- From: Osintopsec <notifications@github.com>
- Date: Fri, 04 Jan 2019 16:16:37 -0800
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Saturday, 5 January 2019 00:16:59 UTC
> I only see a risk if the server expects CORS to be more authoritative. I actually ran into this while doing a pentest and thought this was some odd behaviour; eventually I used it to chain a CSRF to run the victim into an XSS. Of course this behaviour (setting the cookie) is achievable by other means also, form elements and such, but fetch needs a lot less space for the payload. Is there anything I can help you guys with from here on?
>
> --
> You are receiving this because you are subscribed to this thread.
> Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/855#issuecomment-451607260