","href":null}],"color":"default"},"archived":false}]},{"object":"block","id":"296dc9c5-3059-805a-b817-d362365d631c","parent":{"type":"page_id","page_id":"296dc9c5-3059-80d7-b583-d0501378040b"},"created_time":"2025-10-24T11:49:00.000Z","last_edited_time":"2025-10-24T11:49:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"divider","divider":{},"archived":false},{"object":"block","id":"296dc9c5-3059-8014-a0a1-c77340bc1fa2","parent":{"type":"page_id","page_id":"296dc9c5-3059-80d7-b583-d0501378040b"},"created_time":"2025-10-24T11:46:00.000Z","last_edited_time":"2025-10-24T14:59:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"toggle","toggle":{"rich_text":[{"type":"text","text":{"content":"What is the Same-Origin Policy?","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"What is the Same-Origin Policy?","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"296dc9c5-3059-80c9-9b7b-e0686968576e","parent":{"type":"block_id","block_id":"296dc9c5-3059-8014-a0a1-c77340bc1fa2"},"created_time":"2025-10-24T11:47:00.000Z","last_edited_time":"2025-10-24T11:47:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"The ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"The ","href":null},{"type":"text","text":{"content":"Same-Origin Policy","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Same-Origin Policy","href":null},{"type":"text","text":{"content":" prevents one website from accessing data from another website unless both have the ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" prevents one website from accessing data from another website unless both have the ","href":null},{"type":"text","text":{"content":"same origin","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"same origin","href":null},{"type":"text","text":{"content":".","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":".","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"296dc9c5-3059-80af-bce1-efc55791b635","parent":{"type":"block_id","block_id":"296dc9c5-3059-8014-a0a1-c77340bc1fa2"},"created_time":"2025-10-24T11:47:00.000Z","last_edited_time":"2025-10-24T11:47:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"An ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"An ","href":null},{"type":"text","text":{"content":"origin","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"origin","href":null},{"type":"text","text":{"content":" is made up of:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" is made up of:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"296dc9c5-3059-80ab-8018-f754d04200f0","parent":{"type":"block_id","block_id":"296dc9c5-3059-8014-a0a1-c77340bc1fa2"},"created_time":"2025-10-24T11:47:00.000Z","last_edited_time":"2025-10-24T11:47:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Scheme (protocol):","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Scheme (protocol):","href":null},{"type":"text","text":{"content":" e.g., ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" e.g., ","href":null},{"type":"text","text":{"content":"http","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"http","href":null},{"type":"text","text":{"content":" or ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" or ","href":null},{"type":"text","text":{"content":"https","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"https","href":null}],"color":"default"},"archived":false},{"object":"block","id":"296dc9c5-3059-80f6-859d-f8f184c61e26","parent":{"type":"block_id","block_id":"296dc9c5-3059-8014-a0a1-c77340bc1fa2"},"created_time":"2025-10-24T11:47:00.000Z","last_edited_time":"2025-10-24T11:47:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Domain (host):","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Domain (host):","href":null},{"type":"text","text":{"content":" e.g., ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" e.g., ","href":null},{"type":"text","text":{"content":"normal-website.com","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"normal-website.com","href":null}],"color":"default"},"archived":false},{"object":"block","id":"296dc9c5-3059-802a-8676-d52c462898b4","parent":{"type":"block_id","block_id":"296dc9c5-3059-8014-a0a1-c77340bc1fa2"},"created_time":"2025-10-24T11:47:00.000Z","last_edited_time":"2025-10-24T11:47:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Port number:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Port number:","href":null},{"type":"text","text":{"content":" e.g., ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" e.g., ","href":null},{"type":"text","text":{"content":"80","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"80","href":null},{"type":"text","text":{"content":" or ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" or ","href":null},{"type":"text","text":{"content":"443","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"443","href":null}],"color":"default"},"archived":false},{"object":"block","id":"296dc9c5-3059-80af-a1ce-dc27955c5c95","parent":{"type":"block_id","block_id":"296dc9c5-3059-8014-a0a1-c77340bc1fa2"},"created_time":"2025-10-24T11:47:00.000Z","last_edited_time":"2025-10-24T11:47:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"So, for example:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"So, for example:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"296dc9c5-3059-80d4-aea1-e4f8d3b9175e","parent":{"type":"block_id","block_id":"296dc9c5-3059-8014-a0a1-c77340bc1fa2"},"created_time":"2025-10-24T11:47:00.000Z","last_edited_time":"2025-10-24T11:47:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"Origin = scheme + domain + port\n = http + normal-website.com + 80","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Origin = scheme + domain + port\n = http + normal-website.com + 80","href":null}],"language":"plain text"},"archived":false},{"object":"block","id":"296dc9c5-3059-805e-a3f7-f38f1d811b01","parent":{"type":"block_id","block_id":"296dc9c5-3059-8014-a0a1-c77340bc1fa2"},"created_time":"2025-10-24T11:47:00.000Z","last_edited_time":"2025-10-24T14:58:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"heading_3","heading_3":{"rich_text":[{"type":"text","text":{"content":"Example (http://normal-website.com:80)","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Example (http://normal-website.com:80)","href":null}],"is_toggleable":false,"color":"default"},"archived":false},{"object":"block","id":"296dc9c5-3059-8052-86bb-f7e3e30241b4","parent":{"type":"block_id","block_id":"296dc9c5-3059-8014-a0a1-c77340bc1fa2"},"created_time":"2025-10-24T11:47:00.000Z","last_edited_time":"2025-10-24T14:57:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"table","table":{"table_width":3,"has_column_header":true,"has_row_header":false},"archived":false,"children":[{"object":"block","id":"296dc9c5-3059-80cf-8b47-fa43220c0e40","parent":{"type":"block_id","block_id":"296dc9c5-3059-8052-86bb-f7e3e30241b4"},"created_time":"2025-10-24T11:47:00.000Z","last_edited_time":"2025-10-24T11:47:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"table_row","table_row":{"cells":[[{"type":"text","text":{"content":"URL accessed","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"URL accessed","href":null}],[{"type":"text","text":{"content":"Access permitted?","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Access permitted?","href":null}],[{"type":"text","text":{"content":"Reason","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Reason","href":null}]]},"archived":false},{"object":"block","id":"296dc9c5-3059-8077-b327-fa4cf3c2c9c9","parent":{"type":"block_id","block_id":"296dc9c5-3059-8052-86bb-f7e3e30241b4"},"created_time":"2025-10-24T11:47:00.000Z","last_edited_time":"2025-10-24T11:47:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"table_row","table_row":{"cells":[[{"type":"text","text":{"content":"http://normal-website.com/example/","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"http://normal-website.com/example/","href":null}],[{"type":"text","text":{"content":"✅ Yes","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"✅ Yes","href":null}],[{"type":"text","text":{"content":"Same scheme, domain, and port","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Same scheme, domain, and port","href":null}]]},"archived":false},{"object":"block","id":"296dc9c5-3059-8086-811c-f588a2da5f91","parent":{"type":"block_id","block_id":"296dc9c5-3059-8052-86bb-f7e3e30241b4"},"created_time":"2025-10-24T11:47:00.000Z","last_edited_time":"2025-10-24T11:47:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"table_row","table_row":{"cells":[[{"type":"text","text":{"content":"http://normal-website.com/example2/","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"http://normal-website.com/example2/","href":null}],[{"type":"text","text":{"content":"✅ Yes","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"✅ Yes","href":null}],[{"type":"text","text":{"content":"Same scheme, domain, and port","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Same scheme, domain, and port","href":null}]]},"archived":false},{"object":"block","id":"296dc9c5-3059-80c7-a655-f644735477da","parent":{"type":"block_id","block_id":"296dc9c5-3059-8052-86bb-f7e3e30241b4"},"created_time":"2025-10-24T11:47:00.000Z","last_edited_time":"2025-10-24T11:47:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"table_row","table_row":{"cells":[[{"type":"text","text":{"content":"https://normal-website.com/example/","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"https://normal-website.com/example/","href":null}],[{"type":"text","text":{"content":"❌ No","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"❌ No","href":null}],[{"type":"text","text":{"content":"Different scheme (https vs http)","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Different