I'm just wondering how unsafe it would be to modify/delete the CORS origin header for LCDN purposes, given that I use uMatrix and disable JS globally by default. I would like to hear your thoughts.
And which header exactly would need to be modified/deleted? Is it the `Access-Control-Allow-Origin` response header?
For the documentation, I describe that a little bit.
With modern browsers it is no longer possible to modify the CORS part of a header. With earlier versions of Firefox Nightly (and maybe Beta) this was possible in `about:config`, and Chromium-based browsers can disable it with `--disable-web-security`.
SOP is an important security feature. It doesn't protect against everything and everyone, but it's still an important part.
CORS tries to relax the hard restrictions of the SOP and consists of different parts:
* Access-Control-Allow-Origin
* Access-Control-Allow-Credentials
* Access-Control-Allow-Headers
* Access-Control-Allow-Methods
* Access-Control-Expose-Headers
* Access-Control-Max-Age
* Access-Control-Request-Headers
* Access-Control-Request-Method
> https://gitlab.com/nobody42/localcdn/-/issues/57
---
> And which header exactly would need to be modified/deleted? Is it the `Access-Control-Allow-Origin` response header?
Exactly
> how unsafe it would be to modify/delete the CORS origin header
This should be harmless, because the frameworks are fetched locally. Normally I get them from the developers directly (GitHub, GitLab, ...) or from `cdnjs.cloudflare.com`. They can't be modified from outside if the extension is installed. If a website embeds a framework by CDN, it can be replaced at any time (e.g. by a man-in-the-middle).
The problem is that the relaxed CORS doesn't apply to LocalCDN only. It applies to everything, and that makes it risky. Of course, if JavaScript is disabled, it reduces the risk, but the JavaScript code is already in memory. It just won't be executed.
Deactivated JavaScript isn't the normal case. Many websites use it and many users have it activated. JavaScript can also do good and useful things.
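The browser-side check behind the reply above, as an added example that is not code from LocalCDN or from this thread: a simplified model of the CORS check from the Fetch standard, run against constructed hosts (`attacker.example`, an intranet page and a cookie-authenticated API, all hypothetical) to show why relaxing `Access-Control-Allow-Origin` on every response exposes every site, not just the CDN resources LocalCDN replaces.

```javascript
// Added example (not part of the LocalCDN project or this thread): a
// simplified model of the browser's CORS check from the Fetch standard,
// used to show what relaxing Access-Control-Allow-Origin globally exposes.
// Origins, host names and header values below are constructed for the demo.

// HTTP header names are case-insensitive, so look them up that way.
function getHeader(headers, name) {
  const key = Object.keys(headers).find(
    (k) => k.toLowerCase() === name.toLowerCase()
  );
  return key === undefined ? null : headers[key].trim();
}

// CORS check as the browser performs it before exposing a cross-origin
// response to the page. `request` = { origin, credentials } with credentials
// "include" or "omit"; `responseHeaders` is a name -> value map.
// Returns true when the requesting page may read the response.
function corsCheck(request, responseHeaders) {
  const allowOrigin = getHeader(responseHeaders, "Access-Control-Allow-Origin");
  if (allowOrigin === null) return false;             // no CORS header: blocked
  const withCreds = request.credentials === "include";
  if (!withCreds && allowOrigin === "*") return true;  // wildcard: anonymous only
  if (allowOrigin !== request.origin) return false;   // "*" fails here with creds
  if (!withCreds) return true;
  const allowCreds = getHeader(responseHeaders, "Access-Control-Allow-Credentials");
  return allowCreds === "true";                        // credentialed needs opt-in
}

// Two ways an extension could "relax" CORS on every response, applied
// indiscriminately to all hosts, which is what the reply warns against.
function relaxWildcard(responseHeaders) {
  return { ...responseHeaders, "Access-Control-Allow-Origin": "*" };
}
function relaxReflect(responseHeaders, requestOrigin) {
  return {
    ...responseHeaders,
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Scenario: a page on attacker.example fetches from two unrelated hosts that
// send no CORS headers at all (both responses are constructed).
const ATTACKER = "https://attacker.example";
const INTRANET_RESPONSE = { "Content-Type": "text/html" }; // private intranet page
const BANK_RESPONSE = {                                      // cookie-authenticated API
  "Content-Type": "application/json",
  "Cache-Control": "no-store",
};

function scenario() {
  const anon = { origin: ATTACKER, credentials: "omit" };
  const creds = { origin: ATTACKER, credentials: "include" };
  return {
    // Default browser behaviour: nothing cross-origin is readable.
    untouched: {
      intranet: corsCheck(anon, INTRANET_RESPONSE),
      bank: corsCheck(creds, BANK_RESPONSE),
    },
    // "*" everywhere: anonymous reads of every host (intranet pages, routers,
    // localhost services) become possible; cookie-bound data is still blocked.
    wildcard: {
      intranet: corsCheck(anon, relaxWildcard(INTRANET_RESPONSE)),
      bank: corsCheck(creds, relaxWildcard(BANK_RESPONSE)),
    },
    // Reflected origin plus credentials: the browser also hands over responses
    // to requests that carried the victim's session cookie.
    reflected: {
      intranet: corsCheck(anon, relaxReflect(INTRANET_RESPONSE, ATTACKER)),
      bank: corsCheck(creds, relaxReflect(BANK_RESPONSE, ATTACKER)),
    },
  };
}
```

The model omits preflights and the `null` origin, but the part it does cover is the one that matters for the question in the thread: any rewrite that adds `Access-Control-Allow-Origin` to every response turns the SOP off for every host the browser can reach, and the reflected-origin variant does so for authenticated requests as well.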
> With modern browser this is no longer possible to modify the CORS part of a header.
Maybe I'm not understanding something here, but I'm using [simple-modify-headers](https://addons.mozilla.org/en-US/firefox/addon/simple-modify-header/) to delete the `style-src` header in order to allow my custom CSS to be injected into various sites.
Header manipulation can be done on a per-host/domain basis, but to do this for LCDN would be a pain. However, given your explanation, I don't think I'll bother.
> Deactivated JavaScript isn’t the normal case. Many websites use it and many users have it activated. JavaScript can also do good and useful things.
Yes, of course, but I use a default-deny policy with uMatrix and enable it only for hosts as needed.
Thanks for the info.
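A per-host header rewrite of the kind mentioned above, as an added example that is not code from simple-modify-headers, LocalCDN or this thread: a WebExtension `webRequest.onHeadersReceived` handler that edits the `style-src` directive of `Content-Security-Policy` only for hosts on an allowlist and leaves every other site's policy untouched. The `ALLOWED_HOSTS` list, the host names and the policies are assumptions for the demo, and the code assumes the custom CSS is injected as an inline `<style>` element.

```javascript
// Added example, not code from the thread, from simple-modify-headers or
// from LocalCDN: relax the CSP style-src directive for an explicit host
// allowlist only. Host names and policies below are constructed for the demo.

const ALLOWED_HOSTS = new Set(["news.example", "forum.example"]); // assumed user list

// Parse "dir src src; dir src" into an ordered list of [name, sources].
function parsePolicy(policy) {
  return policy
    .split(";")
    .map((d) => d.trim())
    .filter(Boolean)
    .map((d) => {
      const [name, ...sources] = d.split(/\s+/);
      return [name.toLowerCase(), sources];
    });
}

function serializePolicy(directives) {
  return directives.map(([name, sources]) => [name, ...sources].join(" ")).join("; ");
}

// Drop style-src. A missing style-src falls back to default-src, so when a
// default-src exists an explicit style-src that also permits inline styles is
// re-added; otherwise removing the directive already lifts the restriction.
function relaxStyleSrc(policy) {
  const kept = parsePolicy(policy).filter(([name]) => name !== "style-src");
  const def = kept.find(([name]) => name === "default-src");
  if (def) {
    const sources = def[1].filter((s) => s.toLowerCase() !== "'none'");
    kept.push(["style-src", [...sources, "'unsafe-inline'"]]);
  }
  return serializePolicy(kept);
}

// Handler for webRequest.onHeadersReceived. `details` carries the request
// URL and the response headers as [{ name, value }]. Returning {} leaves the
// response as it was; only allowlisted hosts get a rewritten policy.
function rewriteHeaders(details) {
  const host = new URL(details.url).hostname;
  if (!ALLOWED_HOSTS.has(host)) return {};
  const responseHeaders = details.responseHeaders.map((h) =>
    h.name.toLowerCase() === "content-security-policy"
      ? { name: h.name, value: relaxStyleSrc(h.value) }
      : h
  );
  return { responseHeaders };
}

// Registration inside a real extension (manifest needs "webRequest",
// "webRequestBlocking" and host permissions); skipped when run outside a
// browser, e.g. under Node for the checks below.
if (typeof browser !== "undefined" && browser.webRequest) {
  browser.webRequest.onHeadersReceived.addListener(
    rewriteHeaders,
    { urls: ["<all_urls>"], types: ["main_frame", "sub_frame"] },
    ["blocking", "responseHeaders"]
  );
}
```

Two caveats a practitioner would check before shipping this: every `Content-Security-Policy` header on the response is rewritten, because multiple policies are all enforced and relaxing only one of them changes nothing; and `'unsafe-inline'` is added solely to `style-src`, so `script-src` and the rest of the page's policy stay as the site sent them. Blocking `webRequest` listeners of this form are available in Firefox; Chrome's Manifest V3 no longer allows them for ordinary extensions.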
> maybe i’m not understanding something here, but i’m using simple-modify-headers to delete the style-src header inorder to allow my custom css to be injected into various sites
Some headers can be modified, but not all. I tried it a long time ago, but for a few months/years now it hasn't worked anymore. I used this extension in the past: [Laboratory (Content Security Policy / CSP Toolkit)](https://addons.mozilla.org/en-US/firefox/addon/laboratory-by-mozilla/)
See #369: Information about SOP/CORS related issues