Reference: nobody/LocalCDN#145
I'm just wondering how unsafe it would be to modify/delete the CORS origin header for LCDN purposes, given that I use uMatrix and disable JS globally by default - would like to hear your thoughts.

And which header exactly would need to be modified/deleted? Is it the Access-Control-Allow-Origin response header?

For documentation I describe that a little bit.
With modern browsers it is no longer possible to modify the CORS part of a header. With earlier versions of Firefox Nightly (and maybe Beta) this was possible in about:config, and Chromium-based browsers can disable that with --disable-web-security. SOP is an important security feature. It doesn't protect against everything and everyone, but it's still an important part.
CORS tries to relax the hard restrictions of an SOP and contains different parts:
Exactly
This should be harmless, because the frameworks are fetched locally. Normally I get them from the developers directly (GitHub, GitLab, ...) or cdnjs.cloudflare.com. They can't be modified from outside if the extension is installed. If a website embeds a framework by CDN, it can be replaced at any time (e.g. man-in-the-middle).

The problem is that the relaxed CORS doesn't apply to LocalCDN only. This applies to everything, and that makes it risky. Of course, if JavaScript is disabled, it reduces the risk, but the JavaScript code is already in memory. It just won't be executed.
Deactivated JavaScript isn't the normal case. Many websites use it and many users have it activated. JavaScript can also do good and useful things.
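Where exactly the Access-Control-Allow-Origin header decides access, and why a blanket rewrite of it affects every site rather than just CDN assets, shown as an added JavaScript model of the browser's CORS response check (example code, not from the LocalCDN project; the hostnames and response headers are constructed):

```javascript
// Added example (not from the LocalCDN issue): a simplified model of the browser's
// CORS response check, following the steps of the Fetch standard's "CORS check".
// It shows why a global rewrite of Access-Control-Allow-Origin (ACAO) is risky:
// the relaxation applies to every cross-origin response, not only CDN assets.

// Look up a header name case-insensitively; returns null when absent.
function getHeader(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : headers[key];
}

// corsCheck returns true when a page at `requestOrigin` may read the
// cross-origin response. credentialsMode is 'include' (cookies sent) or 'omit'.
function corsCheck(requestOrigin, credentialsMode, responseHeaders) {
  const allowOrigin = getHeader(responseHeaders, 'Access-Control-Allow-Origin');
  if (allowOrigin === null) return false;                       // no ACAO: blocked
  if (credentialsMode !== 'include' && allowOrigin === '*') return true;
  if (allowOrigin !== requestOrigin) return false;              // must match exactly
  if (credentialsMode !== 'include') return true;
  // With credentials the server must opt in explicitly; '*' is never enough.
  return getHeader(responseHeaders, 'Access-Control-Allow-Credentials') === 'true';
}

// relaxAll models a header-modifying extension rule that overwrites ACAO on
// every response (the "applies to everything" case from the discussion).
function relaxAll(responseHeaders) {
  const out = {};
  for (const [k, v] of Object.entries(responseHeaders)) {
    if (k.toLowerCase() !== 'access-control-allow-origin') out[k] = v;
  }
  out['Access-Control-Allow-Origin'] = '*';
  return out;
}

// Constructed sample responses (no real hosts or captured traffic).
const cdnResponse = { 'Content-Type': 'application/javascript',
                      'Access-Control-Allow-Origin': '*' };           // public CDN asset
const privateApiResponse = { 'Content-Type': 'application/json' };    // internal API, no CORS

// Scenario: a page on https://example.com reads both responses cross-origin.
function scenario() {
  const page = 'https://example.com';
  return {
    cdnBefore: corsCheck(page, 'omit', cdnResponse),                      // true
    apiBefore: corsCheck(page, 'omit', privateApiResponse),               // false
    apiAfterRelax: corsCheck(page, 'omit', relaxAll(privateApiResponse)), // true: now readable
    apiWithCookiesAfterRelax: corsCheck(page, 'include', relaxAll(privateApiResponse)), // false
  };
}
```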
Maybe I'm not understanding something here, but I'm using simple-modify-headers to delete the style-src header in order to allow my custom CSS to be injected into various sites.

Header manipulation can be done on a per-host/domain basis, but to do this for LCDN would be a pain. However, given your explanation I don't think I'll bother.
Yes, of course - but I use a default-deny policy with uMatrix and enable only for hosts as needed.

Thanks for the info.
Some headers can be modified, but not all. I tried it a long time ago, but for a few months/years now it hasn't worked anymore. I used this extension in the past: Laboratory (Content Security Policy / CSP Toolkit).

See #369: Information about SOP/CORS related issues.