
how to bypass CORS?

Posted: 2021-01-21, 21:30
by szczelnybez
Hello Everyone,

I've just registered but have been using PM for many years. I have a question that I've tried to find an answer to on the forum but didn't manage to.

Basically I need to bypass CORS at client side only. I'd rather not use any external proxy etc... I'm sure this can be done because the remote resource I try to access can be downloaded by manually clicking on a website link and one of the response headers to a preflight request is "Access-Control-Allow-Origin *". However, the resource when accessed by local JavaScript code gets refused by the browser's default CORS policy. This might be due to different protocol (file:// vs https://) or something else. Therefore I think it's just a matter of cheating the PM browser somehow to let through some traffic from a specified remote address.

Now, I'm not too sure how to achieve that. There is a FF add-on that modifies response headers called cors-everywhere (see https://github.com/spenibus/cors-everywhere-firefox-addon). So I thought I might create a similar PM extension. However, cors-everywhere obviously uses the WebRequest API and it is a so-called "WebExtension" that is not and will never be supported by PM, as I gathered.

There is also a JS module inside PM's belly called WebRequest.jsm which seems to have similar functionality to the WebRequest API but I'm not sure if it is usable in PM. Maybe there is a hidden setting within PM about:config that could do the trick?

Can someone advise me what would be the simplest way of achieving what I need? Is there a straightforward API/module in PM that can achieve that? I've read that PM supports many low level APIs but first - is there any list of supported APIs? And second - what would be a most suitable API for this task? Any suggestions would be highly appreciated.

Regards

SB

Re: how to bypass CORS?

Posted: 2021-01-21, 22:57
by Moonchild
There is no "hidden setting in about:config" that allows you to break the CORS and Same-Origin policy safeguards that are present and essential for proper use of the web. So yes, you will have to create an extension that "cheats" and rewrites headers to bypass CORS restrictions by always feeding it * as allowed origin. Please be aware that using that will also open your browsing up to potential XSS attacks.

Re: how to bypass CORS?

Posted: 2021-01-22, 03:58
by moonbat
Why do you need to bypass CORS though?

Re: how to bypass CORS?

Posted: 2021-01-22, 08:26
by szczelnybez
Moonchild: I know there is a risk involved therefore I'd limit the openness to selected addresses only.
moonbat: I need access to remote data inside a CSV file. The current CORS policy prohibits me from doing so.

I also found an "Http.jsm" module but again I'm not sure if it would do the job or if it works in Palemoon at all... Any further thoughts? I'm sure I'm not the first one. I don't want to reinvent the wheel.

Regards

SB

Re: how to bypass CORS?

Posted: 2021-01-25, 00:04
by szczelnybez
I confirm that after a few trial and error attempts the WebRequest JS module works fine in PaleMoon, when developing extensions. I managed to achieve just what I needed.
After polishing it I could add it to the Palemoon extensions website if anyone is interested.

Regards

SB

Re: how to bypass CORS?

Posted: 2021-01-25, 00:08
by Moonchild
szczelnybez wrote:
2021-01-25, 00:04
After polishing it I could add it to the Palemoon extensions website if anyone is interested.
I'm sure there's at least some who would be interested for one reason or another -- feel free to add it to the add-ons site!

Re: how to bypass CORS?

Posted: 2021-01-25, 19:08
by szczelnybez
I will add it after I introduce some user-friendly interface.

Re: how to bypass CORS?

Posted: 2021-03-19, 04:22
by iyutr
szczelnybez wrote:
2021-01-25, 19:08
I will add it after I introduce some user-friendly interface.
Hello, is your extension ready? I need such to run https://arthursonzogni.com/Diagon/ .wasm file offline, to avoid such errors as:
Access to XMLHttpRequest at 'file:///home/..../diagon.wasm' from origin 'null' has been blocked by CORS policy

Re: how to bypass CORS?

Posted: 2021-03-20, 12:35
by Kris_88
iyutr wrote:
2021-03-19, 04:22
I need such to run https://arthursonzogni.com/Diagon/ .wasm file offline
Off-topic:
No need to bypass CORS to make it work...
https://arthursonzogni.com/Diagon/diagon.js
Find K="diagon.wasm" and replace diagon.wasm with base64 encoded string.
K="data:application/octet-stream;base64,AGFzbQEAA ..... BABDlUQ==";

https://arthursonzogni.com/Diagon/diagon.wasm
https://base64.guru/converter/encode/file

And you also need to save locally other resources and correct links.

!diagon.html
apple-touch-icon.png
dejavu-sans-mono.css
DejaVuSansMonoBold.ttf
DejaVuSansMonoBoldOblique.ttf
DejaVuSansMonoBook.ttf
DejaVuSansMonoOblique.ttf
diagon.js
favicon-16x16.png
favicon-32x32.png
katex.min.css
katex.min.js
manifest.json
style.css

In fact, it can be done as one large HTML file without additional resources.
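
The replacement step described in the post above can be scripted instead of using an online encoder. This is an added example, not code from the thread or from the Diagon project; the function names are hypothetical and the sample loader line and 8-byte module are constructed for illustration (run with Node.js).

```javascript
// Added example: inline a .wasm file into its loader script as a data: URI,
// so the page no longer needs a separate fetch of the .wasm file.

const WASM_MAGIC = Buffer.from([0x00, 0x61, 0x73, 0x6d]); // "\0asm"

// Build the data: URI in the same form as the one shown in the post.
// Refuses input that is not a WebAssembly binary (wrong magic or too short).
function wasmToDataUri(wasmBytes) {
  if (wasmBytes.length < 8 || !wasmBytes.subarray(0, 4).equals(WASM_MAGIC)) {
    throw new Error("input does not start with the WebAssembly magic bytes");
  }
  return "data:application/octet-stream;base64," + wasmBytes.toString("base64");
}

// Replace every quoted occurrence of the wasm file name in the loader source.
// Throws when nothing matched, so an unpatched file is never mistaken for done.
function inlineWasm(loaderSource, wasmName, wasmBytes) {
  const uri = wasmToDataUri(wasmBytes);
  const escaped = wasmName.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  const literal = new RegExp(`(["'])${escaped}\\1`, "g");
  let count = 0;
  const patched = loaderSource.replace(literal, (match, quote) => {
    count += 1;
    return quote + uri + quote; // base64 contains no quote characters
  });
  if (count === 0) throw new Error(`no quoted "${wasmName}" found in loader`);
  return { patched, count };
}

// Constructed sample: the 8-byte header of an empty module and a one-line
// stand-in for the loader. With real files, read them with fs.readFileSync
// and write `patched` back out.
const sampleWasm = Buffer.from([0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00]);
const sampleLoader = 'var K="diagon.wasm";fetch(K);';
const demo = inlineWasm(sampleLoader, "diagon.wasm", sampleWasm);
console.log(demo.patched);
```

The encoded header starts with `AGFzbQEAA`, the same prefix as the string quoted in the post, which is a quick way to confirm the right file was encoded.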

Re: how to bypass CORS?

Posted: 2021-03-21, 16:32
by iyutr
Kris_88,

thank you for the advice, but unfortunately I could not run it, after having gathered those files and fixed the links.
The author has just made an offline build that works perfectly in Palemoon 68; my question is resolved (no issue with CORS).

Re: how to bypass CORS?

Posted: 2021-03-21, 18:29
by coffeebreak
iyutr wrote:
2021-03-21, 16:32
Palemoon 68
There is no "Pale Moon 68". Did you mean Firefox?

Re: how to bypass CORS?

Posted: 2021-03-21, 22:50
by iyutr
Sorry, it's my blunder, I meant the newest Palemoon 29.1, which identifies itself as rv:68.0, I just named the shortcut so :)

How to bypass CORS?

Posted: 2022-01-19, 11:57
by googlefan
The old thread is locked unfortunately so I can't ask there: viewtopic.php?f=3&t=26039

Has anyone seen an addon to bypass Cross-Origin checks that is compatible with Pale Moon? All Firefox addons I've met are incompatible because they are "WebExtension".

Is there any other way to disable CORS check once and for all?

I do understand that it will make me vulnerable to XSS attacks but I don't really care as I use separate browser profiles for almost every single website, plus 3rd party request checkers such as uMatrix.

Re: How to bypass CORS?

Posted: 2022-01-20, 08:20
by szczelnybez
I intended to finalize my AddOn but due to time constraints it's still in a very rough and early stage without any auditing whatsoever. I could send you a version 'as is' to use at your own risk.

Re: how to bypass CORS?

Posted: 2022-01-23, 14:46
by googlefan
szczelnybez wrote:
2022-01-20, 08:20
I intended to finalize my AddOn but due to time constraints it's still in a very rough and early stage without any auditing whatsoever. I could send you a version 'as is' to use at your own risk.
yes, I'd like to try, please share it.

Re: how to bypass CORS?

Posted: 2022-01-23, 15:42
by Moonchild
If the issue is a strict origin policy on local files, then that was added a little while ago for security reasons. It's a known issue that this breaks "off-line" pages that want to load resources from the same directory/folder as the page (or subfolders); that is by design.
You can bypass it with the preference security.fileuri.strict_origin_policy. Be aware, however, that you should not keep this preference flipped permanently if you're using the browser for internet browsing; some malicious sites may try to abuse it (through malicious downloads). Or at the very least not execute file:// URIs to content you don't trust (you could be tricked into that though).

Re: how to bypass CORS?

Posted: 2022-01-24, 18:21
by szczelnybez
Not sure if this is the right place to post it. Perhaps Add-Ons section? If not, MoonChild, please remove and I would upload it somewhere else. JS file in the archive is to be edited: a row with "whitelist" is to be modified to list trusted sites. Then remove 'zip' extension and double-click to install it.
BTW I welcome any criticism on the security side of this AddOn.
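
On the security side of a "whitelist" row like the one described above, one check worth reviewing is how a response URL is matched against the trusted sites. This is an added example, not the add-on's code; the function names, the allowlist entry and all host names are constructed, and it assumes trusted sites are listed as exact https origins (run with Node.js).

```javascript
// Added example: decide whether a response URL belongs to a trusted site
// before any CORS header would be rewritten for it.

const ALLOWLIST = ["https://data.example.org"]; // exact origins, https only

// Strict check: parse the URL and compare the whole origin (scheme+host+port).
function isAllowlisted(responseUrl, allowlist = ALLOWLIST) {
  let url;
  try {
    url = new URL(responseUrl);
  } catch (e) {
    return false; // unparsable URLs are never trusted
  }
  if (url.protocol !== "https:") return false;
  return allowlist.some((entry) => new URL(entry).origin === url.origin);
}

// Loose check shown for contrast: substring matching on the raw string.
function looseIsAllowlisted(responseUrl, allowlist = ALLOWLIST) {
  return allowlist.some((entry) => responseUrl.includes(new URL(entry).host));
}

// Constructed URLs: the first is the trusted site, the rest only resemble it
// (longer host name, name in the path, name in the userinfo part, plain http).
const SAMPLES = [
  "https://data.example.org/prices.csv",
  "https://data.example.org.other.test/prices.csv",
  "https://other.test/data.example.org/prices.csv",
  "https://data.example.org@other.test/prices.csv",
  "http://data.example.org/prices.csv",
];

// Run both checks over the samples so the difference is visible side by side.
function compare(samples = SAMPLES) {
  return samples.map((u) => ({
    url: u,
    strict: isAllowlisted(u),
    loose: looseIsAllowlisted(u),
  }));
}

console.table(compare());
```

Only the first sample passes the strict check, while the substring check accepts all five, so a header rewrite gated on it would apply to sites that were never listed.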

Re: how to bypass CORS?

Posted: 2022-01-24, 22:20
by Moonchild
Please don't dump unchecked extensions into the forum.
Also, it's Moonchild, kindly drop the capital C. It's a name, not a function identifier ;-)
If you want to publish/share your extension, upload it to the Pale Moon add-ons site. That way it can at least be somewhat vetted before people start clicking random XPIs to install (you should never do that, by the way; extensions run at the browser level and will have access to your entire system).

Re: how to bypass CORS?

Posted: 2022-01-26, 09:23
by googlefan
szczelnybez wrote:
2022-01-24, 18:21
JS file in the archive is to be edited: a row with "whitelist" is to be modified to list trusted sites. Then remove 'zip' extension and double-click to install it.
I can confirm that the plugin works, thank you! not very convenient to edit the .js file though
Moonchild wrote:
2022-01-23, 15:42
You can bypass it with the preference security.fileuri.strict_origin_policy.
and this did not work for me.