Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove ineffective Access-Control-Allow-Origin header #4275

Merged
merged 1 commit into from Sep 11, 2021
Merged

Remove ineffective Access-Control-Allow-Origin header #4275

merged 1 commit into from Sep 11, 2021

Conversation

MichaIng
Copy link
Contributor

@MichaIng MichaIng commented Aug 13, 2021
edited

By submitting this pull request, I confirm the following:
please fill any appropriate checkboxes, e.g: [X]

  • I have read and understood the contributors guide, as well as this entire template.
  • I have made only one major change in my proposed changes.
  • I have commented my proposed changes within the code.
  • I have tested my proposed changes, and have included unit tests where possible.
  • I am willing to help maintain this change if there are issues with it later.
  • I give this submission freely and claim no ownership.
  • It is compatible with the EUPL 1.2 license
  • I have squashed any insignificant commits. (git rebase)

Please make sure you Sign Off all commits. Pi-hole enforces the DCO.

What does this PR aim to accomplish?:
The Access-Control-Allow-Origin header has only relevance, when a resource is loaded from an external host, so one that does not match the host of the primary loaded website. As the fonts are reasonably loaded via local URLs without hostname or scheme from the blocking page style sheet, they are never seen as external resources, regardless whether the blocking page is shown to the browser from a blocked domain or from the Pi-hole domain/IP. To minimise transferred data and to not explicitly allow external hosts to load resources from each Pi-hole instance, the header should hence be removed.

Addresses #3462

How does this PR accomplish the above?:
The Access-Control-Allow-Origin header is removed from the Lighttpd configurations.

What documentation changes (if any) are needed to support this PR?:
None

@MichaIng
Remove ineffective Access-Control-Allow-Origin header
3ef90a9 
The Access-Control-Allow-Origin header has only relevance, when a resource is loaded from an external host, so one that does not match the host of the primary loaded website. As the fonts are reasonably loaded via local URLs without hostname or scheme from the blocking page style sheet, they are never seen as external resources, regardless whether the blocking page is shown to the browser from a blocked domain or from the Pi-hole domain/IP.

For reference: #3462

Signed-off-by: MichaIng <micha@dietpi.com>
@MichaIng MichaIng mentioned this pull request Aug 13, 2021
Closed
@DL6ER DL6ER merged commit 482ac12 into pi-hole:development Sep 11, 2021
@MichaIng MichaIng deleted the patch-4 branch September 11, 2021 19:48
@pralor-bot
Copy link

This pull request has been mentioned on Pi-hole Userspace. There might be relevant details there:

https://discourse.pi-hole.net/t/pi-hole-ftl-v5-9-web-v5-6-and-core-v5-4-released/49544/1

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@DL6ER DL6ER DL6ER approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@MichaIng @pralor-bot @DL6ER