I think cors can prevent that. You can't make a cross origin request from an origin that isn't allowlisted
replyTiming attack on the preflight.
replyYou really think a server-controlled CORS list will protect you from a client-side configuration issue?
reply