how to bypass CORS?


Unread post by szczelnybez » 2021-01-21, 21:30

Hello Everyone,

I've just registered but have been using PM for many years. I have a question that I've tried to find an answer to on the forum but didn't manage to.

Basically I need to bypass CORS at the client side only. I'd rather not use any external proxy etc. I'm sure this can be done because the remote resource I try to access can be downloaded by manually clicking on a website link, and one of the response headers to a preflight request is "Access-Control-Allow-Origin *". However, the resource, when accessed by local JavaScript code, gets refused by the browser's default CORS policy. This might be due to a different protocol (file:// vs https://) or something else. Therefore I think it's just a matter of cheating the PM browser somehow to let through some traffic from a specified remote address.

Now, I'm not too sure how to achieve that. There is a FF Add-on that modifies response headers called cors-everywhere (see https://github.com/spenibus/cors-everywhere-firefox-addon). So I thought I might create a similar PM extension. However, cors-everywhere obviously uses the WebRequest API and it is a so-called "WebExtension", which is not and never will be supported by PM, as I gathered.

There is also a JS module inside PM's belly called WebRequest.jsm which seems to have similar functionality to the WebRequest API, but I'm not sure if it is usable in PM. Maybe there is a hidden setting within PM's about:config that could do the trick?

Can someone advise me what would be the simplest way of achieving what I need? Is there a straightforward API/module in PM that can achieve that? I've read that PM supports many low-level APIs, but first - is there any list of supported APIs? And second - what would be the most suitable API for this task? Any suggestions would be highly appreciated.

Regards

SB


Unread post by Moonchild » 2021-01-21, 22:57

There is no "hidden setting in about:config" that allows you to break the CORS and Same-Origin policy safeguards that are present and essential for proper use of the web. So yes, you will have to create an extension that "cheats" and rewrites headers to bypass CORS restrictions by always feeding it * as allowed origin. Please be aware that using that will also open your browsing up to potential XSS attacks.
"You will observe with concern how long a useful truth may be known and exist before it is generally received and practiced on." -- Benjamin Franklin
"Compromise and collaboration lie at the heart of all great endeavours" -- Kassandra

Unread post by moonbat » 2021-01-22, 03:58

Why do you need to bypass CORS though?
"One hosts to look them up, one DNS to find them and in the darkness BIND them."

Linux Mint 20.1 Xfce x64 on HP i5-5200 laptop, 12 GB RAM.
AutoPageColor|PermissionsPlus|PMPlayer|Pure URL|RecordRewind|TextFX


Unread post by szczelnybez » 2021-01-22, 08:26

Moonchild: I know there is a risk involved, therefore I'd limit the openness to selected addresses only.
moonbat: I need access to remote data inside a CSV file. The current CORS policy prohibits me from doing so.

I also found an "Http.jsm" module, but again I'm not sure if it would do the job or if it works in Palemoon at all... Any further thoughts? I'm sure I'm not the first one. I don't want to reinvent the wheel.

Regards

SB


Unread post by szczelnybez » 2021-01-25, 00:04

I confirm that after a few trial-and-error attempts the WebRequest JS module works fine in PaleMoon when developing extensions. I managed to achieve just what I needed.
After polishing it I could add it to the Palemoon extensions website if anyone is interested.

Regards

SB


Unread post by Moonchild » 2021-01-25, 00:08

szczelnybez wrote (2021-01-25, 00:04):
"After polishing it I could add it to the Palemoon extensions website if anyone is interested."

I'm sure there's at least some who would be interested for one reason or another -- feel free to add it to the add-ons site!

Unread post by szczelnybez » 2021-01-25, 19:08

I will add it after I introduce some user-friendly interface.


Unread post by iyutr » 2021-03-19, 04:22

szczelnybez wrote (2021-01-25, 19:08):
"I will add it after I introduce some user-friendly interface."

Hello, is your extension ready? I need such to run https://arthursonzogni.com/Diagon/ .wasm file offline, to avoid such errors as:
Access to XMLHttpRequest at 'file:///home/..../diagon.wasm' from origin 'null' has been blocked by CORS policy


Unread post by Kris_88 » 2021-03-20, 12:35

iyutr wrote (2021-03-19, 04:22):
"I need such to run https://arthursonzogni.com/Diagon/ .wasm file offline"

Off-topic:
No need to bypass CORS to make it work...
https://arthursonzogni.com/Diagon/diagon.js
Find K="diagon.wasm" and replace diagon.wasm with a base64-encoded string.
K="data:application/octet-stream;base64,AGFzbQEAA ..... BABDlUQ==";

https://arthursonzogni.com/Diagon/diagon.wasm
https://base64.guru/converter/encode/file

And you also need to save locally other resources and correct links.

!diagon.html
apple-touch-icon.png
dejavu-sans-mono.css
DejaVuSansMonoBold.ttf
DejaVuSansMonoBoldOblique.ttf
DejaVuSansMonoBook.ttf
DejaVuSansMonoOblique.ttf
diagon.js
favicon-16x16.png
favicon-32x32.png
katex.min.css
katex.min.js
manifest.json
style.css

In fact, it can be done as one large HTML file without additional resources.
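The substitution described in the post above, as an added example that is not part of the original post or of Diagon itself: a Node.js sketch that checks the file really is a WebAssembly binary (magic bytes `\0asm`, which is why the encoded string starts with `AGFzbQ`), builds the data: URI and patches the single quoted file name. The function names and the sample bytes are assumptions made for illustration.

```javascript
// Added example: helper names are hypothetical; the sample bytes in the
// accompanying test are constructed, not taken from diagon.wasm.
const WASM_MAGIC = Buffer.from([0x00, 0x61, 0x73, 0x6d]); // "\0asm"

// Build the data: URI, refusing anything that is not a wasm binary
// (a saved HTML error page would otherwise be embedded silently).
function wasmToDataUri(wasmBytes) {
  const buf = Buffer.from(wasmBytes);
  if (buf.length < 8 || !buf.subarray(0, 4).equals(WASM_MAGIC)) {
    throw new Error("not a WebAssembly binary (bad magic)");
  }
  return "data:application/octet-stream;base64," + buf.toString("base64");
}

// Replace the quoted file name (e.g. "diagon.wasm") with the data: URI.
// Exactly one occurrence is required so nothing else is rewritten.
function inlineWasm(jsSource, wasmBytes, fileName = "diagon.wasm") {
  const needle = JSON.stringify(fileName);
  const hits = jsSource.split(needle).length - 1;
  if (hits !== 1) {
    throw new Error(`expected exactly one ${needle} literal, found ${hits}`);
  }
  const uri = JSON.stringify(wasmToDataUri(wasmBytes));
  return jsSource.replace(needle, () => uri);
}

// Decode the embedded payload again, to compare it with the original file.
function extractWasm(patchedSource) {
  const m = patchedSource.match(
    /"data:application\/octet-stream;base64,([A-Za-z0-9+\/=]+)"/
  );
  return m ? Buffer.from(m[1], "base64") : null;
}
```
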


Unread post by iyutr » 2021-03-21, 16:32

Kris_88,

Thank you for the advice, but unfortunately I could not run it after having gathered those files and fixing the links.
The author has just made an offline build that works perfectly in Palemoon 68; my question is resolved (no issue with CORS).


Unread post by coffeebreak » 2021-03-21, 18:29

iyutr wrote (2021-03-21, 16:32):
"Palemoon 68"

There is no "Pale Moon 68". Did you mean Firefox?


Unread post by iyutr » 2021-03-21, 22:50

Sorry, it's my blunder, I meant the newest Palemoon 29.1, which identifies itself as rv:68.0, I just named the shortcut so :)


How to bypass CORS?

Unread post by googlefan » 2022-01-19, 11:57

The old thread is locked, unfortunately, so I can't ask there: viewtopic.php?f=3&t=26039

Has anyone seen an addon to bypass Cross-Origin checks that is compatible with Pale Moon? All Firefox addons I've met are incompatible because they are "WebExtension".

Is there any other way to disable the CORS check once and for all?

I do understand that it will make me vulnerable to XSS attacks, but I don't really care as I use separate browser profiles for almost every single website, plus 3rd party request checkers such as uMatrix.


Unread post by szczelnybez » 2022-01-20, 08:20

I intended to finalize my AddOn but due to time constraints it's still in a very rough and early stage without any auditing whatsoever. I could send you a version 'as is' to use at your own risk.


Unread post by googlefan » 2022-01-23, 14:46

szczelnybez wrote (2022-01-20, 08:20):
"I intended to finalize my AddOn but due to time constraints it's still in a very rough and early stage without any auditing whatsoever. I could send you a version 'as is' to use at your own risk."

Yes, I'd like to try, please share it.


Unread post by Moonchild » 2022-01-23, 15:42

If the issue is a strict origin policy on local files, then that was added a little while ago for security reasons. It's a known issue that this breaks "off-line" pages that want to load resources from the same directory/folder as the page (or subfolders); that is by design.
You can bypass it with the preference security.fileuri.strict_origin_policy. Be aware, however, that you should not keep this preference flipped permanently if you're using the browser for internet browsing; some malicious sites may try to abuse it (through malicious downloads). Or at the very least not execute file:// URIs to content you don't trust (you could be tricked into that though).

Unread post by szczelnybez » 2022-01-24, 18:21

Not sure if this is the right place to post it. Perhaps Add-Ons section? If not, MoonChild, please remove and I would upload it somewhere else. JS file in the archive is to be edited: a row with "whitelist" is to be modified to list trusted sites. Then remove 'zip' extension and double-click to install it.
BTW I welcome any criticism on the security side of this AddOn.
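The "whitelist" idea from the post above, as an added example that is not the code of the add-on discussed in this thread: a header-rewriting decision that compares the full origin (scheme, host, port) exactly, so look-alike hosts and plain-http copies of a trusted site are left untouched. The function names and allowlist entries are assumptions; the `{name, value}` header shape follows the WebExtensions webRequest API.

```javascript
// Added example: hypothetical helper names; allowlist entries are constructed.
const ALLOWLIST = [
  "https://data.example.org",
  "https://files.example.net:8443",
];

// True only when the request's origin equals an allowlisted origin.
function isAllowlisted(requestUrl, allowlist = ALLOWLIST) {
  let origin;
  try {
    origin = new URL(requestUrl).origin; // normalises case and default ports
  } catch (e) {
    return false;                        // unparsable URL: never relax
  }
  // Exact comparison: substring or endsWith checks would also accept
  // hosts such as "data.example.org.look-alike.test".
  return allowlist.some((entry) => new URL(entry).origin === origin);
}

// `headers` is an array of {name, value} response headers.
// Returns the same array untouched unless the request is allowlisted.
function relaxCors(requestUrl, headers, allowlist = ALLOWLIST) {
  if (!isAllowlisted(requestUrl, allowlist)) {
    return headers;
  }
  // Drop any existing value first so the response carries a single header.
  const kept = headers.filter(
    (h) => h.name.toLowerCase() !== "access-control-allow-origin"
  );
  kept.push({ name: "Access-Control-Allow-Origin", value: "*" });
  return kept;
}
```
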


Unread post by Moonchild » 2022-01-24, 22:20

Please don't dump unchecked extensions into the forum.
Also, it's Moonchild, kindly drop the capital C. It's a name, not a function identifier ;-)
If you want to publish/share your extension, upload it to the Pale Moon add-ons site. That way it can at least be somewhat vetted before people start clicking random XPIs to install (you should never do that, by the way; extensions run at the browser level and will have access to your entire system).

Unread post by googlefan » 2022-01-26, 09:23

szczelnybez wrote (2022-01-24, 18:21):
"JS file in the archive is to be edited: a row with "whitelist" is to be modified to list trusted sites. Then remove 'zip' extension and double-click to install it."

I can confirm that the plugin works, thank you! Not very convenient to edit the .js file, though.

Moonchild wrote (2022-01-23, 15:42):
"You can bypass it with the preference security.fileuri.strict_origin_policy."

And this did not work for me.