scheme (https vs http)","href":null}]]},"archived":false},{"object":"block","id":"296dc9c5-3059-8001-a310-c8e0954c8934","parent":{"type":"block_id","block_id":"296dc9c5-3059-8052-86bb-f7e3e30241b4"},"created_time":"2025-10-24T11:47:00.000Z","last_edited_time":"2025-10-24T11:47:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"table_row","table_row":{"cells":[[{"type":"text","text":{"content":"http://en.normal-website.com/example/","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"http://en.normal-website.com/example/","href":null}],[{"type":"text","text":{"content":"❌ No","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"❌ No","href":null}],[{"type":"text","text":{"content":"Different subdomain","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Different subdomain","href":null}]]},"archived":false},{"object":"block","id":"296dc9c5-3059-80d0-87d3-d1e062ffcb2c","parent":{"type":"block_id","block_id":"296dc9c5-3059-8052-86bb-f7e3e30241b4"},"created_time":"2025-10-24T11:47:00.000Z","last_edited_time":"2025-10-24T11:47:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"table_row","table_row":{"cells":[[{"type":"text","text":{"content":"http://www.normal-website.com/example/","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"http://www.normal-website.com/example/","href":null}],[{"type":"text","text":{"content":"❌ No","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"❌ No","href":null}],[{"type":"text","text":{"content":"Different subdomain","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Different subdomain","href":null}]]},"archived":false},{"object":"block","id":"296dc9c5-3059-80a2-8888-d13ae5e3c71d","parent":{"type":"block_id","block_id":"296dc9c5-3059-8052-86bb-f7e3e30241b4"},"created_time":"2025-10-24T11:47:00.000Z","last_edited_time":"2025-10-24T11:47:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"table_row","table_row":{"cells":[[{"type":"text","text":{"content":"http://normal-website.com:8080/example/","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"http://normal-website.com:8080/example/","href":null}],[{"type":"text","text":{"content":"❌ No","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"❌ No","href":null}],[{"type":"text","text":{"content":"Different port","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Different port","href":null}]]},"archived":false}]},{"object":"block","id":"296dc9c5-3059-80b9-9343-e0e182f3c6d4","parent":{"type":"block_id","block_id":"296dc9c5-3059-8014-a0a1-c77340bc1fa2"},"created_time":"2025-10-24T14:59:00.000Z","last_edited_time":"2025-10-24T14:59:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"quote","quote":{"rich_text":[{"type":"text","text":{"content":"Note","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Note","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"296dc9c5-3059-801b-82b8-caea3492ae33","parent":{"type":"block_id","block_id":"296dc9c5-3059-80b9-9343-e0e182f3c6d4"},"created_time":"2025-10-24T14:59:00.000Z","last_edited_time":"2025-10-24T15:00:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Internet Explorer will allow this access cause it doesn’t take account of the port number when applying the same-origin policy.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Internet Explorer will allow this access cause it doesn’t take account of the port number when applying the same-origin policy.","href":null}],"icon":null,"color":"default"},"archived":false}]}]},{"object":"block","id":"296dc9c5-3059-801a-9998-dfeb4e99edc4","parent":{"type":"page_id","page_id":"296dc9c5-3059-80d7-b583-d0501378040b"},"created_time":"2025-10-24T11:48:00.000Z","last_edited_time":"2025-10-24T15:10:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"toggle","toggle":{"rich_text":[{"type":"text","text":{"content":"Why is it necessary?","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Why is it necessary?","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"296dc9c5-3059-8049-a6e2-cd7fc7cba31d","parent":{"type":"block_id","block_id":"296dc9c5-3059-801a-9998-dfeb4e99edc4"},"created_time":"2025-10-24T15:10:00.000Z","last_edited_time":"2025-10-24T15:10:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"When a browser sends an HTTP request from one origin to another, any cookies, including authentication session cookies, relevant to the other domain are also sent as part of the request. This means that the response will be generated within the user's session, and include any relevant data that is specific to the user. ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"When a browser sends an HTTP request from one origin to another, any cookies, including authentication session cookies, relevant to the other domain are also sent as part of the request. This means that the response will be generated within the user's session, and include any relevant data that is specific to the user. ","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"296dc9c5-3059-80f6-a025-cfaf6bac64bf","parent":{"type":"block_id","block_id":"296dc9c5-3059-801a-9998-dfeb4e99edc4"},"created_time":"2025-10-24T15:10:00.000Z","last_edited_time":"2025-10-24T15:10:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Without the same-origin policy, if you visited a malicious website, it would be able to read your emails from GMail, private messages from Facebook, etc.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Without the same-origin policy, if you visited a malicious website, it would be able to read your emails from GMail, private messages from Facebook, etc.","href":null}],"icon":null,"color":"default"},"archived":false}]},{"object":"block","id":"296dc9c5-3059-8014-a805-db1476aee88c","parent":{"type":"page_id","page_id":"296dc9c5-3059-80d7-b583-d0501378040b"},"created_time":"2025-10-24T11:53:00.000Z","last_edited_time":"2025-10-24T15:52:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"toggle","toggle":{"rich_text":[{"type":"text","text":{"content":"How is the same-origin policy implemented?","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"How is the same-origin policy implemented?","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"296dc9c5-3059-806c-a748-cc6fda1667b7","parent":{"type":"block_id","block_id":"296dc9c5-3059-8014-a805-db1476aee88c"},"created_time":"2025-10-24T15:36:00.000Z","last_edited_time":"2025-10-24T15:36:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"heading_3","heading_3":{"rich_text":[{"type":"text","text":{"content":"The Default Rule: Block Cross-Origin Reading","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"The Default Rule: Block Cross-Origin Reading","href":null}],"is_toggleable":false,"color":"default"},"archived":false},{"object":"block","id":"296dc9c5-3059-807f-aeec-f5cbeabda5cf","parent":{"type":"block_id","block_id":"296dc9c5-3059-8014-a805-db1476aee88c"},"created_time":"2025-10-24T15:36:00.000Z","last_edited_time":"2025-10-24T15:36:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"The browser's JavaScript engine is built to enforce SOP by default. When a script from ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"The browser's JavaScript engine is built to enforce SOP by default. When a script from ","href":null},{"type":"text","text":{"content":"https://example.com","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"https://example.com","href":null},{"type":"text","text":{"content":" tries to use ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" tries to use ","href":null},{"type":"text","text":{"content":"XMLHttpRequest","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"XMLHttpRequest","href":null},{"type":"text","text":{"content":" or the Fetch API to call ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" or the Fetch API to call ","href":null},{"type":"text","text":{"content":"https://anotherdomain.com","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"https://anotherdomain.com","href":null},{"type":"text","text":{"content":", the browser will block the request and throw a security error. The script cannot read the response.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":", the browser will block the request and throw a security error. The script cannot read the response.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"296dc9c5-3059-80ee-a238-c766f227cf8b","parent":{"type":"block_id","block_id":"296dc9c5-3059-8014-a805-db1476aee88c"},"created_time":"2025-10-24T15:20:00.000Z","last_edited_time":"2025-10-24T15:49:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"heading_3","heading_3":{"rich_text":[{"type":"text","text":{"content":"Allowed Cross-Origin Embedding","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Allowed Cross-Origin Embedding","href":null}],"is_toggleable":false,"color":"default"},"archived":false},{"object":"block","id":"296dc9c5-3059-8088-aa75-da688e86c0bf","parent":{"type":"block_id","block_id":"296dc9c5-3059-8014-a805-db1476aee88c"},"created_time":"2025-10-24T15:44:00.000Z","last_edited_time":"2025-10-24T15:54:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"SOP is not about preventing loads, but about preventing reading. The browser allows embedding resources from different origins using tags like:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"SOP is not about preventing loads, but about preventing reading. The browser allows embedding resources from different origins using tags like:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"296dc9c5-3059-8033-ad75-dd58a17c19a0","parent":{"type":"block_id","block_id":"296dc9c5-3059-8014-a805-db1476aee88c"},"created_time":"2025-10-24T15:44:00.000Z","last_edited_time":"2025-10-24T15:46:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"

