upvote

points

by Terr_3 hours ago |
comments
upvoteby jacobgkau3 hours ago|
next
[-]
To be fair, your analogy has one flaw:

> 3. After the change, any external caller can dial a certain sequence to get a message of "Yes, this office was serviced by Adobe Janitorial!"

Theoretically, it's not "any external caller." Only the janitor's department calling in can dial that sequence and get "Yes, you serviced this office!" If anyone else tries to dial the extension, the desk-phone pretends it doesn't know what it means. (Because it seems Adobe's server serving the analytics image checks the request origin and only serves the image if the origin is Adobe's own website.)

The origin "security" doesn't excuse the complexity and the potential for both exploits and human-error breakage in the future.

reply
upvoteby gray_-_wolf2 hours ago|
parent|
[-]
> Only the janitor's department calling in can dial that sequence

Is this the case though? Cannot any website use the same trick Adobe does to check whether you have Creative Cloud installed? Like, the entries in /etc/hosts are not magically scoped to work just on Adobe's web, no?

reply
upvoteby bastawhiz2 hours ago|
parent|
[-]
I think cors can prevent that. You can't make a cross origin request from an origin that isn't allowlisted
reply
upvoteby 1515525 minutes ago|
parent|
next
[-]
Timing attack on the preflight.
reply
upvoteby inetknght41 minutes ago|
parent|
prev|
[-]
You really think a server-controlled CORS list will protect you from a client-side configuration issue?
reply
upvoteby charcircuit2 hours ago|
prev|
[-]
It's more like when you join a company the laptop is given the ability to connect to an internal network for employees.

This is an extremely common practice.

reply