Labels Milestones

New Issue

Q: CORS, SOP #145

Closed

opened 2 years ago by 12bytes.org · 4 comments

12bytes.org commented 2 years ago

i'm just wondering how unsafe it would be to modify/delete the CORS origin header for LCDN purposes given that i use uMatrix and disable JS globally by default - would like to hear yur thoughts

and which header exactly woiuld need to be modiied/deleted? is it the Access-Control-Allow-Origin response header?

i'm just wondering how unsafe it would be to modify/delete the CORS origin header for LCDN purposes given that i use uMatrix and disable JS globally by default - would like to hear yur thoughts and which header exactly woiuld need to be modiied/deleted? is it the `Access-Control-Allow-Origin` response header?

nobody added the

sop/cors

label 2 years ago

nobody commented 2 years ago

Owner

For documentation I describe that a little bit

With modern browser this is no longer possible to modify the CORS part of a header. With earlier versions of Firefox Nightly (and maybe Beta) this was possible in about:config and chromium based browsers can be disable that by --disable-web-security.

SOP is an important security feature. It doesn't protect against everything and everyone, but it's still an important part.

CORS tries to relax the hard restrictions of an SOP and contains different parts:

• Access-Control-Allow-Origin
• Access-Control-Allow-Credentials
• Access-Control-Allow-Headers
• Access-Control-Allow-Methods
• Access-Control-Expose-Headers
• Access-Control-Max-Age
• Access-Control-Request-Headers
• Access-Control-Request-Method

https://gitlab.com/nobody42/localcdn/-/issues/57

---

and which header exactly woiuld need to be modiied/deleted? is it the Access-Control-Allow-Origin response header?

Exactly

how unsafe it would be to modify/delete the CORS origin header

This should be harmless, because the frameworks are fetched from local. Normally I get them from the developers directly (GitHub, GitLab, ...) or cdnjs.cloudflare.com. They can't be modified from outside if the extension is installed. If a website embeds a framework by CDN, it can be replaced at any time (e.g. man-in-the-middle)

The problem is, that the relaxed CORS doesn't apply to LocalCDN only. This applies to everything and that makes it risky. Of course, if JavaScript is disabled, it reduces the risk, but the JavaScript code is already in memory. It just won't be executed.

Deactivated JavaScript isn't the normal case. Many websites use it and many users have it activated. JavaScript can also do good and useful things.

For documentation I describe that a little bit With modern browser this is no longer possible to modify the CORS part of a header. With earlier versions of Firefox Nightly (and maybe Beta) this was possible in `about:config` and chromium based browsers can be disable that by `--disable-web-security`. SOP is an important security feature. It doesn't protect against everything and everyone, but it's still an important part. CORS tries to relax the hard restrictions of an SOP and contains different parts: * Access-Control-Allow-Origin * Access-Control-Allow-Credentials * Access-Control-Allow-Headers * Access-Control-Allow-Methods * Access-Control-Expose-Headers * Access-Control-Max-Age * Access-Control-Request-Headers * Access-Control-Request-Method > https://gitlab.com/nobody42/localcdn/-/issues/57 --- > and which header exactly woiuld need to be modiied/deleted? is it the Access-Control-Allow-Origin response header? Exactly > how unsafe it would be to modify/delete the CORS origin header This should be harmless, because the frameworks are fetched from local. Normally I get them from the developers directly (GitHub, GitLab, ...) or `cdnjs.cloudflare.com`. They can't be modified from outside if the extension is installed. If a website embeds a framework by CDN, it can be replaced at any time (e.g. man-in-the-middle) The problem is, that the relaxed CORS doesn't apply to LocalCDN only. This applies to everything and that makes it risky. Of course, if JavaScript is disabled, it reduces the risk, but the JavaScript code is already in memory. It just won't be executed. Deactivated JavaScript isn't the normal case. Many websites use it and many users have it activated. JavaScript can also do good and useful things.

nobody added the

question/discussion

label 2 years ago

12bytes.org commented 2 years ago

Poster

With modern browser this is no longer possible to modify the CORS part of a header.

maybe i'm not understanding something here, but i'm using simple-modify-headers to delete the style-src header inorder to allow my custom css to be injected into various sites

header manipulation can be done on a per-host/domain basis but to do this for LCDN would be a pain, however given your explination i don't think i'll bother

Deactivated JavaScript isn’t the normal case. Many websites use it and many users have it activated. JavaScript can also do good and useful things.

