how to bypass CORS?
Moderator: trava90
Forum rules
This board is for technical/general usage questions and troubleshooting for the Pale Moon browser only.
Technical issues and questions not related to the Pale Moon browser should be posted in other boards!
Please keep off-topic and general discussion out of this board, thank you!
- szczelnybez
- Apollo supporter
- Posts: 34
- Joined: 2021-01-20, 00:11
how to bypass CORS?
Hello Everyone,
I've just registered but been using PM for many years. I have a question that I've tried to find an answer to on the forum but didn't manage to.
Basically I need to bypass CORS at client side only. I'd rather not use any external proxy etc... I'm sure this can be done because the remote resource I try to access can be downloaded by manually clicking on a website link and one of the response headers to a preflight request is "Access-Control-Allow-Origin *". However, the resource when accessed by javascript local code gets refused by browser default CORS policy. This might be due to different protocol (file:// vs https://) or something else. Therefore I think it's just a matter of cheating the PM browser somehow to let through some traffic from specified remote address.
Now, I'm not too sure how to achieve that. There is a FF Add-on that modifies response headers called cors-everywhere (see https://github.com/spenibus/cors-everywhere-firefox-addon). So I thought I might create a similar PM extension. However, the cors-everywhere obviously uses a WebRequest API and it is a so-called "WebExtension" that is and will never be supported by PM, as I gathered.
There is also a JS module inside PM belly called WebRequest.jsm which seems to have similar functionality to WebRequest API but I'm not sure if it is usable in PM. Maybe there is a hidden setting within PM about:config that could do the trick?
Can someone advise me what would be the simplest way of achieving what I need? Is there a straightforward API/module in PM that can achieve that? I've read that PM supports many low level APIs but first - is there any list of supported APIs? And second - what would be a most suitable API for this task? Any suggestions would be highly appreciated.
Regards
SB
Re: how to bypass CORS?
There is no "hidden setting in about:config" that allows you to break the CORS and Same-Origin policy safeguards that are present and essential for proper use of the web. So yes, you will have to create an extension that "cheats" and rewrites headers to bypass CORS restrictions by always feeding it * as allowed origin. Please be aware that using that will also open your browsing up to potential XSS attacks.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
Re: how to bypass CORS?
Why do you need to bypass CORS though?
"One hosts to look them up, one DNS to find them and in the darkness BIND them."
Linux Mint 21 Xfce x64 on HP i5-5200 laptop, 12 GB RAM.
AutoPageColor|PermissionsPlus|PMPlayer|Pure URL|RecordRewind|TextFX
- szczelnybez
- Apollo supporter
- Posts: 34
- Joined: 2021-01-20, 00:11
Re: how to bypass CORS?
Moonchild: I know there is a risk involved therefore I'd limit the openness to selected addresses only.
moonbat: I need access to remote data inside a csv file. Current CORS policy prohibits me from doing so.
I also found a "Http.jsm" module but again not sure if it would do the job or if it works in Palemoon at all... Any further thoughts? I'm sure I'm not the first one. I don't want to reinvent the wheel.
Regards
SB
- szczelnybez
- Apollo supporter
- Posts: 34
- Joined: 2021-01-20, 00:11
Re: how to bypass CORS?
I confirm that after a few trial and error attempts the WebRequest JS module works fine in PaleMoon, when developing extensions. I managed to achieve just what I needed.
After polishing it I could add it to the Palemoon extensions website if anyone is interested.
Regards
SB
Re: how to bypass CORS?
szczelnybez wrote: ↑2021-01-25, 00:04
"After polishing it I could add it to the Palemoon extensions website if anyone is interested."
I'm sure there's at least some who would be interested for one reason or another -- feel free to add it to the add-ons site!
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
- szczelnybez
- Apollo supporter
- Posts: 34
- Joined: 2021-01-20, 00:11
Re: how to bypass CORS?
I will add it after I introduce some user-friendly interface.
Re: how to bypass CORS?
Hello, is your extension ready? I need such to run https://arthursonzogni.com/Diagon/ .wasm file offline, to avoid such errors as:
Access to XMLHttpRequest at 'file:///home/..../diagon.wasm' from origin 'null' has been blocked by CORS policy
Re: how to bypass CORS?
iyutr wrote: ↑2021-03-19, 04:22
"I need such to run https://arthursonzogni.com/Diagon/ .wasm file offline"
Off-topic:
No need to bypass CORS to make it work...
https://arthursonzogni.com/Diagon/diagon.js
Find K="diagon.wasm" and replace diagon.wasm with base64 encoded string.
K="data:application/octet-stream;base64,AGFzbQEAA ..... BABDlUQ==";
https://arthursonzogni.com/Diagon/diagon.wasm
https://base64.guru/converter/encode/file
And you also need to save locally other resources and correct links.
!diagon.html
apple-touch-icon.png
dejavu-sans-mono.css
DejaVuSansMonoBold.ttf
DejaVuSansMonoBoldOblique.ttf
DejaVuSansMonoBook.ttf
DejaVuSansMonoOblique.ttf
diagon.js
favicon-16x16.png
favicon-32x32.png
katex.min.css
katex.min.js
manifest.json
style.css
In fact, it can be done as one large HTML file without additional resources.
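The replacement step from the post above, done locally with Node.js rather than through an online encoder, as an added example that is not part of the original post. The function names and the one-line sample loader are assumptions for illustration; the real diagon.js is not reproduced here.

```javascript
// Added example (not from the thread): inline a .wasm binary into its JS
// loader as a base64 data: URI. Names and sample input are hypothetical.
const WASM_MAGIC = Buffer.from([0x00, 0x61, 0x73, 0x6d]); // "\0asm"

// Build the data: URI, refusing input that does not start with the wasm magic.
function wasmToDataUri(wasmBytes) {
  if (wasmBytes.length < 8 || !wasmBytes.subarray(0, 4).equals(WASM_MAGIC)) {
    throw new Error("not a WebAssembly binary (bad magic bytes)");
  }
  return "data:application/octet-stream;base64," + wasmBytes.toString("base64");
}

// Replace every quoted reference to `wasmName` in the loader source.
// Returns the patched source and the number of references replaced.
function inlineWasm(loaderSource, wasmName, wasmBytes) {
  const uri = wasmToDataUri(wasmBytes);
  const escaped = wasmName.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  const pattern = new RegExp(`(["'])${escaped}\\1`, "g");
  let count = 0;
  // A function replacement avoids "$" being treated as a replacement pattern.
  const patched = loaderSource.replace(pattern, (_match, quote) => {
    count += 1;
    return quote + uri + quote;
  });
  if (count === 0) throw new Error(`no reference to ${wasmName} found`);
  return { patched, count };
}

// Decode the inlined payload again to confirm the bytes survived unchanged.
function extractInlinedWasm(patchedSource) {
  const m = /data:application\/octet-stream;base64,([A-Za-z0-9+/=]+)/.exec(patchedSource);
  return m ? Buffer.from(m[1], "base64") : null;
}

// Constructed sample input: the smallest valid module (magic + version 1)
// and a one-line stand-in for the loader script.
const sampleWasm = Buffer.from([0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00]);
const sampleLoader = 'var K="diagon.wasm";fetchBinary(K);';
const result = inlineWasm(sampleLoader, "diagon.wasm", sampleWasm);
console.log(result.patched);
```

For real files, read both inputs with `fs.readFileSync` and write `result.patched` back out; comparing `extractInlinedWasm` against the original bytes catches a truncated or mis-pasted payload.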
Re: how to bypass CORS?
Kris_88,
thank you for the advice, but unfortunately I could not run it, after having gathered those files and fixing the links.
The author has just made an offline build that works perfectly in Palemoon 68, my question is resolved (no issue with CORS).
-
- Moon Magic practitioner
- Posts: 2986
- Joined: 2015-09-26, 04:51
- Location: U.S.
Re: how to bypass CORS?
Sorry, it's my blunder, I meant the newest Palemoon 29.1, which identifies itself as rv:68.0, I just named the shortcut so
How to bypass CORS?
The old thread is locked unfortunately so I can't ask there: viewtopic.php?f=3&t=26039
Has anyone seen an addon to bypass Cross-Origin checks that is compatible with Pale Moon? All Firefox addons I've met are incompatible because they are "WebExtension".
Is there any other way to disable CORS check once and for all?
I do understand that it will make me vulnerable to XSS attacks but I don't really care as I use separate browser profiles for almost every single website, plus 3rd party requests checkers such as uMatrix.
- szczelnybez
- Apollo supporter
- Posts: 34
- Joined: 2021-01-20, 00:11
Re: How to bypass CORS?
I intended to finalize my AddOn but due to time constraints it's still in a very rough and early stage without any auditing whatsoever. I could send you a version 'as is' to use at your own risk.
Re: how to bypass CORS?
szczelnybez wrote: ↑2022-01-20, 08:20
"I intended to finalize my AddOn but due to time constraints it's still in a very rough and early stage without any auditing whatsoever. I could send you a version 'as is' to use at your own risk."
yes, I'd like to try, please share it.
Re: how to bypass CORS?
If the issue is a strict origin policy on local files, then that was added a little while ago for security reasons. It's a known issue that this breaks "off-line" pages that want to load resources from the same directory/folder as the page (or subfolders); that is by design.
You can bypass it with the preference security.fileuri.strict_origin_policy. Be aware, however, that you should not keep this preference flipped permanently if you're using the browser for internet browsing; some malicious sites may try to abuse it (through malicious downloads). Or at the very least not execute file:// URIs to content you don't trust (you could be tricked into that though).
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
- szczelnybez
- Apollo supporter
- Posts: 34
- Joined: 2021-01-20, 00:11
Re: how to bypass CORS?
Not sure if this is the right place to post it. Perhaps Add-Ons section? If not, MoonChild, please remove and I would upload it somewhere else. JS file in the archive is to be edited: a row with "whitelist" is to be modified to list trusted sites. Then remove 'zip' extension and double-click to install it.
BTW I welcome any criticism on the security side of this AddOn.
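One way to keep such a "whitelist" narrow is exact-origin matching, shown here as an added example; it is not the add-on's code, and the allowlisted origin, the function names and the {name, value} header shape are assumptions.

```javascript
// Added example, not the add-on's code: exact-origin allowlisting for a
// header-rewriting extension. All names and origins here are hypothetical.
const TRUSTED_ORIGINS = new Set(["https://data.example.org"]);

// True only when the URL parses, uses https, and its origin
// (scheme + host + port) is in the allowlist. Parse failures fail closed.
function isTrustedResource(requestUrl, trusted = TRUSTED_ORIGINS) {
  let parsed;
  try {
    parsed = new URL(requestUrl);
  } catch (_err) {
    return false;
  }
  return parsed.protocol === "https:" && trusted.has(parsed.origin);
}

// Headers are assumed to be an array of {name, value} objects.
// Untrusted responses are returned untouched. Trusted ones get
// Access-Control-Allow-Origin: * and lose Access-Control-Allow-Credentials,
// so the relaxation never covers credentialed responses.
function rewriteCorsHeaders(requestUrl, headers, trusted = TRUSTED_ORIGINS) {
  if (!isTrustedResource(requestUrl, trusted)) return headers;
  const strip = new Set([
    "access-control-allow-origin",
    "access-control-allow-credentials",
  ]);
  const kept = headers.filter((h) => !strip.has(h.name.toLowerCase()));
  kept.push({ name: "Access-Control-Allow-Origin", value: "*" });
  return kept;
}

// For contrast: a substring test that accepts every URL in LOOKALIKES.
function naiveIsTrusted(requestUrl) {
  return requestUrl.includes("data.example.org");
}

// Constructed URLs that merely contain the trusted host name.
const LOOKALIKES = [
  "https://data.example.org.attacker.example/x.csv", // host suffix
  "https://attacker.example/?u=data.example.org", // query string
  "http://data.example.org/x.csv", // plaintext scheme
  "https://data.example.org:8443/x.csv", // different port
];

for (const url of LOOKALIKES) {
  console.log(url, "strict:", isTrustedResource(url), "naive:", naiveIsTrusted(url));
}
```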
Re: how to bypass CORS?
Please don't dump unchecked extensions into the forum.
Also, it's Moonchild, kindly drop the capital C. It's a name, not a function identifier
If you want to publish/share your extension, upload it to the Pale Moon add-ons site. That way it can at least be somewhat vetted before people start clicking random XPIs to install (you should never do that, by the way; extensions run at the browser level and will have access to your entire system).
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
Re: how to bypass CORS?
szczelnybez wrote: ↑2022-01-24, 18:21
"JS file in the archive is to be edited: a row with "whitelist" is to be modified to list trusted sites. Then remove 'zip' extension and double-click to install it."
I can confirm that the plugin works, thank you! not very convenient to edit the .js file though
and this did not work for me.