chmod +x mc
fi

minio server -S /tmp/no-certs --address ":9001" "http://localhost:9001/tmp/multisitea/data/disterasure/xl{1...4}" \
	"http://localhost:9002/tmp/multisitea/data/disterasure/xl{5...8}" >/tmp/sitea_1.log 2>&1 &

minio server -S /tmp/no-certs --address ":9002" "http://localhost:9001/tmp/multisitea/data/disterasure/xl{1...4}" \
	"http://localhost:9002/tmp/multisitea/data/disterasure/xl{5...8}" >/tmp/sitea_2.log 2>&1 &

from inline_snapshot import snapshot

app = FastAPI(
    servers=[
        {"url": "/", "description": "Default, relative server"},
        {
            "url": "http://staging.localhost.tiangolo.com:8000",
            "description": "Staging but actually localhost still",
        },
        {"url": "https://prod.example.com"},
    ]
)


@app.get("/foo")
def foo():
    return {"message": "Hello World"}

boto3.set_stream_logger('boto3.resources', logging.DEBUG)

authorize_url = "http://localhost:8080/auth/realms/minio/protocol/openid-connect/auth"
token_url = "http://localhost:8080/auth/realms/minio/protocol/openid-connect/token"

# callback url specified when the application was defined
callback_uri = "http://localhost:8000/oauth2/callback"

# keycloak id and secret
client_id = 'account'

        go-version: [1.24.x]
        ldap: ["", "localhost:389"]
        etcd: ["", "http://localhost:2379"]
        openid: ["", "http://127.0.0.1:5556/dex"]
        exclude:
          # exclude combos where all are empty.
          - ldap: ""
            etcd: ""
            openid: ""
          # exclude combos where both ldap and openid IDPs are specified.
          - ldap: "localhost:389"
            openid: "http://127.0.0.1:5556/dex"

    browser = playwright.chromium.launch(headless=False)
    # Update the viewport manually
    context = browser.new_context(viewport={"width": 960, "height": 1080})
    page = context.new_page()
    page.goto("http://localhost:8000/docs")
    page.get_by_role("button", name="GET /items/ Read Items").click()
    page.get_by_role("button", name="Try it out").click()
    # Manually add the screenshot

    browser = playwright.chromium.launch(headless=False)
    # Update the viewport manually
    context = browser.new_context(viewport={"width": 960, "height": 1080})
    page = context.new_page()
    page.goto("http://localhost:8000/docs")
    page.get_by_role("button", name="POST /login/ Login").click()
    page.get_by_role("button", name="Try it out").click()
    # Manually add the screenshot

	export AWS_ACCESS_KEY_ID=minio
	export AWS_SECRET_ACCESS_KEY=minio123
	aws --endpoint-url http://localhost:"$start_port" s3api create-multipart-upload --bucket bucket --key obj-1 >upload-id.json
	uploadId=$(jq -r '.UploadId' upload-id.json)

	truncate -s 5MiB file-5mib
	for i in {1..2}; do
		aws --endpoint-url http://localhost:"$start_port" s3api upload-part \
			--upload-id "$uploadId" --bucket bucket --key obj-1 \

## 來源（Origin） { #origin }

一個來源是由通訊協定（`http`、`https`）、網域（`myapp.com`、`localhost`、`localhost.tiangolo.com`）與連接埠（`80`、`443`、`8080`）三者組合而成。

因此，以下皆是不同的來源：

* `http://localhost`
* `https://localhost`
* `http://localhost:8080`

即使它們都在 `localhost`，但使用了不同的通訊協定或連接埠，所以它們是不同的「來源」。

## 步驟 { #steps }

假設你的前端在瀏覽器中執行於 `http://localhost:8080`，其 JavaScript 嘗試與執行在 `http://localhost` 的後端通訊（因為未指定連接埠，瀏覽器會假設預設連接埠為 `80`）。

    <repository>
      <id>local</id>
      <url>http://localhost</url>
    </repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository>
      <id>local</id>
      <url>http://localhost</url>
    </pluginRepository>
  </pluginRepositories>

  <distributionManagement>
    <repository>
      <id>local</id>
      <url>http://localhost</url>
    </repository>
    <snapshotRepository>

- 且沒有送出任何身分驗證憑證

這種攻擊主要與以下情境相關：

- 應用在本機（例如 `localhost`）或內部網路中執行
- 並且應用沒有任何身分驗證，假設同一個網路中的任何請求都可被信任

## 攻擊範例 { #example-attack }

假設你打造了一個在本機執行 AI 代理（AI agent）的方法。

它提供一個 API：

```
http://localhost:8000/v1/agents/multivac
```

同時也有一個前端：

```
http://localhost:8000
```

/// tip | 提示

請注意兩者的主機（host）相同。

///

接著你可以透過前端讓 AI 代理代你執行動作。