Feature #71
[Roadmap 5][Milestone] Make it possible for injected scripts to bypass CORS
100%
Description
Cross-Origin Resource Sharing (CORS) is a mechanism through which browsers can decide whether a page should or should not be able to access some third-party resource. Despite being a security feature, this also limits the abilities of our injected scripts. There are at least two cases where we would like scripts to be able to bypass CORS:
- When the original page gets some important data from a third-party script (included as `<script src="https://some.third.party.com/some.js"></script>`) and the script is served in a way CORS blocks its download if it is requested through AJAX instead of through a `<script>` tag.
- When we deliberately want to add some features that would not be normally possible.
Scripts running in the privileged context of a WebExtension are allowed to bypass CORS. A page script could communicate with them using messaging. We only need to implement the required API and allow the special permissions for its use to be specified on a package-by-package basis in the settings.
Related issues
History
Updated by jahoti about 2 years ago
- Parent task set to #72
While they're not the only use (as outlined in the description), meta-sites will almost certainly be the main application.
Updated by koszko about 2 years ago
BTW, we could also facilitate spoofing of the referer header for similar purposes
EDIT: GreaseMonkey actually has something[1] like what I call for in this issue.
Updated by jahoti about 2 years ago
> BTW, we could also facilitate spoofing of the referer header for similar purposes

Are extensions allowed to spoof `referer`? It's definitely needed, I fully agree, just (at least for webpages) not possible.

> EDIT: GreaseMonkey actually has something[1] like what I call for in this issue.
> [1] https://wiki.greasespot.net/GM_xmlhttpRequest
That looks like a good model- an API object is a good idea in any case, and a more JQuery-like AJAX function would be hugely beneficial no matter what.
As an extra point, do we want to provide a way to limit the domains a script (or package or however the setting may work) can bypass CORS on? Is that even feasible?
Updated by koszko about 2 years ago
> BTW, we could also facilitate spoofing of the referer header for similar purposes

> Are extensions allowed to spoof `referer`? It's definitely needed, I fully agree, just (at least for webpages) not possible.

Does WebRequest not allow rewriting of this header?

Also, perhaps we'd be able to spoof a `Referer: https://example.com/` header by opening https://example.com/ in some hidden page or iframe?

> As an extra point, do we want to provide a way to limit the domains a script (or package or however the setting may work) can bypass CORS on? Is that even feasible?

Sure! Once we implement a permissions system, this is probably going to be the main use of it.
Updated by jahoti about 2 years ago
> Does WebRequest not allow rewriting of [the referer] header?

WebRequest probably does actually; thanks for pointing that out!

> Also, perhaps we'd be able to spoof a `Referer: https://example.com/` header by opening https://example.com/ in some hidden page or iframe?

That would definitely work- nevertheless, hopefully it isn't needed and using WebRequest is enough.
Updated by koszko about 2 years ago
> Also, perhaps we'd be able to spoof a `Referer: https://example.com/` header by opening https://example.com/ in some hidden page or iframe?

> That would definitely work- nevertheless, hopefully it isn't needed and using WebRequest is enough.

We might use it as a workaround for the manifest V3 Chromium port.
Updated by koszko almost 2 years ago
In the case of important data only being available in external scripts (btw, I think this is the case with reCAPTCHA which, although nasty, is very important for us to support), instead of providing a general facility to bypass CORS (I am thinking of implementing some API similar to XMLHttpRequest), we could add a facility to fetch just the external scripts referenced by the original page. Better yet, we could actually add a general facility to bypass CORS and then make it possible to define a payload's permissions in a way that it is only allowed to bypass CORS for these particular scripts.
Updated by jahoti almost 2 years ago
> In the case of important data only being available in external scripts (btw, I think this is the case with reCAPTCHA which, although nasty, is very important for us to support), instead of providing a general facility to bypass CORS (I am thinking of implementing some API similar to XMLHttpRequest), we could add a facility to fetch just the external scripts referenced by the original page. Better yet, we could actually add a general facility to bypass CORS and then make it possible to define a payload's permissions in a way that it is only allowed to bypass CORS for these particular scripts.

That sounds like a good system- we could even use URL patterns to specify allowed connections, albeit with some way to specify multiple per script.

For reCAPTCHA I think the data that gets extracted (maps from challenge code to displayed text) is constant at least within each reCAPTCHA version, which means it's possible (at least in theory) to hardcode them in the script and simply release a new version whenever Google does. Nevertheless, that obviously would not be ideal.
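The mechanism from the description (a page script asks the privileged extension context to fetch a URL on its behalf) combined with the per-package URL-pattern permissions proposed above, as an added illustration that is not Haketilo's own code. Package names, the `{package, url}` message shape, the pattern syntax and the sample settings are all assumed for the example.

```javascript
// Added example, not Haketilo's code: the check a privileged extension context
// could apply before fetching a URL for an injected script. The page script
// sends {package, url} via messaging; the extension fetches it (bypassing CORS)
// only if that package's settings list a matching URL pattern.

// Compile a match pattern ("https://*.third.party.com/*") into per-part RegExps.
// Host wildcards are restricted to a leading "*." so a pattern cannot be
// satisfied by a lookalike host such as "third.party.com.evil.example".
function compilePattern(pattern) {
  const m = /^(https?|\*):\/\/([^/]+)(\/.*)$/.exec(pattern);
  if (!m) throw new Error(`bad match pattern: ${pattern}`);
  const [, scheme, host, path] = m;
  const esc = (s) => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  const hostRe = host.startsWith("*.") ? "([^.]+\\.)*" + esc(host.slice(2)) : esc(host);
  return {
    scheme: scheme === "*" ? /^https?$/ : new RegExp("^" + scheme + "$"),
    host: new RegExp("^" + hostRe + "$"),
    path: new RegExp("^" + esc(path).replace(/\*/g, ".*") + "$"),
  };
}

// Constructed sample settings (assumed shape): package name -> allowed patterns.
const samplePermissions = {
  "recaptcha-client": ["https://www.google.com/recaptcha/*", "https://www.gstatic.com/recaptcha/*"],
  "cosmetic-fixup": [],
};

// True if `pkg` may fetch `url` through the privileged context.
function isAllowedFetch(permissions, pkg, url) {
  let u;
  try { u = new URL(url); } catch (e) { return false; } // unparsable URL: deny
  const proto = u.protocol.slice(0, -1);
  return (permissions[pkg] || []).map(compilePattern).some(
    (c) => c.scheme.test(proto) && c.host.test(u.hostname) && c.path.test(u.pathname + u.search));
}

// Handler for a {package, url} message from a page script. `fetchImpl` is
// injected so the logic runs outside a browser; in the extension it would be
// the global fetch(). The user's cookies are never sent on the page's behalf.
async function handleCorsFetch(msg, permissions, fetchImpl) {
  if (!isAllowedFetch(permissions, msg.package, msg.url)) {
    return { ok: false, error: `${msg.package} may not fetch ${msg.url}` };
  }
  const resp = await fetchImpl(msg.url, { method: "GET", credentials: "omit" });
  return { ok: true, status: resp.status, body: await resp.text() };
}
```

A request for a URL outside the package's patterns is refused before any network access happens, so a compromised or overreaching script gains no more than its settings grant.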
Updated by koszko almost 2 years ago
> For reCAPTCHA I think the data that gets extracted (maps from challenge code to displayed text) is constant at least within each reCAPTCHA version,

That'd explain why instead of something like "select all squares with stairs" I was presented with some JSON... Good that I guessed what to do.
Updated by koszko over 1 year ago
- Subject changed from Make it possible for injected scripts to bypass CORS to [Roadmap 5][Milestone] Make it possible for injected scripts to bypass CORS
- Description updated (diff)
- Parent task deleted (#72)
Updated by koszko over 1 year ago
- Blocks Feature #107: [Roadmap 5] A user-controlled reCAPTCHA client library added
Updated by koszko over 1 year ago
- Blocks Feature #72: [Roadmap 18][Milestone] Facilitate creation of "meta-sites" added
Updated by koszko about 1 year ago
- Status changed from New to Closed
- % Done changed from 0 to 100