Definitely for browser extensions. It's become more difficult with needing to se... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		progmetaldev on June 25, 2024 \| parent \| context \| favorite \| on: Polyfill supply chain attack hits 100K+ sites Definitely for browser extensions. It's become more difficult with needing to set up CORS, but like with most things that are difficult, you end up with developers that "open the floodgates" and allow as much as possible to get the job done without understanding the implications.

bawolff on June 26, 2024 [–]

CORS is not required to run third party scripts. Cors is about reading data from third parties not executing scripts from third parties.

(Unless you set a Cross-Origin Resource Policy header, but that is fairly obscure)

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact