#145 Q: CORS, SOP

Closed
opened 6 months ago by 12bytes.org · 4 comments

I'm just wondering how unsafe it would be to modify/delete the CORS origin header for LCDN purposes, given that I use uMatrix and disable JS globally by default. Would like to hear your thoughts.

And which header exactly would need to be modified/deleted? Is it the `Access-Control-Allow-Origin` response header?

nobody added the
sop/cors
label 6 months ago
nobody commented 6 months ago
Owner

For documentation, I describe that a little bit.

With modern browsers it is no longer possible to modify the CORS part of a header. With earlier versions of Firefox Nightly (and maybe Beta) this was possible in `about:config`, and Chromium-based browsers can disable it with `--disable-web-security`.

SOP is an important security feature. It doesn't protect against everything and everyone, but it's still an important part.

CORS tries to relax the hard restrictions of the SOP and consists of different parts:

  • Access-Control-Allow-Origin
  • Access-Control-Allow-Credentials
  • Access-Control-Allow-Headers
  • Access-Control-Allow-Methods
  • Access-Control-Expose-Headers
  • Access-Control-Max-Age
  • Access-Control-Request-Headers
  • Access-Control-Request-Method

https://gitlab.com/nobody42/localcdn/-/issues/57


> and which header exactly would need to be modified/deleted? is it the Access-Control-Allow-Origin response header?

Exactly

> how unsafe it would be to modify/delete the CORS origin header

This should be harmless, because the frameworks are fetched locally. Normally I get them from the developers directly (GitHub, GitLab, ...) or from `cdnjs.cloudflare.com`. They can't be modified from outside if the extension is installed. If a website embeds a framework via a CDN, it can be replaced at any time (e.g. by a man-in-the-middle).

The problem is that the relaxed CORS doesn't apply to LocalCDN only. It applies to everything, and that makes it risky. Of course, if JavaScript is disabled, that reduces the risk, but the JavaScript code is already in memory; it just won't be executed.

Deactivated JavaScript isn't the normal case. Many websites use it and many users have it activated. JavaScript can also do good and useful things.

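The following is an added example, not code from LocalCDN or from anyone in this thread. It models the browser-side CORS check that the reply above refers to, for a simple (non-preflighted) cross-origin fetch, and shows what a blanket header-rewrite rule does: forcing `Access-Control-Allow-Origin: *` on every response opens every site's anonymous responses to any origin, not only the CDN responses the extension replaces, while deleting the header simply blocks cross-origin reads. The origins, header sets and the `relaxAcao`/`deleteAcao` rules are constructed for illustration.

```javascript
// Added example (not LocalCDN code): a minimal model of the browser-side CORS
// check for a simple cross-origin fetch. All origins and headers below are
// constructed for illustration.

// Case-insensitive header lookup on a plain {name: value} object.
function getHeader(headers, name) {
  const key = Object.keys(headers).find(
    (k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : headers[key];
}

// Does script running on `requestOrigin` get to read this response?
// Mirrors the Fetch spec's CORS check: Access-Control-Allow-Origin must be
// "*" (only for requests without credentials) or match the requesting origin
// exactly; with credentials, "*" is rejected and
// Access-Control-Allow-Credentials must be exactly "true".
function corsCheck(requestOrigin, withCredentials, responseHeaders) {
  const allowOrigin = getHeader(responseHeaders, "Access-Control-Allow-Origin");
  if (allowOrigin === null) return false;            // no header: opaque response
  if (!withCredentials) {
    return allowOrigin === "*" || allowOrigin === requestOrigin;
  }
  if (allowOrigin === "*") return false;             // wildcard never carries cookies
  if (allowOrigin !== requestOrigin) return false;
  return getHeader(responseHeaders, "Access-Control-Allow-Credentials") === "true";
}

// Two hypothetical rewrite rules of the kind a header-modifying extension
// applies to *every* response it sees.
function relaxAcao(responseHeaders) {
  const out = deleteAcao(responseHeaders);
  out["Access-Control-Allow-Origin"] = "*";
  return out;
}

function deleteAcao(responseHeaders) {
  const out = {};
  for (const [k, v] of Object.entries(responseHeaders)) {
    if (k.toLowerCase() !== "access-control-allow-origin") out[k] = v;
  }
  return out;
}

// Constructed sample responses: a CDN-hosted framework (already CORS-open)
// and an authenticated first-party API response (no CORS headers at all).
const CDN_RESPONSE = {
  "Content-Type": "application/javascript",
  "Access-Control-Allow-Origin": "*",
};
const BANK_RESPONSE = {
  "Content-Type": "application/json",
  "Set-Cookie": "session=abc; Secure; HttpOnly",
};

// Evaluate the rules from the point of view of a third-party page.
function demo(attackerOrigin = "https://third-party.example") {
  return {
    cdnReadable: corsCheck(attackerOrigin, false, CDN_RESPONSE),
    cdnAfterDelete: corsCheck(attackerOrigin, false, deleteAcao(CDN_RESPONSE)),
    bankBlocked: corsCheck(attackerOrigin, false, BANK_RESPONSE),
    bankAfterRelax: corsCheck(attackerOrigin, false, relaxAcao(BANK_RESPONSE)),
    bankAfterRelaxWithCookies: corsCheck(attackerOrigin, true, relaxAcao(BANK_RESPONSE)),
  };
}

console.log(demo());
```

The last two fields are the practical point: a global `*` rewrite exposes anonymous responses from every site to any page that can run script, but the wildcard still does not let a credentialed request through, so a rule that reflected the requesting origin and added `Access-Control-Allow-Credentials: true` would be considerably worse. With JavaScript blocked by uMatrix the check is never exercised, which is why disabling JS reduces the risk without removing it.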
nobody added the
question/discussion
label 6 months ago
Poster

> With modern browsers it is no longer possible to modify the CORS part of a header.

Maybe I'm not understanding something here, but I'm using [simple-modify-headers](https://addons.mozilla.org/en-US/firefox/addon/simple-modify-header/) to delete the `style-src` header in order to allow my custom CSS to be injected into various sites.

Header manipulation can be done on a per-host/domain basis, but to do this for LCDN would be a pain. However, given your explanation, I don't think I'll bother.

> Deactivated JavaScript isn't the normal case. Many websites use it and many users have it activated. JavaScript can also do good and useful things.

Yes, of course, but I use a default-deny policy with uMatrix and enable it only for hosts as needed.

Thanks for the info.

12bytes.org closed this issue 6 months ago
nobody commented 6 months ago
Owner

> Maybe I'm not understanding something here, but I'm using simple-modify-headers to delete the style-src header in order to allow my custom CSS to be injected into various sites.

Some headers can be modified, but not all. I tried it a long time ago, but since a few months/years ago it doesn't work anymore. I used this extension in the past: [Laboratory (Content Security Policy / CSP Toolkit)](https://addons.mozilla.org/en-US/firefox/addon/laboratory-by-mozilla/)

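An added example, not code from simple-modify-headers, Laboratory or LocalCDN, that makes the manipulation discussed in the two comments above concrete: `style-src` is a directive inside the `Content-Security-Policy` response header rather than a header of its own, so stripping only that directive is a different change from deleting the whole header. The code rewrites a webRequest-style `responseHeaders` array the way an `onHeadersReceived` listener would and then checks which source list ends up governing stylesheets. The policies and the listener registration are constructed for illustration; the listener only registers when a `browser.webRequest` API is actually present.

```javascript
// Added example: strip one CSP directive from response headers and show the
// fallback the browser applies afterwards. Sample policy is constructed.

// Parse a CSP header value into [directiveName, sourceList] pairs.
function parseCsp(value) {
  return value.split(";")
    .map((d) => d.trim())
    .filter((d) => d.length > 0)
    .map((d) => {
      const [name, ...sources] = d.split(/\s+/);
      return [name.toLowerCase(), sources];
    });
}

function serializeCsp(directives) {
  return directives.map(([name, sources]) => [name, ...sources].join(" ")).join("; ");
}

// Remove one directive from every Content-Security-Policy header in a
// webRequest-style array ([{name, value}, ...]); other headers and the
// remaining directives are untouched.
function stripCspDirective(responseHeaders, directive) {
  const wanted = directive.toLowerCase();
  return responseHeaders.map((h) => {
    if (h.name.toLowerCase() !== "content-security-policy") return h;
    const kept = parseCsp(h.value).filter(([name]) => name !== wanted);
    return { name: h.name, value: serializeCsp(kept) };
  });
}

// Delete the whole header instead (what a generic "remove header" rule does).
function deleteCspHeader(responseHeaders) {
  return responseHeaders.filter(
    (h) => h.name.toLowerCase() !== "content-security-policy");
}

// Which source list restricts stylesheets after the rewrite? style-src wins;
// if it is absent the browser falls back to default-src; if neither exists
// the policy places no restriction on styles (returns null). Assumes a single
// CSP header; several headers would each be enforced independently.
function effectiveStyleSources(responseHeaders) {
  const csp = responseHeaders.find(
    (h) => h.name.toLowerCase() === "content-security-policy");
  if (!csp) return null;
  const directives = new Map(parseCsp(csp.value));
  return directives.get("style-src") ?? directives.get("default-src") ?? null;
}

// Constructed sample response: a site that whitelists its own origin plus a
// font host for styles and cdnjs for scripts.
const SAMPLE_HEADERS = [
  { name: "Content-Type", value: "text/html" },
  { name: "Content-Security-Policy",
    value: "default-src 'self'; script-src 'self' https://cdnjs.cloudflare.com; " +
           "style-src 'self' https://fonts.example" },
];

// Register as a blocking listener when running inside a WebExtension
// (Firefox MV2 webRequest API); a no-op when run under Node for testing.
if (typeof browser !== "undefined" && browser.webRequest) {
  browser.webRequest.onHeadersReceived.addListener(
    (details) => ({ responseHeaders: stripCspDirective(details.responseHeaders, "style-src") }),
    { urls: ["<all_urls>"], types: ["main_frame"] },
    ["blocking", "responseHeaders"]);
}

console.log(effectiveStyleSources(SAMPLE_HEADERS));
console.log(effectiveStyleSources(stripCspDirective(SAMPLE_HEADERS, "style-src")));
console.log(effectiveStyleSources(deleteCspHeader(SAMPLE_HEADERS)));
```

The fallback is the caveat worth knowing: removing `style-src` alone still leaves `default-src 'self'` governing stylesheets on this sample policy, so injected CSS from another origin stays blocked until `default-src` is relaxed as well, whereas deleting the whole header also drops the `script-src` restriction that had nothing to do with styles.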
nobody added the
observation
label 5 months ago
nobody commented 24 hours ago
Owner
see [#369 Information about SOP/CORS related issues](https://codeberg.org/nobody/LocalCDN/issues/369)