> For one it had to originate from app.opencode.com
No, that was the initial mitigation! Before the vulnerability was reported, the server was accessible to the entire world with a wide-open CORS policy.
Not sure what you mean by that, but before they implemented any mitigations, it had a CORS policy that allowed requests from any origin. As far as I know, Chromium is the only browser platform that has blocked sites from connecting to localhost, so users of other browsers would be vulnerable, and so would Chrome users if they could be convinced to allow a localhost connection.
No, that was the initial mitigation! Before the vulnerability was reported, the server was accessible to the entire world with a wide-open CORS policy.
https://github.com/anomalyco/opencode/commit/7d2d87fa2c44e32...