smagin | 1 year ago
Another question, does this work with https?
And the third one, if this was the thing some dishonest governments or VPN providers would do this already. Would be cool to read on that (genuinely, not implying this never happened)
cies | 1 year ago
Not necessarily. Maybe this is not called MITM, but you have to put something in the middle :)
> Another question, does this work with https?
Sure.
> And the third one, if this was the thing some dishonest governments or VPN providers would do this already.
You are confused about what this attack is about. Say I want to embed some widget on my website by which I can receive payments. I have to register my website's domain (technically protocol+domain(+port), aka origin) with the widget's provider. CORS is then used to make sure no one can embed the widget but those with registered origins.
Only browsers are known to enforce CORS (do the checks AND provide the correct origin when doing the checks). Hence the MITM attack I propose works: the MITM does NOT give the correct origin to the real server.
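Added example, not part of the comment above or of any project's code: a local server that gates a widget on the request's `Origin` header, queried by a non-browser client that sets that header itself. The origins, the `/widget` path and all names are constructed for illustration.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed: the one origin "registered" with the hypothetical widget provider.
ALLOWED_ORIGINS = {"https://shop.example"}

class WidgetHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # The server only sees what the client chose to put in the header.
        origin = self.headers.get("Origin", "")
        allowed = origin in ALLOWED_ORIGINS
        body = b"widget" if allowed else b"origin not registered"
        self.send_response(200 if allowed else 403)
        if allowed:
            # A browser reads this to decide whether page script may see the response.
            self.send_header("Access-Control-Allow-Origin", origin)
            self.send_header("Vary", "Origin")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass

def fetch_status(port, origin=None):
    # Non-browser client: Origin is an ordinary header the caller fills in.
    req = urllib.request.Request(f"http://127.0.0.1:{port}/widget")
    if origin:
        req.add_header("Origin", origin)
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def demo():
    server = HTTPServer(("127.0.0.1", 0), WidgetHandler)  # port 0: any free port
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return {"no_origin": fetch_status(port),
                "unregistered": fetch_status(port, "https://other.example"),
                "claims_registered": fetch_status(port, "https://shop.example")}
    finally:
        server.shutdown()
        server.server_close()
```

All three requests come from the same client, and the server cannot tell a browser reporting its real origin from a client that filled the header in, so access to the widget has to rest on something the server can verify rather than on `Origin`.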