I think cors can prevent that. You can't make a cross origin request from an origin that isn't allowlisted
Timing attack on the preflight.
You really think a server-controlled CORS list will protect you from a client-side configuration issue?
Timing attack on the preflight.
You really think a server-controlled CORS list will protect you from a client-side configuration issue?