
I'm not talking about cross-origin requests in general; those are completely fine and reasonable.

I'm talking about requests from pages served from the Internet to servers on localhost or servers on an RFC1918 address.



I feel that the distinction between internet and local is unnecessary. Isn't it equally bad if someone sends a request to your CORS-broken local webcam as it is if they send a request to your CORS-broken bank account?

Or does SOP not apply to local addresses?

I think for all cases it could make sense to enable the user to also approve CORS requests instead of just the cross-origin website itself (since they are often insecure).


> Isn't it equally bad if someone sends a request to your CORS-broken local webcam as it is if they send a request to your CORS-broken bank account?

This comes from the same line of thinking as "shouldn't every device have a routable IP?". Yes, in theory, but a long history of not having one has made people more lax about local systems and securing services. And until the vast majority of local services address their security issues, we shouldn't make them accessible.

> Or does SOP not apply to local addresses?

It should, but that's not the world we have. Yes, we should fix the million local devices with CSRF/CORS/etc issues. We should also have an extra layer of protection in web browsers to prevent this. Defense in depth. (And note that many local devices do this intentionally, to give a website more permissions, as in the case of Zoom. The local web server wants to make itself accessible to the Internet; browsers should prevent that.)
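As an added example (not code from this thread, and not Zoom's or any real device's implementation), here is the server-side half of the "defense in depth" argued for above: a request-decision function for a service bound to localhost or an RFC1918 address that refuses to act on browser requests whose Origin is an Internet page, instead of answering `Access-Control-Allow-Origin: *`. Two points a practitioner should note: CORS only hides the response from the calling page, it does not stop a "simple" request (GET, or a form POST) from reaching the server and having its side effect, so the server must refuse to act, not merely omit the CORS headers; and the Origin header is only honest when sent by a browser, so this is a CSRF defense, not authentication. The preflight headers `Access-Control-Request-Private-Network` / `Access-Control-Allow-Private-Network` are the ones Chrome's Private Network Access feature uses for exactly the browser-side layer the comment asks for. The allowlist contents and the `/api/` path are assumptions for the example.

```javascript
// Added example, not from the thread. A local device's decision logic for
// cross-origin browser requests. Assumed: the device's own UI is served from
// http://localhost:8080 and a LAN dashboard from http://192.168.1.10:8080
// (both hypothetical); anything else, and any public origin, is refused.

// Page origins (scheme://host[:port]) allowed to call this device's API.
const ALLOWED_ORIGINS = new Set([
  'http://localhost:8080',     // the device's own UI (assumed)
  'http://192.168.1.10:8080',  // a LAN-hosted dashboard (assumed)
]);

const IPV4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

// Classify a hostname as 'loopback', 'private' (RFC1918) or 'public'.
// DNS names other than localhost are treated as public: a public name can
// resolve to 127.0.0.1 (DNS rebinding), so the name alone proves nothing.
function classifyHost(host) {
  if (host === 'localhost' || host.endsWith('.localhost') || host === '[::1]') {
    return 'loopback';
  }
  const m = IPV4.exec(host);
  if (!m) return 'public';
  const [a, b] = m.slice(1).map(Number);
  if (a === 127) return 'loopback';
  if (a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168)) {
    return 'private';
  }
  return 'public';
}

// Decide how to answer one request from its method and (lower-cased) headers.
// Returns { status, headers, act } where act says whether the handler may
// perform the requested operation. Refusing to act is what matters for
// simple requests, which browsers send without any preflight.
function decide(method, headers) {
  const origin = headers['origin'];

  // No Origin header: a same-origin GET navigation or a non-browser client.
  // CSRF via a browser always carries Origin, so nothing to refuse here.
  if (origin === undefined) return { status: 200, headers: {}, act: true };

  let host;
  try {
    host = new URL(origin).hostname;
  } catch {
    return { status: 403, headers: {}, act: false };  // malformed Origin
  }

  const allowed = ALLOWED_ORIGINS.has(origin) && classifyHost(host) !== 'public';
  if (!allowed) {
    // Deliberately no Access-Control-* headers: the preflight fails, and a
    // simple request gets a 403 with no side effect.
    return { status: 403, headers: {}, act: false };
  }

  const cors = {
    'Access-Control-Allow-Origin': origin,  // echo the specific origin, never '*'
    'Vary': 'Origin',
  };

  if (method === 'OPTIONS') {
    cors['Access-Control-Allow-Methods'] = 'GET, POST';
    // Private Network Access preflight: only an allowed origin is told it
    // may talk to this local address.
    if (headers['access-control-request-private-network'] === 'true') {
      cors['Access-Control-Allow-Private-Network'] = 'true';
    }
    return { status: 204, headers: cors, act: false };
  }

  return { status: 200, headers: cors, act: true };
}

module.exports = { classifyHost, decide, ALLOWED_ORIGINS };
```

`decide(req.method, req.headers)` drops straight into a Node `http.createServer` callback (Node lower-cases incoming header names already); the handler performs the operation only when `act` is true, and writes `status` and `headers` in every case.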


Totally agree, that makes good sense.



