Four examples (all uncredentialed requests):
Let’s say image.com is varying responses based on Accept. Permissive CORS/CORP might allow embedder.com to detect whether the user is sending a different Accept to it vs. image.com. If embedder.com has some understanding of image.com’s delivery logic, it also allows embedder.com to tell something about the Accept value that was sent to image.com. That seems… innocuous? ACAO:* and CORP:cross-origin are probably OK here. But I’m not 100% sure.
Now, let’s say image.com is doing some kind of A/B test, and sending different responses randomly based on IP. That (+ read permissions) allows embedder.com to determine whether or not it got a different IP address from the user than image.com. This feels worse to me than the first case… like it could work against privacy protections the user is trying to employ against embedder.com. IPs are more unique than Accept, so, especially with lots of A/B buckets, this feels like maybe a fingerprinting risk. Also IP is tied t