yes, of course - but i use a default-deny policy with uMatrix and enable only for hosts as needed

thanks for the info

> With modern browser this is no longer possible to modify the CORS part of a header. maybe i'm not understanding something here, but i'm using [simple-modify-headers](https://addons.mozilla.org/en-US/firefox/addon/simple-modify-header/) to delete the `style-src` header inorder to allow my custom css to be injected into various sites header manipulation can be done on a per-host/domain basis but to do this for LCDN would be a pain, however given your explination i don't think i'll bother > Deactivated JavaScript isn’t the normal case. Many websites use it and many users have it activated. JavaScript can also do good and useful things. yes, of course - but i use a default-deny policy with uMatrix and enable only for hosts as needed thanks for the info

12bytes.org closed this issue 2 years ago

nobody commented 2 years ago

Owner

maybe i’m not understanding something here, but i’m using simple-modify-headers to delete the style-src header inorder to allow my custom css to be injected into various sites

Some headers can be modified, but not all. I tried it a long time ago, but since a few months/years ago it doesn't work anymore. I used this extension in the past: Laboratory (Content Security Policy / CSP Toolkit)

> maybe i’m not understanding something here, but i’m using simple-modify-headers to delete the style-src header inorder to allow my custom css to be injected into various sites Some headers can be modified, but not all. I tried it a long time ago, but since a few months/years ago it doesn't work anymore. I used this extension in the past: [Laboratory (Content Security Policy / CSP Toolkit)](https://addons.mozilla.org/en-US/firefox/addon/laboratory-by-mozilla/)

nobody added the

observation

label 2 years ago

nobody commented 1 year ago

Owner

see #369 Information about SOP/CORS related issues

see [#369 Information about SOP/CORS related issues](https://codeberg.org/nobody/LocalCDN/issues/369)

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

develop

main

v2.0.17

v2.0.18

v2.0.19

v2.0.20

v2.0.21

v2.0.22

v2.0.23

v2.0.24

v2.1.0

v2.1.1

v2.1.10

v2.1.11

v2.1.12

v2.1.13

v2.1.14

v2.1.2

v2.1.3

v2.1.4

v2.1.4.3

v2.1.5

v2.1.6

v2.1.7

v2.1.8

v2.1.9

v2.2.0

v2.2.1

v2.2.10

v2.2.12

v2.2.13

v2.2.14

v2.2.14.2

v2.2.15

v2.2.16

v2.2.16.1

v2.2.17

v2.2.17.2

v2.2.18.3

v2.2.2

v2.2.3

v2.2.4

v2.2.5

v2.2.6

v2.2.7

v2.2.7.5

v2.2.8

v2.2.9

v2.3.0

v2.3.1

v2.3.1.10

v2.4.0

v2.5.0

v2.5.1

v2.5.10

v2.5.11

v2.5.12

v2.5.13

v2.5.2

v2.5.3

v2.5.4

v2.5.5

v2.5.6

v2.5.7

v2.5.8

v2.5.9

v2.6.0

v2.6.0beta2

v2.6.0beta4

v2.6.0beta5

v2.6.1

v2.6.10

v2.6.12

v2.6.13

v2.6.14

v2.6.15

v2.6.16

v2.6.17

v2.6.18

v2.6.19

v2.6.1beta1

v2.6.2

v2.6.20

v2.6.21

v2.6.22

v2.6.23

v2.6.24

v2.6.25

v2.6.26

v2.6.27

v2.6.28

v2.6.29

v2.6.3

v2.6.30

v2.6.31

v2.6.32

v2.6.4

v2.6.5

v2.6.6

v2.6.7

v2.6.8

v2.6.9

Labels

Apply labels

Clear labels

bug
Something is not working Chromium incompatibility/bug
Incompatible or a bug in Chromium-based browsers documentation
documentation duplicate
This issue or pull request already exists enhancement
Feature request/Enhancement firefox-bug
Firefox bug framework/mapping
missing/obsolete framework or mapping help wanted
Need some help invalid
Something is wrong need info
Need info from the reporter observation question/discussion
Question about the extension sop/cors
Same-Origin-Policy or Cross-Origin-Resource-Sharing testing
testing update framework
Update framework website
Own Website (www.localcdn.org) wontfix
This won't be fixed or implemented

No Label bug Chromium incompatibility/bug documentation duplicate enhancement firefox-bug framework/mapping help wanted invalid need info observation question/discussion sop/cors testing update framework website wontfix

Milestone

Set milestone

Clear milestone

No items

No Milestone

Assignees

Assign users

Clear assignees

No Assignees

2 Participants

Notifications

Subscribe

Due Date

The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: nobody/LocalCDN#145

Write Preview

Loading…

Cancel

Save

There is no content yet.