{"id":293102,"date":"2019-07-23T07:39:42","date_gmt":"2019-07-23T14:39:42","guid":{"rendered":"https:\/\/css-tricks.com\/?p=293102"},"modified":"2019-07-23T07:39:42","modified_gmt":"2019-07-23T14:39:42","slug":"zoom-cors-and-the-web","status":"publish","type":"post","link":"https:\/\/css-tricks.com\/zoom-cors-and-the-web\/","title":{"rendered":"Zoom, CORS, and the Web"},"content":{"rendered":"<p>It&#8217;s sorta sad by funny that <a href=\"https:\/\/medium.com\/bugbountywriteup\/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5\" rel=\"noopener\">that big Zoom vulnerability thing<\/a> was ultimately related to web technology and not really the app itself. <\/p>\n<p>There is this idea of <a href=\"https:\/\/css-tricks.com\/create-url-scheme\/\">custom protocols or &#8220;<abbr>URL<\/abbr> schemes.&#8221;<\/a> So, like <code>gittower:\/\/<\/code> or <code>dropbox:\/\/<\/code> or whatever. A native app can register them, then <abbr>URL<\/abbr>s that hit them get passed to the native app. <abbr>iOS<\/abbr> has <a href=\"https:\/\/developer.apple.com\/ios\/universal-links\/\" rel=\"noopener\">&#8220;universal links&#8221;<\/a> which are <a href=\"https:\/\/mjtsai.com\/blog\/2019\/07\/12\/sfuniversallink\/\" rel=\"noopener\">coming to the web<\/a> apparently. (Atishay Jain has an <a href=\"https:\/\/css-tricks.com\/hyperlinking-beyond-the-web\/\">excellent write-up on them<\/a>.) But links like that don&#8217;t leave much choice &mdash; they <em>will<\/em> open in the app. If your app has both web and native components, you might want to offer the user a choice. So, you use a regular <abbr>URL<\/abbr> instead.<\/p>\n<p><!--more--><\/p>\n<figure id=\"post-293104\" class=\"align-none media-293104\"><img decoding=\"async\" src=\"https:\/\/i0.wp.com\/css-tricks.com\/wp-content\/uploads\/2019\/07\/zoom-url.png?ssl=1\" alt=\"\" data-recalc-dims=\"1\" \/><\/figure>\n<p>In order for that web page to open up a native app, apparently, the tactic used by many is to have it communicate with a server running on localhost on your own computer which uses a <abbr>URL<\/abbr> scheme to open the native app. Clever, but I&#8217;ve heard sentiment from folks like:<\/p>\n<ul>\n<li>I had no idea this software was running a localhost server on my machine<\/li>\n<li>It feels weird that websites out on the wild internet can communicate with my localhost server<\/li>\n<\/ul>\n<p>That&#8217;s the way it is though. But there are some protections in place. Namely: <abbr>CORS<\/abbr> (Cross-Origin Resource Sharing). Ugh. I feel like I deal with some kind of <abbr>CORS<\/abbr> problem every week of my life. But it&#8217;s important. It prevents <abbr>XHR<\/abbr> requests from websites that aren&#8217;t specifically allowed. Imagine if you visit my website, and I have your browser shoot requests over to Facebook, hoping you are logged in so I can do things on your behalf. Bad. <abbr>CORS<\/abbr> doesn&#8217;t prevent that, the same-origin policy of browsers prevents that. <abbr>CORS<\/abbr> is the mechanism to control that.<\/p>\n<p>If my website tries to communicate with your website, and your website&#8217;s response doesn&#8217;t have an <code>Access-Control-Allow-Origin<\/code> header with my domain or <code>*<\/code>, it will fail. But not <em>everything<\/em> is subject to <abbr>CORS<\/abbr> restrictions. Images, for example, are not. We can link up images from any domain and they will return data.<\/p>\n<p>Chris Foster thinks <abbr>CORS<\/abbr> and <a href=\"https:\/\/fosterelli.co\/developers-dont-understand-cors\" rel=\"noopener\">a lack of understanding<\/a> of <abbr>CORS<\/abbr> was at the heart of the Zoom bug.<\/p>\n<blockquote><p>Zoom may have needed to get this feature out and did not understand <abbr>CORS<\/abbr>. They couldn\u2019t make the AJAX requests without the browser disallowing the attempt. Instead, they built this image hack to work around <abbr>CORS<abbr>. By doing this, they opened Zoom up to a big vulnerability because n\/ot only can the Zoom website trigger operations in the native client and access the response, but every other website on the internet can too.