nobody
/
LocalCDN
16
90
Fork 8
Code Issues 4 Pull Requests 1 Releases 73 Wiki Activity
Labels Milestones
New Issue

#145 Q: CORS, SOP

Closed
opened 6 months ago by 12bytes.org · 4 comments
12bytes.org commented 6 months ago

i'm just wondering how unsafe it would be to modify/delete the CORS origin header for LCDN purposes given that i use uMatrix and disable JS globally by default - would like to hear yur thoughts

and which header exactly woiuld need to be modiied/deleted? is it the Access-Control-Allow-Origin response header?

i'm just wondering how unsafe it would be to modify/delete the CORS origin header for LCDN purposes given that i use uMatrix and disable JS globally by default - would like to hear yur thoughts and which header exactly woiuld need to be modiied/deleted? is it the `Access-Control-Allow-Origin` response header?
nobody added the
sop/cors
label 6 months ago
nobody commented 6 months ago
Owner

For documentation I describe that a little bit

With modern browser this is no longer possible to modify the CORS part of a header. With earlier versions of Firefox Nightly (and maybe Beta) this was possible in about:config and chromium based browsers can be disable that by --disable-web-security.

SOP is an important security feature. It doesn't protect against everything and everyone, but it's still an important part.

CORS tries to relax the hard restrictions of an SOP and contains different parts:

  • Access-Control-Allow-Origin
  • Access-Control-Allow-Credentials
  • Access-Control-Allow-Headers
  • Access-Control-Allow-Methods
  • Access-Control-Expose-Headers
  • Access-Control-Max-Age
  • Access-Control-Request-Headers
  • Access-Control-Request-Method

https://gitlab.com/nobody42/localcdn/-/issues/57

and which header exactly woiuld need to be modiied/deleted? is it the Access-Control-Allow-Origin response header?

Exactly

how unsafe it would be to modify/delete the CORS origin header

This should be harmless, because the frameworks are fetched from local. Normally I get them from the developers directly (GitHub, GitLab, ...) or cdnjs.cloudflare.com. They can't be modified from outside if the extension is installed. If a website embeds a framework by CDN, it can be replaced at any time (e.g. man-in-the-middle)

The problem is, that the relaxed CORS doesn't apply to LocalCDN only. This applies to everything and that makes it risky. Of course, if JavaScript is disabled, it reduces the risk, but the JavaScript code is already in memory. It just won't be executed.

Deactivated JavaScript isn't the normal case. Many websites use it and many users have it activated. JavaScript can also do good and useful things.

For documentation I describe that a little bit With modern browser this is no longer possible to modify the CORS part of a header. With earlier versions of Firefox Nightly (and maybe Beta) this was possible in `about:config` and chromium based browsers can be disable that by `--disable-web-security`. SOP is an important security feature. It doesn't protect against everything and everyone, but it's still an important part. CORS tries to relax the hard restrictions of an SOP and contains different parts: * Access-Control-Allow-Origin * Access-Control-Allow-Credentials * Access-Control-Allow-Headers * Access-Control-Allow-Methods * Access-Control-Expose-Headers * Access-Control-Max-Age * Access-Control-Request-Headers * Access-Control-Request-Method > https://gitlab.com/nobody42/localcdn/-/issues/57 --- > and which header exactly woiuld need to be modiied/deleted? is it the Access-Control-Allow-Origin response header? Exactly > how unsafe it would be to modify/delete the CORS origin header This should be harmless, because the frameworks are fetched from local. Normally I get them from the developers directly (GitHub, GitLab, ...) or `cdnjs.cloudflare.com`. They can't be modified from outside if the extension is installed. If a website embeds a framework by CDN, it can be replaced at any time (e.g. man-in-the-middle) The problem is, that the relaxed CORS doesn't apply to LocalCDN only. This applies to everything and that makes it risky. Of course, if JavaScript is disabled, it reduces the risk, but the JavaScript code is already in memory. It just won't be executed. Deactivated JavaScript isn't the normal case. Many websites use it and many users have it activated. JavaScript can also do good and useful things.
nobody added the
question/discussion
label 6 months ago
12bytes.org commented 6 months ago
Poster

With modern browser this is no longer possible to modify the CORS part of a header.

maybe i'm not understanding something here, but i'm using simple-modify-headers to delete the style-src header inorder to allow my custom css to be injected into various sites

header manipulation can be done on a per-host/domain basis but to do this for LCDN would be a pain, however given your explination i don't think i'll bother

Deactivated JavaScript isn’t the normal case. Many websites use it and many users have it activated. JavaScript can also do good and useful things.

yes, of course - but i use a default-deny policy with uMatrix and enable only for hosts as needed

thanks for the info

> With modern browser this is no longer possible to modify the CORS part of a header. maybe i'm not understanding something here, but i'm using [simple-modify-headers](https://addons.mozilla.org/en-US/firefox/addon/simple-modify-header/) to delete the `style-src` header inorder to allow my custom css to be injected into various sites header manipulation can be done on a per-host/domain basis but to do this for LCDN would be a pain, however given your explination i don't think i'll bother > Deactivated JavaScript isn’t the normal case. Many websites use it and many users have it activated. JavaScript can also do good and useful things. yes, of course - but i use a default-deny policy with uMatrix and enable only for hosts as needed thanks for the info
12bytes.org closed this issue 6 months ago
nobody commented 6 months ago
Owner

maybe i’m not understanding something here, but i’m using simple-modify-headers to delete the style-src header inorder to allow my custom css to be injected into various sites

Some headers can be modified, but not all. I tried it a long time ago, but since a few months/years ago it doesn't work anymore. I used this extension in the past: Laboratory (Content Security Policy / CSP Toolkit)

> maybe i’m not understanding something here, but i’m using simple-modify-headers to delete the style-src header inorder to allow my custom css to be injected into various sites Some headers can be modified, but not all. I tried it a long time ago, but since a few months/years ago it doesn't work anymore. I used this extension in the past: [Laboratory (Content Security Policy / CSP Toolkit)](https://addons.mozilla.org/en-US/firefox/addon/laboratory-by-mozilla/)
nobody added the
observation
label 5 months ago
nobody commented 24 hours ago
Owner

see #369 Information about SOP/CORS related issues

see [#369 Information about SOP/CORS related issues](https://codeberg.org/nobody/LocalCDN/issues/369)
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
develop
main
Labels
Apply labels
Clear labels
bug
Something is not working Chromium incompatibility
Not compatible with chromium based browsers documentation
documentation duplicate
This issue or pull request already exists enhancement
Feature request/Enhancement firefox-bug
Firefox bug help wanted
Need some help invalid
Something is wrong missing framework/mapping
Missing framework or mapping need info
Need info from the reporter observation question/discussion
Question about the extension sop/cors
Same-Origin-Policy or Cross-Origin-Resource-Sharing testing
testing update framework
Update framework website
Own Website (www.localcdn.org) wontfix
This won't be fixed
No Label
bug
Chromium incompatibility
documentation
duplicate
enhancement
firefox-bug
help wanted
invalid
missing framework/mapping
need info
observation
question/discussion
sop/cors
testing
update framework
website
wontfix
Milestone
Set milestone
Clear milestone
No items
No Milestone
Assignees
Assign users
Clear assignees
No Assignees
2 Participants
Notifications
Due Date

No due date set.

Dependencies

This issue currently doesn't have any dependencies.

Write Preview
Loading…
Cancel
Save
There is no content yet.
Delete Branch '%!s(MISSING)'

Deleting a branch is permanent. It CANNOT be undone. Continue?

No
Yes