Cross-Origin Resource Sharing (CORS) - am I missing something here?

Backend | Unresolved | 6 replies | 970 views
轻奢々 2021-01-31 04:36

I was reading about CORS and I think the implementation is both simple and effective.

However, unless I'm missing something, I think there's a big part missing from th

6 replies
  •  孤独总比滥情好
    2021-01-31 04:50

    But what if malicious code on the page wants to POST a user's sensitive information to a foreign site?

    What about it? You can already do that without CORS. Even back as far as Netscape 2, you have always been able to transfer information to any third-party site through simple GET and POST requests caused by interfaces as simple as form.submit(), new Image or setting window.location.

    If malicious code has access to sensitive information, you have already totally lost.

    3) Page wants to make an XHR request to malicious.com - request rejected locally

    Why would a page try to make an XHR request to a site it has not already whitelisted?

    If you are trying to protect against the actions of malicious script injected due to XSS vulnerabilities, you are attempting to fix the symptom, not the cause.
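The reply above turns on one distinction: CORS decides whether page script may *read* a cross-origin response, not whether the browser *sends* the request. The following is an added example, not code from the thread or from any browser, that models that decision in plain Node.js: which requests go out without a preflight (the Fetch spec's CORS-safelisted method and header rules, simplified), when a response becomes readable, and why form.submit() or new Image() never involve CORS at all. The server stand-in, the origin `https://bank.example`, and all request and response samples are constructed for the demo.

```javascript
// Added example: a model of the browser-side CORS decision, to show that CORS gates
// *reading* cross-origin responses, not *sending* cross-origin requests.
// Names such as makeLoggingServer and the origin https://bank.example are assumptions.

const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFELISTED_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFELISTED_CONTENT_TYPES = new Set(["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);

// "simple": sent immediately, no preflight. "preflight": an OPTIONS request must be
// approved first. Simplified from the Fetch spec (Range and header-length limits omitted).
function classifyRequest(method, headers = {}) {
  if (!SAFELISTED_METHODS.has(method.toUpperCase())) return "preflight";
  for (const [name, value] of Object.entries(headers)) {
    const lname = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lname)) return "preflight";
    if (lname === "content-type") {
      const mime = value.split(";")[0].trim().toLowerCase();
      if (!SAFELISTED_CONTENT_TYPES.has(mime)) return "preflight";
    }
  }
  return "simple";
}

// May script running on `origin` read a response carrying these headers?
// With credentials, "*" is not accepted and Allow-Credentials must be "true".
function canReadResponse(origin, responseHeaders, withCredentials = false) {
  const acao = responseHeaders["access-control-allow-origin"];
  if (acao === undefined) return false;
  if (withCredentials) {
    if (responseHeaders["access-control-allow-credentials"] !== "true") return false;
    return acao === origin;
  }
  return acao === "*" || acao === origin;
}

// XHR/fetch from `origin` to a foreign site. `server` stands in for that site:
// a function from request to response. Returns whether the real request was sent,
// whether script could read the reply, and the body it got (null if unreadable).
function simulateXhr(origin, request, server, withCredentials = false) {
  if (classifyRequest(request.method, request.headers) === "preflight") {
    const pre = server({ method: "OPTIONS", headers: { origin, "access-control-request-method": request.method } });
    const methods = (pre.headers["access-control-allow-methods"] || "").split(",").map(s => s.trim().toUpperCase());
    const allowed = canReadResponse(origin, pre.headers, withCredentials) && methods.includes(request.method.toUpperCase());
    if (!allowed) return { sent: false, readable: false, body: null }; // blocked before the real request
  }
  const res = server({ ...request, headers: { ...request.headers, origin } });
  const readable = canReadResponse(origin, res.headers, withCredentials);
  return { sent: true, readable, body: readable ? res.body : null };
}

// The vectors the reply names: form.submit(), new Image().src, window.location.
// The browser always sends these, carrying the data in the body or URL, and never
// exposes the response to script, so CORS plays no part in them.
function simulateNonCorsVector(vector, data, server) {
  const request = vector === "form"
    ? { method: "POST", headers: { "content-type": "application/x-www-form-urlencoded" }, body: data }
    : { method: "GET", headers: {}, url: "/collect?d=" + encodeURIComponent(data) };
  server(request);
  return { sent: true, readable: false };
}

// Constructed foreign server: records every request it sees; `acao` is the
// Access-Control-Allow-Origin value it answers with (null = no CORS headers at all).
function makeLoggingServer(acao) {
  const received = [];
  const server = (req) => {
    received.push(req);
    const headers = acao ? { "access-control-allow-origin": acao, "access-control-allow-methods": "GET, POST, PUT" } : {};
    return { status: 200, headers, body: "secret-response" };
  };
  return { server, received };
}

// Three scenarios against a site that sets no CORS headers: the data leaves the browser
// in the first two, and only the non-safelisted PUT is stopped (at the preflight).
function runDemo() {
  const { server, received } = makeLoggingServer(null);
  const origin = "https://bank.example";
  const leak = "card=4111111111111111";
  const viaImage = simulateNonCorsVector("image", leak, server);
  const viaSimplePost = simulateXhr(origin, { method: "POST", headers: { "content-type": "text/plain" }, body: leak }, server);
  const viaPut = simulateXhr(origin, { method: "PUT", headers: {}, body: leak }, server);
  return { viaImage, viaSimplePost, viaPut, requestsSeenByForeignSite: received.length };
}

console.log(JSON.stringify(runDemo(), null, 2));
```

The point the reply makes falls out of the three results: the image GET and the text/plain POST both arrive at the foreign site even though no CORS header was ever sent, and the only request CORS stops is the PUT, which never gets past its OPTIONS preflight. CORS adds nothing on the exfiltration side; what it withholds is the response.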
