> Many (most?) developers don't really understand the threat model.
It’s because CORS builds on a very odd base permission model. So if you use multipart form data, okay. But application JavaScript bad.
> Many (most?) developers don't really understand the threat model.
It’s because CORS builds on a very odd base permission model. So if you use multipart form data, okay. But application JavaScript bad.