Developers who learn about CORS: "I don't want to learn about CORS, I want my thing to work!" When you learn that CORS exists, it makes no sense. I read about 10 StackOverflow posts about it and 3 articles, and I still didn't understand it. I think it was the 3rd time that I had to deal with it that I finally understood that it really doesn't fit my mental model of web security.
So, can the hacked process access cookies of another origin? I would guess not, so whatever it does doesn't seem too bad ... both CORB and CORP sound useless? What is special about browsers? Cannot the attacker just do that irrespective of a browser?
- The point of a browser exploit is, you got inside the local network where I can make requests to servers that think they are behind a wall...
- All "secret images" should require Authorization + Authentication anyway, so it's irrelevant some process can make requests, if it doesn't have any secret tokens.
- What am I not getting?