","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"

","href":null}],"color":"default"},"archived":false},{"object":"block","id":"296dc9c5-3059-8079-82b4-c3e8ebbcbd51","parent":{"type":"block_id","block_id":"296dc9c5-3059-8014-a805-db1476aee88c"},"created_time":"2025-10-24T15:44:00.000Z","last_edited_time":"2025-10-24T15:46:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"\">","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"","href":null}],"language":"html"},"archived":false},{"object":"block","id":"297dc9c5-3059-808d-8913-d894c2040235","parent":{"type":"block_id","block_id":"297dc9c5-3059-80f3-a88d-e6b0c46f95a8"},"created_time":"2025-10-25T12:27:00.000Z","last_edited_time":"2025-10-25T12:27:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"This technique abuses a ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"This technique abuses a ","href":null},{"type":"text","text":{"content":"null","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"null","href":null},{"type":"text","text":{"content":" whitelist to exfiltrate data.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" whitelist to exfiltrate data.","href":null}],"icon":null,"color":"default"},"archived":false}]},{"object":"block","id":"297dc9c5-3059-80cf-a25c-f81993623c44","parent":{"type":"page_id","page_id":"296dc9c5-3059-80d7-b583-d0501378040b"},"created_time":"2025-10-25T12:28:00.000Z","last_edited_time":"2025-10-25T12:29:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"toggle","toggle":{"rich_text":[{"type":"text","text":{"content":"Exploiting XSS via CORS trust relationships","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Exploiting XSS via CORS trust relationships","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"297dc9c5-3059-8004-850f-c0fa3a5b6e6f","parent":{"type":"block_id","block_id":"297dc9c5-3059-80cf-a25c-f81993623c44"},"created_time":"2025-10-25T12:29:00.000Z","last_edited_time":"2025-10-25T12:29:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"When one origin trusts another via CORS, that creates a trust relationship. If the trusted origin has an XSS bug, an attacker can inject JavaScript there that uses CORS to read sensitive data from the trusting site.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"When one origin trusts another via CORS, that creates a trust relationship. If the trusted origin has an XSS bug, an attacker can inject JavaScript there that uses CORS to read sensitive data from the trusting site.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"297dc9c5-3059-801e-9608-e67c7f0d3a72","parent":{"type":"block_id","block_id":"297dc9c5-3059-80cf-a25c-f81993623c44"},"created_time":"2025-10-25T12:29:00.000Z","last_edited_time":"2025-10-25T12:29:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Example request from the trusted origin:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Example request from the trusted origin:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"297dc9c5-3059-80e6-b6b1-ec15a4642584","parent":{"type":"block_id","block_id":"297dc9c5-3059-80cf-a25c-f81993623c44"},"created_time":"2025-10-25T12:29:00.000Z","last_edited_time":"2025-10-25T12:31:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"GET /api/requestApiKey HTTP/1.1\nHost: vulnerable-website.com\nOrigin: https://subdomain.vulnerable-website.com\nCookie: sessionid=...","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"GET /api/requestApiKey HTTP/1.1\nHost: vulnerable-website.com\nOrigin: https://subdomain.vulnerable-website.com\nCookie: sessionid=...","href":null}],"language":"makefile"},"archived":false},{"object":"block","id":"297dc9c5-3059-8004-82cc-c723159f56b8","parent":{"type":"block_id","block_id":"297dc9c5-3059-80cf-a25c-f81993623c44"},"created_time":"2025-10-25T12:29:00.000Z","last_edited_time":"2025-10-25T12:29:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"If the server replies:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"If the server replies:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"297dc9c5-3059-8061-89c0-e619990cab41","parent":{"type":"block_id","block_id":"297dc9c5-3059-80cf-a25c-f81993623c44"},"created_time":"2025-10-25T12:29:00.000Z","last_edited_time":"2025-10-25T12:30:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"HTTP/1.1 200 OK\nAccess-Control-Allow-Origin: https://subdomain.vulnerable-website.com\nAccess-Control-Allow-Credentials: true","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"HTTP/1.1 200 OK\nAccess-Control-Allow-Origin: https://subdomain.vulnerable-website.com\nAccess-Control-Allow-Credentials: true","href":null}],"language":"yaml"},"archived":false},{"object":"block","id":"297dc9c5-3059-80a6-b38f-c75aef1a5591","parent":{"type":"block_id","block_id":"297dc9c5-3059-80cf-a25c-f81993623c44"},"created_time":"2025-10-25T12:29:00.000Z","last_edited_time":"2025-10-25T12:29:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Then an attacker who finds XSS on ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Then an attacker who finds XSS on ","href":null},{"type":"text","text":{"content":"subdomain.vulnerable-website.com","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"subdomain.vulnerable-website.com","href":null},{"type":"text","text":{"content":" can run injected JS that makes the above request (with credentials) and reads the API key, for example by visiting:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" can run injected JS that makes the above request (with credentials) and reads the API key, for example by visiting:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"297dc9c5-3059-80cd-983b-df5f927dafb5","parent":{"type":"block_id","block_id":"297dc9c5-3059-80cf-a25c-f81993623c44"},"created_time":"2025-10-25T12:29:00.000Z","last_edited_time":"2025-10-25T12:30:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"https://subdomain.vulnerable-website.com/?xss=","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"https://subdomain.vulnerable-website.com/?xss=","href":null}],"language":"php"},"archived":false}]},{"object":"block","id":"297dc9c5-3059-80d0-b4b1-efc51d37ee8a","parent":{"type":"page_id","page_id":"296dc9c5-3059-80d7-b583-d0501378040b"},"created_time":"2025-10-25T17:38:00.000Z","last_edited_time":"2025-10-25T20:40:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"toggle","toggle":{"rich_text":[{"type":"text","text":{"content":"Breaking TLS with poorly configured CORS","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Breaking TLS with poorly configured CORS","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"297dc9c5-3059-8014-aaa0-c977cfb91722","parent":{"type":"block_id","block_id":"297dc9c5-3059-80d0-b4b1-efc51d37ee8a"},"created_time":"2025-10-25T17:40:00.000Z","last_edited_time":"2025-10-25T17:40:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"If a site enforces HTTPS but whitelists a trusted subdomain that uses plain HTTP, an attacker who can intercept traffic can abuse that CORS setup to steal data.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"If a site enforces HTTPS but whitelists a trusted subdomain that uses plain HTTP, an attacker who can intercept traffic can abuse that CORS setup to steal data.