Diese Angriffe nutzen aus, dass Browser Skripte Requests senden lassen, ohne einen CORS-Preflight-Check durchzuführen, wenn sie:

* keinen `Content-Type`-Header haben (z. B. mit `fetch()` und einem `Blob`-Body)
* und keine Authentifizierungsdaten senden.

Diese Art von Angriff ist vor allem relevant, wenn:

* die Anwendung lokal läuft (z. B. auf `localhost`) oder in einem internen Netzwerk

                } finally {
                    latch.countDown();
                }
            }, "ProcessCloser-output-" + sessionId).start();

            try {
                latch.await(streamCloseTimeout, TimeUnit.SECONDS);
            } catch (final InterruptedException e) {
                logger.warn("Interrupted to wait a process.", e);
            }
            try {

  ) {
    val latch = CountDownLatch(networkRequests.size)

    for (call in networkRequests) {
      call.enqueue(
        object : Callback {
          override fun onFailure(
            call: Call,
            e: IOException,
          ) {
            synchronized(failures) {
              failures.add(e)
            }
            latch.countDown()
          }

            for (int i = 0; i < events.size(); i += BATCH_SIZE) {
                final List<LogNotificationEvent> batch = events.subList(i, Math.min(i + BATCH_SIZE, events.size()));
                final BulkRequestBuilder bulkRequest = client.prepareBulk();
                for (final LogNotificationEvent event : batch) {
                    final Map<String, Object> source = new HashMap<>();
                    source.put("hostname", hostname);

These attacks exploit the fact that browsers allow scripts to send requests without doing any CORS preflight check when they:

* don't have a `Content-Type` header (e.g. using `fetch()` with a `Blob` body)
* and don't send any authentication credentials.

This type of attack is mainly relevant when:

* the application is running locally (e.g. on `localhost`) or in an internal network

Esses ataques exploram o fato de que navegadores permitem que scripts enviem requisições sem fazer qualquer verificação de preflight de CORS quando:

- não têm um cabeçalho `Content-Type` (por exemplo, usando `fetch()` com um corpo `Blob`)
- e não enviam nenhuma credencial de autenticação.

Esse tipo de ataque é relevante principalmente quando:

- a aplicação está em execução localmente (por exemplo, em `localhost`) ou em uma rede interna

        // ## Act ##
        req.execute(response -> {
            threadName.set(Thread.currentThread().getName());
            latch.countDown();
        }, e -> {
            latch.countDown();
        });

        // ## Assert ##
        assertTrue("Async execution should complete within 5 seconds", latch.await(5, TimeUnit.SECONDS));
        assertNotNull(threadName.get());

name: 'Auto Assign PR to Author'
on:
  pull_request:
    types: [opened]

permissions: {}

jobs:
  add-reviews:
    permissions:
      contents: read  # for kentaro-m/auto-assign-action to fetch config file
      pull-requests: write  # for kentaro-m/auto-assign-action to assign PR reviewers
    runs-on: ubuntu-latest
    steps:

Ces attaques exploitent le fait que les navigateurs permettent à des scripts d’envoyer des requêtes sans effectuer de pré-vérification CORS (preflight) lorsqu’ils :

* n’ont pas d’en-tête `Content-Type` (par ex. en utilisant `fetch()` avec un corps `Blob`)
* et n’envoient aucune information d’authentification.

Ce type d’attaque est surtout pertinent lorsque :

* l’application s’exécute localement (par ex. sur `localhost`) ou sur un réseau interne

		} else {
			globalHealConfig.Update(healCfg)
		}
	case config.BatchSubSys:
		batchCfg, err := batch.LookupConfig(s[config.BatchSubSys][config.Default])
		if err != nil {
			errs = append(errs, fmt.Errorf("Unable to apply batch config: %w", err))
		} else {
			globalBatchConfig.Update(batchCfg)
		}
	case config.ScannerSubSys: