I recently watched “A Hipster History of CORS”, a talk from Strange Loop 2022 by Devdatta Akhawe, Head of Security at Figma. Devdatta does a great job of taking a complex, even boring, subject like CORS and weaves it into a funny, interesting narrative history. He connected many previously disparate dots in my head, making me go “Ah-ha! That’s why things are the way they are on the web.”
After Devdatta’s talk and an introduction to cross origin read blocking (CORB) I now understand better.
[attacker.com can ask for mail.google.com] as an image. The browser doesn’t know that's not an image. For the browser, everything is a URI. So the browser [fill fetch it] and say “here’s mail.google.com (and everything in the body)” and the attacker.com process can just read everything in it.
It’s a great story condensed into a thirty minute talk. Thank you Devdatta!