$empty modifier and access-control-allow-origin header #1360

Closed
theseanl opened this Issue Nov 1, 2016 · 10 comments

theseanl commented Nov 1, 2016

When the $empty modifier is applied, the response is sometimes blocked by the browser, because there is no access-control-allow-origin header. This should be fixed on other platforms as well.

Error example:

Access to Script at 'https://c1.popads.net/pop.js' from origin 'https://c1.popads.net' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://theproxy.tech' is therefore not allowed access.

@ameshkov ameshkov added this to the 6.1 R2 milestone Nov 1, 2016

Member

ameshkov commented Nov 1, 2016

I guess we should simply add access-control-allow-origin: * to all blocking responses.

Bluscream commented Nov 8, 2016

@ameshkov Can Adguard help bypassing browser restrictions for easier userscript usage?

Browsers have many restrictions these days which restrict advanced user experience. When traffic is routed through adguard, can it possibly modify it? If yes at which layer?

My wettest dreams would be.

  • No errors for XMLhttp requests or plain javascript injection in the browser console (like No 'Access-Control-Allow-Origin' header is present)
  • Always "fake" a valid ssl certificate for the domain if the browser would block it otherwise.
  • adding/modifying/removing custom headers before they arrive at the browser (to increase or decrease cache times for example)
  • changing the Content-Type: @ for any url supporting regex so I can change the encoding header for ||*.txt to application/javascript
  • Bypassing HSTS (The HSTS Policy[2] is communicated by the server to the user agent via an HTTP response header field named "Strict-Transport-Security". )

You would be so dope if you could manage to get this working :*
I would buy a license for everyone in the world (when I win the lottery :D )

In my opinion a browser should behave how I want it to, not I should behave like the browser wants me to :)

Bluscream commented Nov 8, 2016

For requests without credentials, the server may specify "*" as a wildcard, thereby allowing any origin to access the resource.

This means that on requests using credentials not even modifying the header works. Good job browser devs.... to restrict usability for fake security 💢
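An added example, not AdGuard's code, that models the two points raised above: the maintainer's proposal of a wildcard access-control-allow-origin header on every $empty blocking response, and why that header alone is still rejected for requests sent with credentials. The function names, the PAGE_ORIGIN value and the response shape are assumptions; the browser-side logic follows the Fetch standard's CORS check.

```python
from typing import Dict, Optional, Tuple

Headers = Dict[str, str]
# Constructed origin, modelled on the issue's error: theproxy.tech loads a blocked c1.popads.net resource.
PAGE_ORIGIN = "https://theproxy.tech"


def empty_block_response(cors: Optional[str] = None) -> Tuple[int, Headers, bytes]:
    """Response a filtering proxy returns for a $empty match (assumed shape: 200, empty body).
    cors=None is the original behaviour, "*" is the maintainer's wildcard proposal,
    any other value is echoed back as the single allowed origin."""
    headers: Headers = {"content-length": "0", "content-type": "text/plain"}
    if cors is not None:
        headers["access-control-allow-origin"] = cors
        if cors != "*":
            # Needed for credentialed requests. Reflecting Origin is acceptable only because
            # the body is empty; on a real resource it would hand any caller the data.
            headers["access-control-allow-credentials"] = "true"
            headers["vary"] = "Origin"
    return 200, headers, b""


def cors_check(resp: Headers, origin: str, credentials: bool) -> Optional[str]:
    """None if the browser exposes the response, else why it blocks it (Fetch CORS check):
    missing header fails; "*" passes only without credentials; otherwise the header must
    equal the request origin and, with credentials, allow-credentials must be "true"."""
    acao = resp.get("access-control-allow-origin")
    if acao is None:
        return "No 'Access-Control-Allow-Origin' header is present on the requested resource."
    if acao == "*":
        return None if not credentials else "wildcard '*' not allowed with credentials mode 'include'"
    if acao != origin:
        return f"Origin '{origin}' is therefore not allowed access."
    if credentials and resp.get("access-control-allow-credentials") != "true":
        return "'Access-Control-Allow-Credentials' must be 'true' for credentialed requests."
    return None


def outcomes() -> Dict[str, bool]:
    """True where the browser would accept the blocking response in each scenario."""
    _, plain, _ = empty_block_response()
    _, star, _ = empty_block_response("*")
    _, echo, _ = empty_block_response(PAGE_ORIGIN)
    return {
        "script crossorigin=anonymous, no header": cors_check(plain, PAGE_ORIGIN, False) is None,
        "script crossorigin=anonymous, wildcard": cors_check(star, PAGE_ORIGIN, False) is None,
        "xhr withCredentials, wildcard": cors_check(star, PAGE_ORIGIN, True) is None,
        "xhr withCredentials, echoed origin": cors_check(echo, PAGE_ORIGIN, True) is None,
    }
```

A plain `<script src>` without a crossorigin attribute is not a CORS request at all, so the check only applies to the credential-less and credentialed CORS modes shown.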

No errors for XMLhttp requests or plain javascript injection in the browser console (like No 'Access-Control-Allow-Origin' header is present)

It won't help you with XMLHttpRequest's anyway. GM_xmlhttprequest should help you though.

Member

ameshkov commented Nov 10, 2016

Why do you need all these? I mean everything listed is bad for browser security, for what reason do you want it? For debugging purposes most of these things are possible with Fiddler.

No errors for XMLhttp requests or plain javascript injection in the browser console (like No 'Access-Control-Allow-Origin' header is present)

It won't help you with XMLHttpRequests anyway. GM_xmlhttprequest should help you though.

Bluscream commented Nov 10, 2016

Why wouldn't it help?

Member

ameshkov commented Nov 11, 2016

Why wouldn't it help?

As I recall, cross-domain XMLHttpRequests are forbidden and it does not depend on the response headers. Actually, the browser won't send the request, so you won't receive a response anyway.

People use the JSONP approach to overcome it, which is in fact just adding a script src= tag. The loaded script contains a callback function call: callback(data);

theseanl commented Sep 29, 2017

Steps to reproduce:

  1. Add a rule ||vads-api.ad.daum.net/xylophone/adrequest/$empty,important to User filter
  2. Go to http://tv.kakao.com/channel/2844192/cliplink/377764308 with Chrome browser
  3. Inspect console output

I'm getting this error:
[screenshot: cors]

Bluscream commented Apr 7, 2018

Any news on this? I just got yet another headache because firefox is hitting me with this shit

Not even a fucking Continue anyway button 💢 😠

Member

ameshkov commented Apr 14, 2018

@Bluscream this is smth different and looks as if smth is wrong with the AG certificate.

Are you getting it on that website only?
