Hey guys,
watching this video -
https://www.youtube.com/watch?v=KaEj_qZgiKY @ about timestamp 2:03, he mentions "since we are able to make a GET request with the image/image tag, then we should be able to make a GET request with XMLHTTPRequest to get the JSON data from reddit.
To put that into context, he is saying that we can make a GET request by embedding an image from imgur(dot)com in the HTML of reddit by simply adding image tags(with the image source). He further says, with that in mind, we should be able to make a GET request from in the console of imgur to get the JSON response from reddit. It makes sense that we can grab an image this way but....
It does NOT make sense that we can a make a GET request to get the JSON data(which resides on reddit) from imgur. This CLEARLY violates the same origin policy...... but somehow, it works.. or at least in the video it seems to work because when I try it I get a CORS error.
From my understanding, the same origin policy prevents the browser from receiving the response of GET requests to destinations that are not of the same origin(i.e same protocol, domain name and port number). This prevents security issues such as stealing valuable data or doing unauthorized actions such as deleting the users account if the user has an active session with the website in the malicious GET request.
Now, we can get around SOP with images and forms, such as making a POST request with form actions, although there are also security procedures to mitigate this too and is why placing an image from imgur in reddits HTML makes sense.
With my definition this doesn't make sense as to why liveoverflow can make a GET request from