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"297dc9c5-3059-8070-9470-f0c96288cbb8","parent":{"type":"block_id","block_id":"297dc9c5-3059-80d0-b4b1-efc51d37ee8a"},"created_time":"2025-10-25T17:40:00.000Z","last_edited_time":"2025-10-25T17:41:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"GET /api/requestApiKey HTTP/1.1\nHost: vulnerable-website.com\nOrigin: http://trusted-subdomain.vulnerable-website.com\nCookie: sessionid=...","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"GET /api/requestApiKey HTTP/1.1\nHost: vulnerable-website.com\nOrigin: http://trusted-subdomain.vulnerable-website.com\nCookie: sessionid=...","href":null}],"language":"yaml"},"archived":false},{"object":"block","id":"297dc9c5-3059-8008-b86a-e474744cab11","parent":{"type":"block_id","block_id":"297dc9c5-3059-80d0-b4b1-efc51d37ee8a"},"created_time":"2025-10-25T17:40:00.000Z","last_edited_time":"2025-10-25T17:41:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"HTTP/1.1 200 OK\nAccess-Control-Allow-Origin: http://trusted-subdomain.vulnerable-website.com\nAccess-Control-Allow-Credentials: true","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"HTTP/1.1 200 OK\nAccess-Control-Allow-Origin: http://trusted-subdomain.vulnerable-website.com\nAccess-Control-Allow-Credentials: true","href":null}],"language":"yaml"},"archived":false},{"object":"block","id":"297dc9c5-3059-803f-8866-feb261c83946","parent":{"type":"block_id","block_id":"297dc9c5-3059-80d0-b4b1-efc51d37ee8a"},"created_time":"2025-10-25T17:40:00.000Z","last_edited_time":"2025-10-25T17:46:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"The attack flow:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"The attack flow:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"297dc9c5-3059-800b-97e6-d7edd4b557d0","parent":{"type":"block_id","block_id":"297dc9c5-3059-80d0-b4b1-efc51d37ee8a"},"created_time":"2025-10-25T20:40:00.000Z","last_edited_time":"2025-10-25T20:40:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Step 1: The Victim Makes an Initial HTTP Request","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Step 1: The Victim Makes an Initial HTTP Request","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"297dc9c5-3059-8044-83aa-f7a86a5b6adf","parent":{"type":"block_id","block_id":"297dc9c5-3059-80d0-b4b1-efc51d37ee8a"},"created_time":"2025-10-25T20:40:00.000Z","last_edited_time":"2025-10-25T20:40:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"This could be anything: trying to visit any HTTP website, a poorly configured app, or even a network-level request. The critical point is that the victim's traffic is going over an insecure channel (e.g., a public Wi-Fi) where an attacker can listen and modify traffic.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"This could be anything: trying to visit any HTTP website, a poorly configured app, or even a network-level request. The critical point is that the victim's traffic is going over an insecure channel (e.g., a public Wi-Fi) where an attacker can listen and modify traffic.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"297dc9c5-3059-80cb-8b8f-c7a510dc1cae","parent":{"type":"block_id","block_id":"297dc9c5-3059-80d0-b4b1-efc51d37ee8a"},"created_time":"2025-10-25T20:40:00.000Z","last_edited_time":"2025-10-25T20:40:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Step 2: Attacker Injects a Redirect","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Step 2: Attacker Injects a Redirect","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"297dc9c5-3059-80c3-8fc9-fe07a0fa3114","parent":{"type":"block_id","block_id":"297dc9c5-3059-80d0-b4b1-efc51d37ee8a"},"created_time":"2025-10-25T20:40:00.000Z","last_edited_time":"2025-10-25T20:40:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"The attacker, who is intercepting the traffic (MitM), sees this initial plain HTTP request. They modify the response, injecting a redirect (e.g., an HTTP 302 status code or a meta refresh tag) pointing to ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"The attacker, who is intercepting the traffic (MitM), sees this initial plain HTTP request. They modify the response, injecting a redirect (e.g., an HTTP 302 status code or a meta refresh tag) pointing to ","href":null},{"type":"text","text":{"content":"http://trusted-subdomain.vulnerable-website.com","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"http://trusted-subdomain.vulnerable-website.com","href":null},{"type":"text","text":{"content":". The browser automatically follows this redirect.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":". The browser automatically follows this redirect.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"297dc9c5-3059-801b-9cb9-f376fc1b2551","parent":{"type":"block_id","block_id":"297dc9c5-3059-80d0-b4b1-efc51d37ee8a"},"created_time":"2025-10-25T20:40:00.000Z","last_edited_time":"2025-10-25T20:40:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Step 3 & 4: Attacker Serves a Spoofed Page from the Trusted Subdomain","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Step 3 & 4: Attacker Serves a Spoofed Page from the Trusted Subdomain","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"297dc9c5-3059-80fc-92a5-e3fc891cad7c","parent":{"type":"block_id","block_id":"297dc9c5-3059-80d0-b4b1-efc51d37ee8a"},"created_time":"2025-10-25T20:40:00.000Z","last_edited_time":"2025-10-25T20:40:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"The victim's browser now tries to load the insecure subdomain. The attacker intercepts ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"The victim's browser now tries to load the insecure subdomain. The attacker intercepts ","href":null},{"type":"text","text":{"content":"this request as well","link":null},"annotations":{"bold":false,"italic":true,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"this request as well","href":null},{"type":"text","text":{"content":". Instead of allowing it to reach the real subdomain, the attacker responds with their own maliciously crafted HTML/JavaScript page. This spoofed page contains code that makes a cross-origin request to the ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":". Instead of allowing it to reach the real subdomain, the attacker responds with their own maliciously crafted HTML/JavaScript page. This spoofed page contains code that makes a cross-origin request to the ","href":null},{"type":"text","text":{"content":"main, secure website","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"main, secure website","href":null},{"type":"text","text":{"content":" (","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" (","href":null},{"type":"text","text":{"content":"https://vulnerable-website.com/api/requestApiKey","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"https://vulnerable-website.com/api/requestApiKey","href":null},{"type":"text","text":{"content":").","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":").","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"297dc9c5-3059-80ea-87f5-d5603085143d","parent":{"type":"block_id","block_id":"297dc9c5-3059-80d0-b4b1-efc51d37ee8a"},"created_time":"2025-10-25T20:40:00.000Z","last_edited_time":"2025-10-25T20:40:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Step 5: The Browser Makes the CORS Request","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Step 5: The Browser Makes the CORS Request","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"297dc9c5-3059-8033-8a41-ccf8eaa64cc4","parent":{"type":"block_id","block_id":"297dc9c5-3059-80d0-b4b1-efc51d37ee8a"},"created_time":"2025-10-25T20:40:00.000Z","last_edited_time":"2025-10-25T20:40:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"The