i mean there is a break after 100s so you get the best of both worlds: if you prefer 100s videos you can close the video there, or keep watching if you want. and fireship gets to upload 10min+ videos which helps with the youtube algorithm, which is a bonus for the channel.

@@dom8429 nah, even the short ones are 2min +

2x speed or more solves your problem

I love r/collapse also

It's simple A brute force attack or found of apikeys to there sms provider nothing much

@@nameless_9504 Bruteforcing a 6 digit OTP, I doubt it is a good idea. Talking about master OTPs, intercepting requests, are better alternatives.

@@nameless_9504 I mean, I have been doing it for a while. I like Fireship so much that I want a video on this. A few days back, I was testing a website - you could literally change the phone number on which they sent you the OTP and login with a different phone.

@@DanishShakeel is it even possible? Never heard about it! Give me a example that may help me understand

@@nameless_9504 The website used an API, and they POSTed the number to it in plaintext. I changed the request, and the OTP arrived on the updated number, whereas the webapp logged me in with the actual phone number.

What kind of proxy are you talking about? A proxy running on the user's machine next to the browser? That's a lot harder to do than getting some javascript running in someone's browser.

@@Norsilca No, a server proxy, you can easlily get the response from server to server and then return it with the CORS headers.

@@edisonarango Wouldn't your proxy have to be running at the same origin as the first party website?

@@Norsilcai don't think that guy has a clue what he's talking about based on his response. either that, or he's a genius and we're both baffled.

@fireship used to publish literally 100 sec videous without going deep into the topic. These days, the first part is 100 sec bird-eye view on the topic and then comes the rest. That's why it is 100 sec of sth.

I dont understand what CORS is even usefull for. He only explained what it blocks and not WHY. I dont see the benefit - i am searching for this and the title suggests that he explains it

Lol please i am dying to know

Are you a time traveling developer from 1995?

yup

congratulations you won... idk what

Gold! 🥇

😂

because of allowed origins in the server side cors settings, only the whitelisted hosts are allowed to fetch or mutate data that is why you have to declare those hosts in the environment variables

Learn to google before you ask

@@weshuiz1325 I could learn anything using Google, you're missing the point entirely lol

@@okie9025 hey already did jwt if you looked for it

@@weshuiz1325 😂😂😂😂😂😂😂😂😂😂😂😂😂😂

Edit: This is WRONG: The basic premise is that you can receive/download assets from the external origin, but you cannot send anything to it.

@@cloudfox1908 got it. What about something like an HTTP GET request? While I’m not sending anything to my server is that still a part of the CORS model?

@@shaynepreston6055 ah I led you wrong before. When you download/GET a page, you are still making a request to a server for those resources. The reason it may be allowed is because "For security reasons, browsers restrict cross-origin HTTP requests initiated from within scripts." I'm assuming it's ok since it wasn't within a script, but this stuff is quite confusing for me too. Reference: stackoverflow.com/a/42605316/14056792

@@cloudfox1908 ah that makes more sense. Thanks!

The mime type. script/js, style/css, application/json. Json is forbidden - but it doesn't matter since he only explained what is blocked. not WHY as the title suggests

Express.js (and all other backend libraries) disables CORS by default on static files

CORS is there to protect the Client, not the Server

That's on the list

👋😻

Someone please respond to this. I have the same concern

put me in the woosh

I am really happy you like it! 😍

I can explain partially. The browser is protecting you from another origin’s attack. If you have one tab open in the browser and open the second one with malicious software - JavaScript on this website can do anything that you can do on that 1st page (as a user). So for example it may be able to view sensitive data, read messages, or analyze DOM as you type in your password etc. Same origin policy does not allow these two tabs (origins) to communicate on this level. The browser checks if the JavaScript comes from an HTML page on the same origin or if it comes from an external origin. If that is the case - access is blocked by the browser.

From the diagram, it looks like Origin A wants to request the images, CSS styles, and scripts from Origin B. In this case, Origin A is the potentially malicious one, since it's the one requesting the data.

@@Aakrarvaxa It makes a little bit of sense but it also contradicts what the image shows. You say "Same origin policy does not allow these two tabs (origins) to communicate on this level" but tabs aren't origins. The servers are the origins. And how did this become about two tabs communicating?

@@Dxpress_ I don't see anything in the diagram showing Origins requesting data. Origin A and B are the servers. They don't request anything.

@@tomihawk01 You're right actually, the diagram is drawn a bit weirdly. And yeah, I don't know what the guy was on about with the two browser tabs either. I think what they meant to imply was that the website displayed in the browser is hosted on Origin A. When the website requests data, the origin sent in the request is not the user's origin, it is still Origin A, since that's where the site is hosted.

😂😂😂

APIs configure their response headers to allow for other sites to access them

@@tjgdddfcn thank you, so that's the way to go, i thought that was just a hack or some unsecure option