<\/p><\/blockquote>\n<p>In the wake of all this, Nicolas Bailly wrote <a href=\"https:\/\/dev.to\/nicolus\/what-you-should-know-about-cors-48d6\" rel=\"noopener\">&#8220;What you should know about CORS&#8221;<\/a>:<\/p>\n<blockquote><p>This is often a source of confusion for newcomers because it&#8217;s not immediately apparent what <abbr>CORS<\/abbr> is supposed to achieve. Firstly CORS is not a security measure in itself, it&#8217;s actually the opposite: <abbr>CORS<\/abbr> is a way to circumvent the &#8220;Same Origin Policy&#8221; which is the security measure preventing you from making [AJAX] requests to a different domain.<\/p><\/blockquote>\n","protected":false},"excerpt":{"rendered":"<p>It&#8217;s sorta sad by funny that that big Zoom vulnerability thing was ultimately related to web technology and not really the app itself. There is this idea of custom protocols or &#8220;URL schemes.&#8221; So, like gittower:\/\/ or dropbox:\/\/ or whatever. A native app can register them, then URLs that hit them get passed to the [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":293131,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_bbp_topic_count":0,"_bbp_reply_count":0,"_bbp_total_topic_count":0,"_bbp_total_reply_count":0,"_bbp_voice_count":0,"_bbp_anonymous_reply_count":0,"_bbp_topic_count_hidden":0,"_bbp_reply_count_hidden":0,"_bbp_forum_subforum_count":0,"sig_custom_text":"","sig_image_type":"featured-image","sig_custom_image":0,"sig_is_disabled":false,"inline_featured_image":false,"c2c_always_allow_admin_comments":false,"footnotes":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":[]},"categories":[4],"tags":[3292,779,1334],"jetpack_publicize_connections":[],"acf":[],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/css-tricks.com\/wp-content\/uploads\/2019\/07\/zoom-logo-pattern.png?fit=1200%2C600&ssl=1","jetpack-related-posts":[{"id":356088,"url":"https:\/\/css-tricks.com\/why-would-a-business-push-a-native-app-over-a-website\/","url_meta":{"origin":293102,"position":0},"title":"Why would a business push a native app over a website?","date":"December 10, 2021","format":false,"excerpt":"I wanted to write down what I think the reasons are here in December of 2021 so that we might revisit it from time to time in the future and see if these reasons are still relevant. I'm a web guy myself, so I'm interested in seeing how the web\u2026","rel":"","context":"In &quot;Article&quot;","img":{"alt_text":"","src":"https:\/\/i0.wp.com\/css-tricks.com\/wp-content\/uploads\/2021\/12\/phone-to-web.jpg?fit=1200%2C600&ssl=1&resize=350%2C200","width":350,"height":200},"classes":[]},{"id":350690,"url":"https:\/\/css-tricks.com\/application-specific-links\/","url_meta":{"origin":293102,"position":1},"title":"Application-Specific Links","date":"August 31, 2021","format":false,"excerpt":"You know like https:? That's a URL Scheme. You're probably familiar with the concept, thanks to others that come up in front-end development, like mailto:. You can actually make your own, which is pretty cool. There are a lot of them. I find that custom URL schemes come up the\u2026","rel":"","context":"In &quot;Article&quot;","img":{"alt_text":"","src":"https:\/\/i0.wp.com\/css-tricks.com\/wp-content\/uploads\/2021\/08\/Screen-Shot-2021-08-25-at-12.08.18-PM.png?fit=1200%2C841&ssl=1&resize=350%2C200","width":350,"height":200},"classes":[]},{"id":20203,"url":"https:\/\/css-tricks.com\/w3conf-brad-hill-html5-security-realities\/","url_meta":{"origin":293102,"position":2},"title":"[W3Conf] Brad Hill: &#8220;HTML5 Security Realities&#8221;","date":"February 22, 2013","format":false,"excerpt":"Brad Hill (@hillbrad) works at PayPal work works