victim's browser loads the attacker's spoofed page and executes the JavaScript. It makes a request to ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"The victim's browser loads the attacker's spoofed page and executes the JavaScript. It makes a request to ","href":null},{"type":"text","text":{"content":"https://vulnerable-website.com","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"https://vulnerable-website.com","href":null},{"type":"text","text":{"content":". Because this is a cross-origin request, the browser automatically adds an ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":". Because this is a cross-origin request, the browser automatically adds an ","href":null},{"type":"text","text":{"content":"Origin","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"Origin","href":null},{"type":"text","text":{"content":" header with the value ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" header with the value ","href":null},{"type":"text","text":{"content":"http://trusted-subdomain.vulnerable-website.com","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"http://trusted-subdomain.vulnerable-website.com","href":null},{"type":"text","text":{"content":".","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":".","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"297dc9c5-3059-8019-93db-da9e0ed2935d","parent":{"type":"block_id","block_id":"297dc9c5-3059-80d0-b4b1-efc51d37ee8a"},"created_time":"2025-10-25T20:40:00.000Z","last_edited_time":"2025-10-25T20:40:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Important:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Important:","href":null},{"type":"text","text":{"content":" The browser is making a secure (HTTPS) request to the main site, and it includes the user's cookies (marked as ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" The browser is making a secure (HTTPS) request to the main site, and it includes the user's cookies (marked as ","href":null},{"type":"text","text":{"content":"Secure","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"Secure","href":null},{"type":"text","text":{"content":") automatically.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":") automatically.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"297dc9c5-3059-809f-850a-d42ece2267c2","parent":{"type":"block_id","block_id":"297dc9c5-3059-80d0-b4b1-efc51d37ee8a"},"created_time":"2025-10-25T20:40:00.000Z","last_edited_time":"2025-10-25T20:40:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Step 6: The Main Website Approves the Request","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Step 6: The Main Website Approves the Request","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"297dc9c5-3059-8069-b5f1-d355ef2820cd","parent":{"type":"block_id","block_id":"297dc9c5-3059-80d0-b4b1-efc51d37ee8a"},"created_time":"2025-10-25T20:40:00.000Z","last_edited_time":"2025-10-25T20:40:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"The main website (","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"The main website (","href":null},{"type":"text","text":{"content":"https://vulnerable-website.com","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"https://vulnerable-website.com","href":null},{"type":"text","text":{"content":") receives the request.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":") receives the request.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"297dc9c5-3059-8049-b49b-de24ff793206","parent":{"type":"block_id","block_id":"297dc9c5-3059-80d0-b4b1-efc51d37ee8a"},"created_time":"2025-10-25T20:40:00.000Z","last_edited_time":"2025-10-25T20:40:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"It checks the ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"It checks the ","href":null},{"type":"text","text":{"content":"Origin","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"Origin","href":null},{"type":"text","text":{"content":" header.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" header.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"297dc9c5-3059-8041-bea3-d176bb57746e","parent":{"type":"block_id","block_id":"297dc9c5-3059-80d0-b4b1-efc51d37ee8a"},"created_time":"2025-10-25T20:40:00.000Z","last_edited_time":"2025-10-25T20:40:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"It sees ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"It sees ","href":null},{"type":"text","text":{"content":"http://trusted-subdomain.vulnerable-website.com","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"http://trusted-subdomain.vulnerable-website.com","href":null},{"type":"text","text":{"content":".","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":".","href":null}],"color":"default"},"archived":false},{"object":"block","id":"297dc9c5-3059-8036-80ae-e69ea1c149b9","parent":{"type":"block_id","block_id":"297dc9c5-3059-80d0-b4b1-efc51d37ee8a"},"created_time":"2025-10-25T20:40:00.000Z","last_edited_time":"2025-10-25T20:40:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Its CORS policy explicitly whitelists this origin.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Its CORS policy explicitly whitelists this origin.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"297dc9c5-3059-80ba-a488-ef6420964478","parent":{"type":"block_id","block_id":"297dc9c5-3059-80d0-b4b1-efc51d37ee8a"},"created_time":"2025-10-25T20:40:00.000Z","last_edited_time":"2025-10-25T20:40:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Therefore, it responds with ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Therefore, it responds with ","href":null},{"type":"text","text":{"content":"Access-Control-Allow-Origin: http://trusted-subdomain.vulnerable-website.com","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"Access-Control-Allow-Origin: http://trusted-subdomain.vulnerable-website.com","href":null},{"type":"text","text":{"content":" and ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" and ","href":null},{"type":"text","text":{"content":"Access-Control-Allow-Credentials: true","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"Access-Control-Allow-Credentials: true","href":null},{"type":"text","text":{"content":".","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":".","href":null}],"color":"default"},"archived":false},{"object":"block","id":"297dc9c5-3059-80c4-a476-dbd566cf0894","parent":{"type":"block_id","block_id":"297dc9c5-3059-80d0-b4b1-efc51d37ee8a"},"created_time":"2025-10-25T20:40:00.000Z","last_edited_time":"2025-10-25T20:40:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"It also includes the sensitive data (e.g., the user's API key) in the response body.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"It also includes the sensitive data (e.g., the user's API key) in the response body.