Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

Appearance settings
This repository was archived by the owner on Nov 6, 2023. It is now read-only.

Fix some CORS issues in HTTP Nowhere mode#15606

Merged
Hainish merged 2 commits into
EFForg:masterEFForg/https-everywhere:masterfrom
cschanaj:fix-cors-in-http-nowhere-modeCopy head branch name to clipboard
Jun 7, 2018
Merged

Fix some CORS issues in HTTP Nowhere mode#15606
Hainish merged 2 commits into
EFForg:masterEFForg/https-everywhere:masterfrom
cschanaj:fix-cors-in-http-nowhere-modeCopy head branch name to clipboard

Conversation

@cschanaj

@cschanaj cschanaj commented Jun 3, 2018

Copy link
Copy Markdown
Collaborator
  • Rewrite access-control-allow-origin to avoid the HTTP protocol in
    HTTP Nowhere mode

This change make CORS issues like #14275 less likely to happen in HTTP Nowhere mode

 * Rewrite access-control-allow-origin to avoid the HTTP protocol in
HTTP Nowhere mode
@cschanaj

cschanaj commented Jun 3, 2018

Copy link
Copy Markdown
Collaborator Author

ping @Hainish will there be a new release any time soon given that #15157 and #15411 are merged?

@Giltyhub

Giltyhub commented Jun 3, 2018

Copy link
Copy Markdown
Contributor

thanks again @cschanaj for all of your work on https-e!


// If HTTP protocol is used, change it to HTTPS
if (value.match(/http:/)) {
details.responseHeaders[idx].value = value.replace(/http:/g, "https:");

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What if one of the URLs has http: in the middle?

@cschanaj

cschanaj commented Jun 7, 2018

Copy link
Copy Markdown
Collaborator Author

According to https://www.w3.org/TR/cors/#access-control-allow-origin-response-header

In practice the origin-list-or-null production is more constrained. Rather than allowing a space-separated list of origins, it is either a single origin or the string "null".

and according to https://tools.ietf.org/html/rfc6454#section-7.1

   The Origin header field has the following syntax:

   origin              = "Origin:" OWS origin-list-or-null OWS
   origin-list-or-null = %x6E %x75 %x6C %x6C / origin-list
   origin-list         = serialized-origin *( SP serialized-origin )
   serialized-origin   = scheme "://" host [ ":" port ]
                       ; <scheme>, <host>, <port> from RFC 3986

There is only a single Origin in the Access-Control-Allow-Origin header, consisting of scheme, host and an optional port only.

What if one of the URLs has http: in the middle?

So, I guess this cannot happen in reality.

@Hainish could you please help to confirm?

@Hainish

Hainish commented Jun 7, 2018

Copy link
Copy Markdown
Member

Thanks @cschanaj. This sounds correct to me. Merging.

@Hainish Hainish merged commit b1a024d into EFForg:master Jun 7, 2018
@cschanaj cschanaj deleted the fix-cors-in-http-nowhere-mode branch June 7, 2018 01:58
@cschanaj

cschanaj commented Jun 7, 2018

Copy link
Copy Markdown
Collaborator Author

@Hainish Thanks for merging this PR. We don't have any full release since April, is there is plan to make a release soon?

@Hainish

Hainish commented Jun 7, 2018 via email

Copy link
Copy Markdown
Member

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants

Morty Proxy This is a proxified and sanitized view of the page, visit original site.