> Only the janitor's department calling in can dial that sequence

Is this the case though? Cannot any website use the same trick Adobe does to check whether you have Creative Cloud installed? Like, the entries in /etc/hosts are not magically scoped to work just on Adobe's web, no?

> Cannot any website use the same trick Adobe does to check whether you have Creative Cloud installed?

That is specifically what I was talking about.

> (Because it seems Adobe's server serving the analytics image checks the request origin and only serves the image if the origin is Adobe's own website.)

It's additional complexity on the server side, per a Reddit comment on the topic: https://old.reddit.com/r/webdev/comments/1sb6hzk/adobe_wrote... The example curl commands given seemed convincing to me, although they also demonstrate that you can fake the origin pretty easily on the client side.

I think CORS can prevent that. You can't make a cross-origin request from an origin that isn't allowlisted.

Timing attack on the preflight.

You really think a server-controlled CORS list will protect you from a client-side configuration issue?