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"297dc9c5-3059-8023-a7ab-d13e87f79916","parent":{"type":"block_id","block_id":"297dc9c5-3059-80d0-b4b1-efc51d37ee8a"},"created_time":"2025-10-25T20:40:00.000Z","last_edited_time":"2025-10-25T20:40:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Step 7: The Attacker Steals the Data","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Step 7: The Attacker Steals the Data","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"297dc9c5-3059-80b7-a484-cf92a795336a","parent":{"type":"block_id","block_id":"297dc9c5-3059-80d0-b4b1-efc51d37ee8a"},"created_time":"2025-10-25T20:40:00.000Z","last_edited_time":"2025-10-25T20:40:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Because the main website responded with the correct ACAO header, the browser's SOP/CORS check passes. It allows the attacker's spoofed page (which came from ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Because the main website responded with the correct ACAO header, the browser's SOP/CORS check passes. It allows the attacker's spoofed page (which came from ","href":null},{"type":"text","text":{"content":"http://trusted-subdomain.vulnerable-website.com","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"http://trusted-subdomain.vulnerable-website.com","href":null},{"type":"text","text":{"content":") to read the full, sensitive response from ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":") to read the full, sensitive response from ","href":null},{"type":"text","text":{"content":"https://vulnerable-website.com","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"https://vulnerable-website.com","href":null},{"type":"text","text":{"content":". The malicious JavaScript in the spoofed page can now read this data and send it off to a server controlled by the attacker.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":". The malicious JavaScript in the spoofed page can now read this data and send it off to a server controlled by the attacker.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"297dc9c5-3059-8054-aeab-fb527fe9358b","parent":{"type":"block_id","block_id":"297dc9c5-3059-80d0-b4b1-efc51d37ee8a"},"created_time":"2025-10-25T17:40:00.000Z","last_edited_time":"2025-10-25T17:40:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"This works even if the main site otherwise uses HTTPS and marks cookies as Secure, because the attacker exploited the trusted HTTP origin in the CORS policy.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"This works even if the main site otherwise uses HTTPS and marks cookies as Secure, because the attacker exploited the trusted HTTP origin in the CORS policy.","href":null}],"icon":null,"color":"default"},"archived":false}]},{"object":"block","id":"297dc9c5-3059-8036-8158-c1f54c7b7494","parent":{"type":"page_id","page_id":"296dc9c5-3059-80d7-b583-d0501378040b"},"created_time":"2025-10-25T17:48:00.000Z","last_edited_time":"2025-10-25T17:49:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"toggle","toggle":{"rich_text":[{"type":"text","text":{"content":"Intranets and CORS without credentials","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Intranets and CORS without credentials","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"297dc9c5-3059-805c-a461-edb46edfce68","parent":{"type":"block_id","block_id":"297dc9c5-3059-8036-8158-c1f54c7b7494"},"created_time":"2025-10-25T17:49:00.000Z","last_edited_time":"2025-10-25T17:49:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Most CORS attacks need the header ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Most CORS attacks need the header ","href":null},{"type":"text","text":{"content":"Access-Control-Allow-Credentials: true","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"Access-Control-Allow-Credentials: true","href":null},{"type":"text","text":{"content":". Without it, the browser won't send the victim’s cookies, so an attacker can only read public, unauthenticated data — which they could open directly anyway.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":". Without it, the browser won't send the victim’s cookies, so an attacker can only read public, unauthenticated data — which they could open directly anyway.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"297dc9c5-3059-802e-adda-c812c6123cb3","parent":{"type":"block_id","block_id":"297dc9c5-3059-8036-8158-c1f54c7b7494"},"created_time":"2025-10-25T17:49:00.000Z","last_edited_time":"2025-10-25T17:49:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"But there’s an exception for intranet sites on private IP ranges. Those internal sites are often less hardened and not directly reachable from the internet. A public site can still make cross-origin requests from a user’s browser to those internal resources, even without credentials:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"But there’s an exception for intranet sites on private IP ranges. Those internal sites are often less hardened and not directly reachable from the internet. A public site can still make cross-origin requests from a user’s browser to those internal resources, even without credentials:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"297dc9c5-3059-8014-b12b-f6f4afd5c295","parent":{"type":"block_id","block_id":"297dc9c5-3059-8036-8158-c1f54c7b7494"},"created_time":"2025-10-25T17:49:00.000Z","last_edited_time":"2025-10-25T17:49:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"GET /reader?url=doc1.pdf\nHost: intranet.normal-website.com\nOrigin: https://normal-website.com","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"GET /reader?url=doc1.pdf\nHost: intranet.normal-website.com\nOrigin: https://normal-website.com","href":null}],"language":"yaml"},"archived":false},{"object":"block","id":"297dc9c5-3059-808e-8b10-faa8470a34d8","parent":{"type":"block_id","block_id":"297dc9c5-3059-8036-8158-c1f54c7b7494"},"created_time":"2025-10-25T17:49:00.000Z","last_edited_time":"2025-10-25T17:49:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"If the intranet server replies permissively:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"If the intranet server replies permissively:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"297dc9c5-3059-80fc-bd32-c94ff1c5beed","parent":{"type":"block_id","block_id":"297dc9c5-3059-8036-8158-c1f54c7b7494"},"created_time":"2025-10-25T17:49:00.000Z","last_edited_time":"2025-10-25T17:49:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"HTTP/1.1 200 OK\nAccess-Control-Allow-Origin: *","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"HTTP/1.1 200 OK\nAccess-Control-Allow-Origin: *","href":null}],"language":"yaml"},"archived":false},{"object":"block","id":"297dc9c5-3059-802f-8e9f-dff8f5baff80","parent":{"type":"block_id","block_id":"297dc9c5-3059-8036-8158-c1f54c7b7494"},"created_time":"2025-10-25T17:49:00.000Z","last_edited_time":"2025-10-25T17:49:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"then any external page visited by an internal user can cause the browser to fetch intranet resources and expose their contents to the attacker — effectively using the user’s browser as a proxy to access internal-only sites.