Developers lack CORS understanding, Zoom case study
Original: Developers don't understand CORS (2019)
Why This Matters
Illustrates how security vulnerabilities stem from developer misunderstanding of fundamental web standards like CORS, affecting millions of users.
Chris Foster's 2019 analysis argues that many web developers misunderstand Cross-Origin Resource Sharing (CORS), citing a Zoom security vulnerability in which the company sidestepped CORS restrictions with an image-loading hack instead of implementing a proper API protected by Access-Control-Allow-Origin headers.
In a July 2019 blog post, full-stack consultant Chris Foster highlighted widespread developer misunderstanding of CORS by examining a Zoom security vulnerability discovered by researcher Jonathan Leitschuh. Zoom's native app integration ran a localhost webserver on port 19421 that encoded status information in image dimensions, because image loads are not subject to CORS; as a result, any website could trigger operations in the native Zoom client. Foster noted that this approach likely resulted from insufficient CORS knowledge: rather than implementing a REST API whose Access-Control-Allow-Origin headers limit requests to zoom.us, Zoom built a workaround that exposed privileged functions to every website on the internet. Foster showed that the correct implementation would combine a CORS header (Access-Control-Allow-Origin: https://zoom.us) with a Content Security Policy that prevents iframe embedding. He also critiqued the UX decision to bypass browser safety mechanisms, arguing that automatically launching a video conference without explicit user action violates the principle of predictability. Foster emphasized that localhost webservers handling privileged operations require proper security controls; bypassing CORS standards creates unnecessary vulnerabilities.
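The design Foster recommends, as an added example that is not Zoom's code or code from Foster's post: a localhost HTTP server that grants cross-origin read access only to an allow-listed origin, refuses to act at all for any other origin, and sends a Content Security Policy that forbids framing. The port 19421 comes from the post; the allowed origin value, the /api/launch path and the meeting_id field are assumptions chosen for illustration. The request handling is kept in a pure function so the policy can be exercised without opening a socket.

```python
"""Origin-restricted localhost API (added example, not Zoom's or Foster's code)."""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

PORT = 19421                                # port named in the post
ALLOWED_ORIGINS = {"https://zoom.us"}       # assumption: the only origin allowed to call us
LAUNCH_PATH = "/api/launch"                 # assumption: hypothetical endpoint name

BASE_HEADERS = {
    # Refuse to be embedded in any frame, so a third-party page cannot
    # drive this endpoint through a hidden iframe.
    "Content-Security-Policy": "frame-ancestors 'none'",
    # The CORS grant depends on the request's Origin, so caches must key on it.
    "Vary": "Origin",
}


def cors_headers(origin):
    """Return response headers; the CORS grant appears only for an allow-listed Origin."""
    headers = dict(BASE_HEADERS)
    if origin in ALLOWED_ORIGINS:
        headers["Access-Control-Allow-Origin"] = origin
        headers["Access-Control-Allow-Methods"] = "POST, OPTIONS"
        headers["Access-Control-Allow-Headers"] = "Content-Type"
    return headers


def handle(method, path, headers, body=b""):
    """Pure request handler returning (status, headers, body)."""
    origin = headers.get("Origin")
    resp_headers = cors_headers(origin)
    if path != LAUNCH_PATH:
        return 404, resp_headers, b"not found"
    # CORS headers only decide whether the *browser* lets the calling page read
    # the response. A cross-origin POST still reaches the server, so the server
    # itself must refuse to perform the privileged action for untrusted origins.
    if origin not in ALLOWED_ORIGINS:
        return 403, resp_headers, b"forbidden origin"
    if method == "OPTIONS":                  # preflight for the allowed origin
        return 204, resp_headers, b""
    if method != "POST":
        return 405, resp_headers, b"method not allowed"
    # Require a JSON body: that makes every browser call a non-simple request,
    # so the preflight above always runs before any state-changing request.
    if not headers.get("Content-Type", "").startswith("application/json"):
        return 415, resp_headers, b"json required"
    try:
        data = json.loads(body or b"{}")
    except json.JSONDecodeError:
        return 400, resp_headers, b"malformed json"
    meeting = data.get("meeting_id") if isinstance(data, dict) else None
    if not isinstance(meeting, str) or not meeting.isdigit():
        return 400, resp_headers, b"bad meeting id"
    # The real launch of the native client would happen here; this example only
    # reports the decision so it can be run and tested offline.
    payload = json.dumps({"status": "would_launch", "meeting_id": meeting}).encode()
    return 200, resp_headers, payload


class Handler(BaseHTTPRequestHandler):
    """Thin socket wrapper that delegates every method to handle()."""

    def _dispatch(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length) if length else b""
        status, hdrs, payload = handle(self.command, self.path, self.headers, body)
        self.send_response(status)
        for name, value in hdrs.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    do_GET = do_POST = do_OPTIONS = _dispatch


if __name__ == "__main__":
    # Bind to loopback only; the service is meant for the local browser.
    HTTPServer(("127.0.0.1", PORT), Handler).serve_forever()
```

Two points worth keeping in mind when reading this. First, the Origin check is the part that actually prevents a third-party page from launching the client; the Access-Control-Allow-Origin header on its own only hides the response from unauthorised pages. Second, Origin is set by browsers, not by arbitrary local processes, so this scheme addresses the cross-site browser attack the post describes; a localhost service performing privileged operations would still want an explicit user confirmation, as Foster's UX point suggests.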