Feature #71

Updated by koszko over 1 year ago

Cross-Origin Resource Sharing (CORS) is a mechanism through which browsers can decide whether a page should or should not be able to access some third-party resource. Despite being a security feature, this also limits the abilities of our injected scripts. There are at least 2 cases where we would like scripts to be able to bypass CORS:

1. When the original page gets some important data from a third-party script (included as `<script src="https://some.third.party.com/some.js"></script>`) and the script is served in such a way that CORS blocks its download if it is requested through AJAX instead of through a `<script>` tag.
2. When we deliberately want to add some features that would not normally be possible.

Scripts running in a privileged context of a WebExtension are allowed to bypass CORS. A page script could communicate with those using messaging. We only need to implement the required API and allow special permissions for its use to be specified on a package-by-package basis in the settings.

[Roadmap](/projects/hachette/wiki/Roadmap#5-Development-of-a-user-controlled-captcha-client-107)
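A sketch of the per-package permission gate described above, as an added example that is not the project's own code: the privileged side checks a deny-by-default origin grant before fetching on a package's behalf. The settings layout, message fields, package names and function names are all assumptions made for illustration.

```javascript
// Hypothetical per-package grants as they might be stored in the settings
// (constructed sample; the package names are made up).
const sampleSettings = {
  "captcha-client": { corsBypassOrigins: ["https://some.third.party.com"] },
  "page-fixes": { corsBypassOrigins: [] },
};

// Decide whether a package may fetch `rawUrl` from the privileged context.
// Deny by default: unknown package, unparsable URL, non-HTTPS or unlisted origin.
function authorizeCorsBypass(settings, packageName, rawUrl) {
  const grant = Object.prototype.hasOwnProperty.call(settings, packageName)
    ? settings[packageName] : null;
  if (!grant || !Array.isArray(grant.corsBypassOrigins)) {
    return { allowed: false, reason: "package has no CORS-bypass permission" };
  }
  let url;
  try {
    url = new URL(rawUrl);
  } catch (e) {
    return { allowed: false, reason: "invalid URL" };
  }
  if (url.protocol !== "https:") {
    return { allowed: false, reason: "only https: is allowed" };
  }
  // Compare the parsed origin, never a string prefix of the raw URL.
  if (!grant.corsBypassOrigins.includes(url.origin)) {
    return { allowed: false, reason: "origin not granted to this package" };
  }
  return { allowed: true, url: url.href };
}

// Privileged-side message handler. `message.packageName` is assumed to be set
// by the extension itself, not taken from the page. `fetchImpl` is injected so
// the gate can be exercised offline.
async function handleCorsBypassMessage(settings, message, fetchImpl) {
  const verdict = authorizeCorsBypass(settings, message.packageName, message.url);
  if (!verdict.allowed) {
    return { ok: false, error: verdict.reason };
  }
  // Omit cookies and refuse redirects so the grant cannot be stretched
  // to an authenticated read or to another origin.
  const response = await fetchImpl(verdict.url, { credentials: "omit", redirect: "error" });
  return { ok: true, status: response.status, body: await response.text() };
}
```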