  • 14
    So, if I might summarize: a browser client could act as an intermediary to help a malicious server reach some destination resource R, normally accessible to only you. Normally, we consider the case where R is protected by a cookie-based auth token system, but you present a situation in which R is protected by network topology instead. The OP's imagined browser (which always assumes A-C-A-O:*) would violate network-topology-based protection.
    – apsillers
    Commented Oct 18, 2013 at 15:41
  • @apsillers Yes, that sums up my answer nicely.
    Commented Oct 18, 2013 at 15:50
  • 2
    There are also other services that use IP address ranges to restrict access (such as academic publishers which control access to content using university IP address ranges). If anonymous cross-domain requests were allowed everywhere, any web page could fetch and read that content if the client is within the range of allowed IP addresses.
    – Alf Eaton
    Commented Jul 30, 2014 at 13:19
  • 1
    You can read about Clickjacking to understand a different possibility of exploitation. :)
    Commented Dec 10, 2015 at 7:01
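To make apsillers' summary and Alf Eaton's IP-range point concrete, here is an added illustration (not code from the thread, a browser, or any real server) that models the browser-side CORS read check and a server-side origin allow-list; the origins `https://evil.example` and `https://intranet.example` are constructed for the scenario.

```python
"""Model of the CORS decision that decides whether a page can read a
cross-origin response, plus the server-side allow-list that avoids '*'.
Added illustration only; origins below are constructed examples."""
from typing import Dict, FrozenSet, Optional


def response_readable(page_origin: str, acao: Optional[str],
                      credentials: bool) -> bool:
    """Browser side: may a script on page_origin read a cross-origin
    response whose Access-Control-Allow-Origin header is `acao`?
    Follows the CORS check for a simple (non-preflighted) request."""
    if acao is None:
        return False                # no header: same-origin policy applies
    if acao == "*":
        return not credentials      # wildcard never pairs with credentials
    return acao == page_origin


def cors_headers(request_origin: Optional[str],
                 allowed: FrozenSet[str]) -> Dict[str, str]:
    """Server side: echo the Origin only when it is on the allow-list.
    Never reflect arbitrary origins and never fall back to '*', so a page
    outside the allow-list gets no read access even when the browser
    itself sits inside the IP range that reaches this resource."""
    headers = {"Vary": "Origin"}    # caches must key on Origin
    if request_origin in allowed:
        headers["Access-Control-Allow-Origin"] = request_origin
    return headers


def intranet_leak(acao_policy: Optional[str]) -> bool:
    """Scenario from the thread: a browser inside the network visits the
    attacker page and that page fetches intranet resource R. Returns True
    if the attacker page can read R under the given header value."""
    return response_readable("https://evil.example", acao_policy, False)


if __name__ == "__main__":
    allowlist = frozenset({"https://intranet.example"})
    wildcard = "*"
    restricted = cors_headers("https://evil.example", allowlist).get(
        "Access-Control-Allow-Origin")
    print("wildcard leaks R:", intranet_leak(wildcard))      # True
    print("allow-list leaks R:", intranet_leak(restricted))  # False
```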