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"then any external page visited by an internal user can cause the browser to fetch intranet resources and expose their contents to the attacker — effectively using the user’s browser as a proxy to access internal-only sites.","href":null}],"icon":null,"color":"default"},"archived":false}]},{"object":"block","id":"297dc9c5-3059-8012-aeb8-e08a42f27d0a","parent":{"type":"page_id","page_id":"296dc9c5-3059-80d7-b583-d0501378040b"},"created_time":"2025-10-25T12:34:00.000Z","last_edited_time":"2025-10-25T12:34:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"divider","divider":{},"archived":false},{"object":"block","id":"297dc9c5-3059-801d-9014-fceee63317be","parent":{"type":"page_id","page_id":"296dc9c5-3059-80d7-b583-d0501378040b"},"created_time":"2025-10-25T12:34:00.000Z","last_edited_time":"2025-10-25T12:35:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"toggle","toggle":{"rich_text":[{"type":"text","text":{"content":"Preventing","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Preventing","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"297dc9c5-3059-80c9-a574-e1ab1506ef83","parent":{"type":"block_id","block_id":"297dc9c5-3059-801d-9014-fceee63317be"},"created_time":"2025-10-25T12:35:00.000Z","last_edited_time":"2025-10-25T12:35:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"CORS attacks usually happen because of ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"CORS attacks usually happen because of ","href":null},{"type":"text","text":{"content":"misconfigurations","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"misconfigurations","href":null},{"type":"text","text":{"content":", so prevention is about setting it up correctly.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":", so prevention is about setting it up correctly.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"297dc9c5-3059-803e-b859-db41f70854ef","parent":{"type":"block_id","block_id":"297dc9c5-3059-801d-9014-fceee63317be"},"created_time":"2025-10-25T12:35:00.000Z","last_edited_time":"2025-10-25T12:35:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"divider","divider":{},"archived":false},{"object":"block","id":"297dc9c5-3059-8089-bda7-e3fe9d7708c6","parent":{"type":"block_id","block_id":"297dc9c5-3059-801d-9014-fceee63317be"},"created_time":"2025-10-25T12:35:00.000Z","last_edited_time":"2025-10-25T12:35:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"heading_3","heading_3":{"rich_text":[{"type":"text","text":{"content":"1. Proper configuration of cross-origin requests","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"1. Proper configuration of cross-origin requests","href":null}],"is_toggleable":false,"color":"default"},"archived":false},{"object":"block","id":"297dc9c5-3059-8005-a0ce-ea06ec91ba9b","parent":{"type":"block_id","block_id":"297dc9c5-3059-801d-9014-fceee63317be"},"created_time":"2025-10-25T12:35:00.000Z","last_edited_time":"2025-10-25T12:35:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"If a resource contains sensitive data, make sure the ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"If a resource contains sensitive data, make sure the ","href":null},{"type":"text","text":{"content":"Access-Control-Allow-Origin","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"Access-Control-Allow-Origin","href":null},{"type":"text","text":{"content":" header ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" header ","href":null},{"type":"text","text":{"content":"explicitly specifies","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"explicitly specifies","href":null},{"type":"text","text":{"content":" the trusted origin — don’t leave it open or dynamic.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" the trusted origin — don’t leave it open or dynamic.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"297dc9c5-3059-8060-ba41-d9f9129524a3","parent":{"type":"block_id","block_id":"297dc9c5-3059-801d-9014-fceee63317be"},"created_time":"2025-10-25T12:35:00.000Z","last_edited_time":"2025-10-25T12:35:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"divider","divider":{},"archived":false},{"object":"block","id":"297dc9c5-3059-80a1-a15f-cb2c164fa36d","parent":{"type":"block_id","block_id":"297dc9c5-3059-801d-9014-fceee63317be"},"created_time":"2025-10-25T12:35:00.000Z","last_edited_time":"2025-10-25T12:35:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"heading_3","heading_3":{"rich_text":[{"type":"text","text":{"content":"2. Only allow trusted sites","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"2. Only allow trusted sites","href":null}],"is_toggleable":false,"color":"default"},"archived":false},{"object":"block","id":"297dc9c5-3059-80f1-a88c-f4886dbe4e22","parent":{"type":"block_id","block_id":"297dc9c5-3059-801d-9014-fceee63317be"},"created_time":"2025-10-25T12:35:00.000Z","last_edited_time":"2025-10-25T12:35:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Allow only ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Allow only ","href":null},{"type":"text","text":{"content":"known, trusted origins","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"known, trusted origins","href":null},{"type":"text","text":{"content":" in the ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" in the ","href":null},{"type":"text","text":{"content":"Access-Control-Allow-Origin","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"Access-Control-Allow-Origin","href":null},{"type":"text","text":{"content":" header.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" header.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"297dc9c5-3059-80d2-a37a-ecab559e9fa3","parent":{"type":"block_id","block_id":"297dc9c5-3059-801d-9014-fceee63317be"},"created_time":"2025-10-25T12:35:00.000Z","last_edited_time":"2025-10-25T12:35:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"⚠️ Never reflect the Origin header from incoming requests — this can be exploited easily.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"⚠️ Never reflect the Origin header from incoming requests — this can be exploited easily.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"297dc9c5-3059-8014-aa49-cd6498f5cc6b","parent":{"type":"block_id","block_id":"297dc9c5-3059-801d-9014-fceee63317be"},"created_time":"2025-10-25T12:35:00.000Z","last_edited_time":"2025-10-25T12:35:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"divider","divider":{},"archived":false},{"object":"block","id":"297dc9c5-3059-80ac-960f-e76ce16e204b","parent":{"type":"block_id","block_id":"297dc9c5-3059-801d-9014-fceee63317be"},"created_time":"2025-10-25T12:35:00.000Z","last_edited_time":"2025-10-25T12:35:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"heading_3","heading_3":{"rich_text":[{"type":"text","text":{"content":"3. Avoid whitelisting ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"3. Avoid whitelisting ","href":null},{"type":"text","text":{"content":"null","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"null","href":null}],"is_toggleable":false,"color":"default"},"archived":false},{"object":"block","id":"297dc9c5-3059-8023-b650-f51537986784","parent":{"type":"block_id","block_id":"297dc9c5-3059-801d-9014-fceee63317be"},"created_time":"2025-10-25T12:35:00.000Z","last_edited_time":"2025-10-25T12:35:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Don’t use ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Don’t use ","href":null},{"type":"text","text":{"content":"Access-Control-Allow-Origin: null","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"Access-Control-Allow-Origin: null","href":null},{"type":"text","text":{"content":".","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":".","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"297dc9c5-3059-80a1-8cb0-e63264ffaba3","parent":{"type":"block_id","block_id":"297dc9c5-3059-801d-9014-fceee63317be"},"created_time":"2025-10-25T12:35:00.000Z","last_edited_time":"2025-10-25T12:35:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Browsers can send ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Browsers can send ","href":null},{"type":"text","text":{"content":"null","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"null","href":null},{"type":"text","text":{"content":" for sandboxed or local file requests, which attackers can abuse.