Cross-origin resource sharing is a mechanism to safely bypass the same-origin policy; that is, it allows a web page to access restricted resources from a server on a domain different than the domain that served the web page. From Wikipedia
Researchers say Comet’s assistant misreads page content as commands, exposing data from authenticated sessions.
