When Access-Control-Allow-Origin: * is set on a school API, any website can silently read its data using a logged-in user's session.
Browsers normally prevent websites from reading responses from other sites. This is called the Same-Origin Policy — a security rule built into every browser.
CORS headers are the server's way of granting exceptions: "I allow requests from this other site." When a school API sets Access-Control-Allow-Origin: *, it says "I allow requests from every site on the internet" — including attacker sites.
The attacker's page loads in the victim's browser. JavaScript on that page calls the school's API with the victim's cookies already attached. The API responds with real data — and the attacker's script reads it and sends it home.
The fix: Only allow origins that actually need access. Access-Control-Allow-Origin: https://school.edu.ph instead of *.
win-prize.com runs this script when the staff member visits:

Access-Control-Allow-Origin: * allows every site to read API responses.
Replace * with explicit allowed origins: https://school.edu.ph
Laravel: allowed_origins in config/cors.php
Nginx: add_header 'Access-Control-Allow-Origin' 'https://school.edu.ph';
* with credentials: include — browsers block it anyway (a wildcard origin is never honoured together with Access-Control-Allow-Credentials: true), but misconfigured servers reflect the request's Origin header instead, and that does let the attacker's page read a logged-in user's data.
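The two sides of the CORS decision described above, as an added example that is not part of the original page or of Laravel or nginx: the server's origin allow-list check (the fix) beside the Origin-reflecting mistake, and the browser rule that decides whether a cross-origin script may read the response. The origins and header sets are constructed sample values.

```javascript
// Added example (not from the original page). Models the CORS decision on both
// sides: a hardened server that only grants allow-listed origins, a misconfigured
// server that reflects any Origin, and the browser's read/block rule.
// All origins here are constructed sample values.

const ALLOWED_ORIGINS = new Set(['https://school.edu.ph']); // exact-match allow-list

// Hardened server: echo the Origin only when it is on the allow-list.
// Exact string match, so lookalike origins such as school.edu.ph.example are rejected.
// Vary: Origin stops a shared cache from replaying one origin's grant to another.
function secureCorsHeaders(requestOrigin) {
  const headers = { Vary: 'Origin' };
  if (ALLOWED_ORIGINS.has(requestOrigin)) {
    headers['Access-Control-Allow-Origin'] = requestOrigin;
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}

// Misconfigured server from the last bullet above: reflects whatever Origin the
// request carried and still allows credentials, so every site gets a credentialed read.
function reflectingCorsHeaders(requestOrigin) {
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Browser side: may a script running at pageOrigin read this response?
// - ACAO equal to pageOrigin: yes (a credentialed request also needs ACAC: true).
// - ACAO "*": yes only when the request was sent without credentials.
// - no ACAO header: no (plain Same-Origin Policy applies).
function browserExposesResponse(headers, pageOrigin, withCredentials) {
  const acao = headers['Access-Control-Allow-Origin'];
  const acac = headers['Access-Control-Allow-Credentials'] === 'true';
  if (acao === undefined) return false;
  if (acao === '*') return !withCredentials; // wildcard never pairs with cookies
  return acao === pageOrigin && (!withCredentials || acac);
}
```

Run the three server/browser combinations side by side to see that only the reflecting server exposes a logged-in user's response to a foreign origin.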