We can simply invoke a GET request for any page on the Internet using HTML tags from another source:
<script src="http://example.com/user/post?txt=sample"></script>
XHR to another origin is blocked for security reasons; for instance, an attacker can use a GET request on behalf of the user (note that this is not possible due to the lack of cookies). However, the above script tag will do the same (same thing, cookies are not available). So why is the XHR GET request not allowed?