This repository was archived by the owner on Nov 6, 2023. It is now read-only.

Fix some CORS issues in HTTP Nowhere mode#15606

Merged
Hainish merged 2 commits into EFForg:master from cschanaj:fix-cors-in-http-nowhere-mode on Jun 7, 2018

Conversation

@cschanaj
Collaborator

@cschanaj cschanaj commented Jun 3, 2018

  • Rewrite access-control-allow-origin to avoid the HTTP protocol in
    HTTP Nowhere mode

This change makes CORS issues like #14275 less likely to happen in HTTP Nowhere mode.

 * Rewrite access-control-allow-origin to avoid the HTTP protocol in HTTP Nowhere mode
@cschanaj
Collaborator Author

cschanaj commented Jun 3, 2018

ping @Hainish will there be a new release any time soon given that #15157 and #15411 are merged?

@Giltyhub
Contributor

Giltyhub commented Jun 3, 2018

thanks again @cschanaj for all of your work on https-e!


// If HTTP protocol is used, change it to HTTPS
if (value.match(/http:/)) {
  details.responseHeaders[idx].value = value.replace(/http:/g, "https:");
}

What if one of the URLs has http: in the middle?

@cschanaj
Collaborator Author

cschanaj commented Jun 7, 2018

According to https://www.w3.org/TR/cors/#access-control-allow-origin-response-header

In practice the origin-list-or-null production is more constrained. Rather than allowing a space-separated list of origins, it is either a single origin or the string "null".

and according to https://tools.ietf.org/html/rfc6454#section-7.1

   The Origin header field has the following syntax:

   origin              = "Origin:" OWS origin-list-or-null OWS
   origin-list-or-null = %x6E %x75 %x6C %x6C / origin-list
   origin-list         = serialized-origin *( SP serialized-origin )
   serialized-origin   = scheme "://" host [ ":" port ]
                       ; <scheme>, <host>, <port> from RFC 3986

There is only a single Origin in the Access-Control-Allow-Origin header, consisting of scheme, host and an optional port only.

> What if one of the URLs has http: in the middle?

So, I guess this cannot happen in reality.

@Hainish could you please help to confirm?
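An added example (not HTTPS Everywhere's code) that puts the snippet's global `http:` replace beside a rewrite anchored to the single-origin grammar quoted above, so both can be compared on constructed Access-Control-Allow-Origin values, including the reviewer's "http: in the middle" case. The header array shape follows the `details.responseHeaders[idx].value` form in the snippet; function names are assumptions.

```javascript
// Matches exactly one serialized-origin: scheme "://" host [ ":" port ].
// The host/port character classes are a simplification of RFC 3986.
const SERIALIZED_ORIGIN = /^([a-z][a-z0-9+.-]*):\/\/([^\/?#:]+)(:\d+)?$/i;

// Strict rewrite: only a well-formed http origin is upgraded; "*", "null"
// and anything that does not parse as a single origin are returned as-is.
function rewriteAllowOriginStrict(value) {
  const m = SERIALIZED_ORIGIN.exec(value.trim());
  if (!m) return value;                        // "*", "null", or malformed
  const [, scheme, host, port = ""] = m;
  if (scheme.toLowerCase() !== "http") return value;
  return `https://${host}${port}`;
}

// The approach from the PR snippet: an unanchored, global replace.
function rewriteAllowOriginNaive(value) {
  return value.match(/http:/) ? value.replace(/http:/g, "https:") : value;
}

// Apply a rewrite to a webRequest-style responseHeaders array (assumed
// [{name, value}] shape), touching only Access-Control-Allow-Origin.
function rewriteCorsHeaders(responseHeaders, rewrite = rewriteAllowOriginStrict) {
  return responseHeaders.map(h =>
    h.name.toLowerCase() === "access-control-allow-origin"
      ? { name: h.name, value: rewrite(h.value) }
      : h);
}

// Constructed sample header values for the comparison.
const SAMPLES = [
  "http://example.com",                          // the case the PR targets
  "http://example.com:8080",                     // origin with a port
  "https://example.com",                         // already HTTPS: untouched
  "*",                                           // wildcard allowed by the CORS spec
  "null",                                        // the "null" production
  "http://example.org/?next=http://example.net", // not a valid origin: "http:" mid-value
];

// Returns, per sample, what each rewrite produces so the difference is visible.
function compare() {
  return SAMPLES.map(v => ({
    value: v,
    strict: rewriteAllowOriginStrict(v),
    naive: rewriteAllowOriginNaive(v),
  }));
}
```

On a value that follows the quoted grammar the two functions agree; they differ only on values that are not a single origin, where the strict form leaves the header alone rather than rewriting every `http:` it finds.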

@Hainish
Member

Hainish commented Jun 7, 2018

Thanks @cschanaj. This sounds correct to me. Merging.

@Hainish Hainish merged commit b1a024d into EFForg:master Jun 7, 2018
@cschanaj cschanaj deleted the fix-cors-in-http-nowhere-mode branch June 7, 2018 01:58
@cschanaj
Collaborator Author

cschanaj commented Jun 7, 2018

@Hainish Thanks for merging this PR. We haven't had any full release since April; is there a plan to make a release soon?

@Hainish
Member

Hainish commented Jun 7, 2018 via email
