Hello list,

While we are still at CORS - could we have something like a reverse CORS? That means an original server should explicitly allow scripts loaded from an external domain.

Having only CORS does prevent the data from being hijacked / information being sent to another domain. Example - if an attacker owns a domain to which the information is passed, the domain could as well respond with the complete set of required headers and receive the information (or an attacker could do a simple GET request and post the cookie / other values and steal the information).

The idea is to work on something on the level of a reverse CORS. Which means if an attacker has modified the page to include a JS file within the site, the browser would check the parent server from which the page has loaded to check if it can load scripts from that domain - something like a reverse verification (which the browser validates from the parent domain).

Does that make sense? Is there an alternative already?

Regards,
Phani Lanka
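An added illustration of the check proposed above (not part of the original message, and not any browser's or the list's code): a small Python evaluator that takes the allowlist of script origins the parent server would publish and decides, per script URL, whether the browser should load it. The policy syntax is a simplified subset of the Content-Security-Policy `script-src` directive, which is the standardized form of this check; the policy string and URLs are constructed sample values.

```python
from urllib.parse import urlsplit


def _origin(url):
    """Return (scheme, host, port) for a URL; port is the explicit or default port."""
    p = urlsplit(url)
    port = p.port or {"http": 80, "https": 443}.get(p.scheme)
    return p.scheme, p.hostname, port


def _source_matches(source, page_origin, script_origin):
    """Match one source expression (CSP-like subset) against a script's origin."""
    if source == "'self'":
        return script_origin == page_origin          # same scheme, host and port
    if source == "'none'":
        return False
    # A scheme-less entry such as cdn.example.com inherits the page's scheme.
    if "://" not in source:
        source = f"{page_origin[0]}://{source}"
    s_scheme, s_host, s_port = _origin(source)
    scheme, host, port = script_origin
    if scheme != s_scheme or port != s_port:
        return False                                 # no http->https laxity in this subset
    if s_host.startswith("*."):
        return host.endswith(s_host[1:])             # *.example.com matches sub.example.com only
    return host == s_host


def allowed_scripts(page_url, policy, script_urls):
    """Map each script URL to True (load) or False (block) under the parent page's policy.

    policy is the allowlist the parent server sent, e.g. "'self' https://cdn.example.com".
    """
    page_origin = _origin(page_url)
    sources = policy.split()
    return {u: any(_source_matches(s, page_origin, _origin(u)) for s in sources)
            for u in script_urls}


if __name__ == "__main__":
    # Constructed sample: the page's own origin plus one approved CDN are allowed;
    # a script injected from any other origin is refused by the browser-side check.
    policy = "'self' https://cdn.example.com"
    scripts = ["https://www.example.com/app.js",
               "https://cdn.example.com/lib.js",
               "https://attacker.example.net/steal.js"]
    for url, ok in allowed_scripts("https://www.example.com/", policy, scripts).items():
        print("allow" if ok else "block", url)
```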