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" for sandboxed or local file requests, which attackers can abuse.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"297dc9c5-3059-80f5-b4d6-e02980962529","parent":{"type":"block_id","block_id":"297dc9c5-3059-801d-9014-fceee63317be"},"created_time":"2025-10-25T12:35:00.000Z","last_edited_time":"2025-10-25T12:35:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"divider","divider":{},"archived":false},{"object":"block","id":"297dc9c5-3059-8076-8f50-d28a928e3686","parent":{"type":"block_id","block_id":"297dc9c5-3059-801d-9014-fceee63317be"},"created_time":"2025-10-25T12:35:00.000Z","last_edited_time":"2025-10-25T12:35:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"heading_3","heading_3":{"rich_text":[{"type":"text","text":{"content":"4. Avoid wildcards on internal networks","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"4. Avoid wildcards on internal networks","href":null}],"is_toggleable":false,"color":"default"},"archived":false},{"object":"block","id":"297dc9c5-3059-804a-a3e8-fad2051f21cd","parent":{"type":"block_id","block_id":"297dc9c5-3059-801d-9014-fceee63317be"},"created_time":"2025-10-25T12:35:00.000Z","last_edited_time":"2025-10-25T12:35:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Don’t use ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Don’t use ","href":null},{"type":"text","text":{"content":"Access-Control-Allow-Origin: *","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"Access-Control-Allow-Origin: *","href":null},{"type":"text","text":{"content":" for internal or private servers.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" for internal or private servers.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"297dc9c5-3059-808e-8fcd-f29e773d3be0","parent":{"type":"block_id","block_id":"297dc9c5-3059-801d-9014-fceee63317be"},"created_time":"2025-10-25T12:35:00.000Z","last_edited_time":"2025-10-25T12:35:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Internal browsers can still access external, malicious sites that might exploit this.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Internal browsers can still access external, malicious sites that might exploit this.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"297dc9c5-3059-80c5-9aa8-f1b0f86b2e2a","parent":{"type":"block_id","block_id":"297dc9c5-3059-801d-9014-fceee63317be"},"created_time":"2025-10-25T12:35:00.000Z","last_edited_time":"2025-10-25T12:35:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"divider","divider":{},"archived":false},{"object":"block","id":"297dc9c5-3059-804f-914e-e357e60c1d3e","parent":{"type":"block_id","block_id":"297dc9c5-3059-801d-9014-fceee63317be"},"created_time":"2025-10-25T12:35:00.000Z","last_edited_time":"2025-10-25T12:35:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"heading_3","heading_3":{"rich_text":[{"type":"text","text":{"content":"5. CORS ≠ Security","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"5. CORS ≠ Security","href":null}],"is_toggleable":false,"color":"default"},"archived":false},{"object":"block","id":"297dc9c5-3059-8032-8fb9-dcf290a459b1","parent":{"type":"block_id","block_id":"297dc9c5-3059-801d-9014-fceee63317be"},"created_time":"2025-10-25T12:35:00.000Z","last_edited_time":"2025-10-25T12:35:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"CORS only controls ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"CORS only controls ","href":null},{"type":"text","text":{"content":"browser behavior","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"browser behavior","href":null},{"type":"text","text":{"content":" — it’s ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" — it’s ","href":null},{"type":"text","text":{"content":"not a security layer","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"not a security layer","href":null},{"type":"text","text":{"content":".","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":".","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"297dc9c5-3059-8042-9615-e00addcd36ac","parent":{"type":"block_id","block_id":"297dc9c5-3059-801d-9014-fceee63317be"},"created_time":"2025-10-25T12:35:00.000Z","last_edited_time":"2025-10-25T12:35:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Servers must still protect sensitive data using:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Servers must still protect sensitive data using:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"297dc9c5-3059-8094-a1ad-fc67523c7313","parent":{"type":"block_id","block_id":"297dc9c5-3059-801d-9014-fceee63317be"},"created_time":"2025-10-25T12:35:00.000Z","last_edited_time":"2025-10-25T12:35:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Authentication","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Authentication","href":null}],"color":"default"},"archived":false},{"object":"block","id":"297dc9c5-3059-806a-a684-f70662bfff54","parent":{"type":"block_id","block_id":"297dc9c5-3059-801d-9014-fceee63317be"},"created_time":"2025-10-25T12:35:00.000Z","last_edited_time":"2025-10-25T12:35:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Authorization","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Authorization","href":null}],"color":"default"},"archived":false},{"object":"block","id":"297dc9c5-3059-80a8-bfb4-d79ecc341c2d","parent":{"type":"block_id","block_id":"297dc9c5-3059-801d-9014-fceee63317be"},"created_time":"2025-10-25T12:35:00.000Z","last_edited_time":"2025-10-25T12:35:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Session management","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Session management","href":null}],"color":"default"},"archived":false},{"object":"block","id":"297dc9c5-3059-801f-85ab-d5dbb9157359","parent":{"type":"block_id","block_id":"297dc9c5-3059-801d-9014-fceee63317be"},"created_time":"2025-10-25T12:35:00.000Z","last_edited_time":"2025-10-25T12:35:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Even with CORS, attackers can send direct requests to the server if these protections are weak.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Even with CORS, attackers can send direct requests to the server if these protections are weak.","href":null}],"icon":null,"color":"default"},"archived":false}]}],"title":"Cross-origin resource sharing (CORS)"}]

Cross-origin resource sharing (CORS)

What is CORS (cross-origin resource sharing)?

Same-origin policy

What is the Same-Origin Policy?

Why is it necessary?

How is the same-origin policy implemented?

Relaxation of the Same-Origin Policy

CORS and the Access-Control-Allow-Origin response header

What is the Access-Control-Allow-Origin response header?

Implementing simple cross-origin resource sharing

Handling cross-origin resource requests with credentials

Relaxation of CORS specifications with wildcards

Pre-flight checks

Does CORS protect against CSRF?

Vulnerabilities

Server-generated ACAO header from client-specified Origin header

Errors parsing Origin headers

Whitelisted null origin value

Exploiting XSS via CORS trust relationships

Breaking TLS with poorly configured CORS

Intranets and CORS without credentials

Preventing