I believe this should be exploitable in a typical MiTM scenario, especially if you don't use HSTS headers (also no need to downgrade as it's in HTTP anyways) -- a typical DNS spoofing attack can make a victim's IP of the same local network as localhost:8888 navigation leading to believe it's you and responding with the CORS response. -- I really don't see why you need a site with this kind of CORS response header
shinkurt
- 21
- 2