Are timing-based side-channel attacks against the server during CORS preflight a legitimate concern?
Section 3.2.3 of the Fetch standard provides some guidance about how servers can/should handle preflight requests.
A successful HTTP response, i.e., one where the server developer intends to share it, to a CORS request can use any status,… Continue reading Are timing-based side-channel attacks against the server during CORS preflight a legitimate concern?