Added information about CORS security issue

This commit is contained in:
Geoffrey Frogeye 2019-12-20 17:58:53 +01:00
parent 94acd106da
commit 57e2919f25
Signed by: geoffrey
GPG key ID: D8A7ECA00A8CD3DD

3
dist/README.md vendored
View file

@ -12,7 +12,10 @@ In order to block those, one can simply block the hostname `trackercompany.com`,
However, to circumvent this block, tracker companies made the websites using them load trackers from `somestring.website1.com`. However, to circumvent this block, tracker companies made the websites using them load trackers from `somestring.website1.com`.
The latter is a DNS redirection to `website1.trackercompany.com`, directly to an IP address belonging to the tracking company. The latter is a DNS redirection to `website1.trackercompany.com`, directly to an IP address belonging to the tracking company.
Those are called first-party trackers. Those are called first-party trackers.
On top of aforementionned privacy issues, they also cause some security issue, as websites are usually configured to trust first-party scripts.
For more information, learn about [Cross-Origin Resource Sharing](https://enable-cors.org/).
In order to block those trackers, ad blockers would need to block every subdomain pointing to anything under `trackercompany.com` or to their network. In order to block those trackers, ad blockers would need to block every subdomain pointing to anything under `trackercompany.com` or to their network.
Unfortunately, most don't support those blocking methods as they are not DNS-aware, e.g. they only see `somestring.website1.com`. Unfortunately, most don't support those blocking methods as they are not DNS-aware, e.g. they only see `somestring.website1.com`.