Cross-Origin scripts can access data without restrictions

Well, you get what you ask for.

accept-patch: application/json, application/sparql-update
accept-post: text/turtle, application/json
access-control-allow-credentials: true
access-control-allow-origin: https://retog.github.io
access-control-expose-headers: User, Location, Link, Vary, Last-Modified, WWW-Authenticate, Content-Length, Content-Type, Accept-Patch, Accept-Post, Allow, Updates-Via, Ms-Author-Via
access-control-max-age: 1728000
allow: OPTIONS, HEAD, GET, PATCH, POST, PUT, MKCOL, DELETE, COPY, MOVE, LOCK, UNLOCK
content-length: 0
content-type: text/plain; charset=utf-8
date: Fri, 15 Jun 2018 13:39:25 GMT
link: <https://beta.databox.me/evil-5099ea,meta>; rel="meta", <https://beta.databox.me/evil-5099ea,acl>; rel="acl", <http://www.w3.org/ns/ldp#Resource>; rel="type"
location: https://beta.databox.me/evil-5099ea
ms-author-via: DAV, SPARQL
status: 201
updates-via: wss://beta.databox.me/
user: https://beta.databox.me/profile/card#me
vary: Origin

These headers from the server say that the client origin is explicitly trusted. We can't get upset about cross-origin access when the browser goes to huge lengths to block it, and we have gone to even huger lengths to open it up again.

Protection against this attack is built into the browser. We disable it by explicitly telling the browser that for any origin which access it, that origin is trusted. You get what you ask for.

Browser security is based on the Same Origin Model... if we want to tweak that we do it carefully but maybe not reinvent it. we have origin reflector code in the server specifically to give all origins ability to access data. We turned that on, to fix this we turn it off (work break warp etc) or make it speific to origins we trust.

linkeddata / gold

Cross-Origin scripts can access data without restrictions #89