
Zoom, CORS, and the Web

Apr 18, 2025 am 09:35 AM


The recent major Zoom vulnerability, ironically, came from web technology (a local web server and the browser's cross-origin rules) rather than from the desktop client's own code. It is a good illustration of how subtle the seams between web pages and native apps can be.

Part of the background is custom URL schemes (like gittower:// or dropbox://), which a native app registers with the operating system so that links using that scheme are handed straight to the app. They are effective at launching the app directly, but they leave the user no real choice in the matter. To leave that choice with the user, developers often use ordinary https:// URLs instead.

Many apps instead get a web page talking to the native app by running a small HTTP server on localhost on the user's machine, which the page reaches through ordinary URLs. The approach is clever, but it raises concerns:

  • Users may have no idea that a server is running on their machine at all.
  • Any website the user visits can send requests to that localhost server, which feels intrusive.

There are safeguards, the main one being CORS (Cross-Origin Resource Sharing), which works together with the browser's same-origin policy rather than replacing it. The same-origin policy is what stops a page on one origin from reading responses fetched from another origin; CORS is the mechanism a server uses to selectively relax that rule. When a page makes a cross-origin XHR or fetch request, the browser lets the page read the response only if it carries an Access-Control-Allow-Origin header that names the requesting origin exactly (scheme, host and port) or uses the wildcard (*). Two details matter here. First, a simple GET request is still sent to the server, and the server still acts on it; CORS only keeps the response away from the page. Second, the rule does not cover every kind of resource: an image loaded through an <img> tag, for example, is fetched without any CORS check, and the page can still observe whether it loaded and what its dimensions are.
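As an added example that is not part of the original article: a small JavaScript model of the three browser behaviours this paragraph turns on (which requests go out without a preflight, when a cross-origin response is readable by the page, and what a plain image load exposes with no CORS check at all). The function names and the sample headers are this example's own.

```javascript
// Added example, not code from the original article or from Zoom: a small
// model of what a browser does with a cross-origin request. Function names
// (isSimpleRequest, corsReadable, imageLoadSignals) are this example's own.

// Request headers a browser may attach without a preflight (CORS-safelisted).
const SAFELISTED = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFE_CONTENT_TYPES = ["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"];

// A "simple" request goes out on the wire immediately, with no OPTIONS
// preflight, so a localhost server receives it and acts on it whether or not
// the page will ever be allowed to read the answer. Anything else (a custom
// header, a JSON body, PUT/DELETE) is only sent after a successful preflight.
function isSimpleRequest(method, headers = {}) {
  if (!["GET", "HEAD", "POST"].includes(method.toUpperCase())) return false;
  for (const [name, value] of Object.entries(headers)) {
    const n = name.toLowerCase();
    if (!SAFELISTED.has(n)) return false;
    if (n === "content-type" &&
        !SAFE_CONTENT_TYPES.some((t) => String(value).toLowerCase().startsWith(t))) return false;
  }
  return true;
}

// Whether a page at `origin` may read an XHR/fetch response carrying these
// (lower-cased) response headers. `withCredentials` models xhr.withCredentials
// or fetch's credentials: "include".
function corsReadable(origin, headers, withCredentials = false) {
  const acao = headers["access-control-allow-origin"];
  const acac = headers["access-control-allow-credentials"];
  if (acao === undefined) return false;         // no header: response stays opaque
  if (acao === "*") return !withCredentials;     // wildcard never works with credentials
  if (acao !== origin) return false;             // exact match: scheme + host + port
  return withCredentials ? acac === "true" : true;
}

// What a plain <img src="http://localhost:PORT/..."> (no crossorigin attribute)
// exposes with no CORS check at all: whether the fetch produced a decodable
// image, and that image's natural dimensions. Pixel data stays tainted, but
// load/error plus width/height is already a usable signal about what the
// localhost server did. `response` is a constructed stand-in for the fetch.
function imageLoadSignals(response) {
  return response.decodable
    ? { event: "load", naturalWidth: response.width, naturalHeight: response.height }
    : { event: "error", naturalWidth: 0, naturalHeight: 0 };
}
```

Put together: `isSimpleRequest("GET")` is true, so the request reaches the server, while `corsReadable("https://evil.example", {"access-control-allow-origin": "https://app.example.com"})` is false, so the page cannot read what came back; an image load with `imageLoadSignals({ decodable: true, width: 1, height: 2 })` reports `load` and the dimensions to any page regardless of the header.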

According to Chris Foster, a misunderstanding of CORS was at the heart of the Zoom vulnerability. To sidestep the CORS restriction on AJAX requests, Zoom allegedly used an image-based workaround, relying on the fact that image loads are not subject to the CORS check. That removed the one control that would have limited which origins could talk to the localhost server, so any website, not just Zoom's, could trigger actions in the native client and observe its responses.

Nicolas Bailly's article, "What you should know about CORS," clears up the most common misunderstanding: CORS is not a security measure in itself but a controlled way of relaxing the same-origin policy, and it is the same-origin policy that does the actual protecting.