with the W3C on security issues. These are my notes from his presentation at W3Conf in San Francisco as part of this live blog series. You can't read anything about security without huge hyperbole about HTML security. Is it correct? Brad says\u2026","rel":"","context":"In &quot;Article&quot;","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":352907,"url":"https:\/\/css-tricks.com\/those-get-the-app-banners\/","url_meta":{"origin":293102,"position":3},"title":"Those &#8220;Get The App&#8221; Banners","date":"October 11, 2021","format":false,"excerpt":"Why would a company promote a native app over their perfectly usable website?We\u2019d have to ask them, I suppose. But it\u2019s hard not to see this push to native as a matter of priorities: that these companies consider native applications worthy of their limited time, resources, and money. They\u2019re a\u2026","rel":"","context":"In &quot;Article&quot;","img":{"alt_text":"","src":"https:\/\/i0.wp.com\/css-tricks.com\/wp-content\/uploads\/2021\/09\/app-banners.png?fit=1200%2C600&ssl=1&resize=350%2C200","width":350,"height":200},"classes":[]},{"id":340759,"url":"https:\/\/css-tricks.com\/what-i-learned-building-a-word-game-app-with-nuxt-on-google-play\/","url_meta":{"origin":293102,"position":4},"title":"What I Learned Building a Word Game App With Nuxt on Google Play","date":"May 25, 2021","format":false,"excerpt":"I fell in love with coding the moment I created my first CSS :hover effect. Years later, that initial bite into interactivity on the web led me to a new goal: making a game. Table of contentsWhat\u2019s the game (and what\u2019s that name)?Choosing NuxtAchieving native app feel with the webVibration\u2026","rel":"","context":"In &quot;Article&quot;","img":{"alt_text":"","src":"https:\/\/i0.wp.com\/css-tricks.com\/wp-content\/uploads\/2021\/05\/quina-app.png?fit=1200%2C600&ssl=1&resize=350%2C200","width":350,"height":200},"classes":[]},{"id":338606,"url":"https:\/\/css-tricks.com\/still-hoping-for-better-native-page-transitions\/","url_meta":{"origin":293102,"position":5},"title":"Still Hoping for Better Native Page Transitions","date":"April 21, 2021","format":false,"excerpt":"It would be nice to be able to animate the transition between pages if we want to on the web without resorting to hacks or full-blown architecture choices to achieve it. I could imagine an API that would run stuff, perhaps integrating with WAAPI, before the page is unloaded, and\u2026","rel":"","context":"In &quot;Article&quot;","img":{"alt_text":"","src":"https:\/\/i0.wp.com\/css-tricks.com\/wp-content\/uploads\/2014\/08\/js-ecc9543f.gif?fit=975%2C670&ssl=1&resize=350%2C200","width":350,"height":200},"classes":[]}],"featured_media_src_url":"https:\/\/i0.wp.com\/css-tricks.com\/wp-content\/uploads\/2019\/07\/zoom-logo-pattern.png?fit=1024%2C512&ssl=1","_links":{"self":[{"href":"https:\/\/css-tricks.com\/wp-json\/wp\/v2\/posts\/293102"}],"collection":[{"href":"https:\/\/css-tricks.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/css-tricks.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/css-tricks.com\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/css-tricks.com\/wp-json\/wp\/v2\/comments?post=293102"}],"version-history":[{"count":4,"href":"https:\/\/css-tricks.com\/wp-json\/wp\/v2\/posts\/293102\/revisions"}],"predecessor-version":[{"id":293130,"href":"https:\/\/css-tricks.com\/wp-json\/wp\/v2\/posts\/293102\/revisions\/293130"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/css-tricks.com\/wp-json\/wp\/v2\/media\/293131"}],"wp:attachment":[{"href":"https:\/\/css-tricks.com\/wp-json\/wp\/v2\/media?parent=293102"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/css-tricks.com\/wp-json\/wp\/v2\/categories?post=293102"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/css-tricks.com\/wp-json\/wp\/v2\/tags?post=293102"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}