Custom CORS Control - Advanced user control for CORS
This extension aims to provide a user with complete control over the CORS mechanisms.
Misconfiguring the rules WILL break the protections offered by the Same-Origin Policy.
Only requests with an Origin header and a matching rule are modified at all by this extension.
AMO: https://addons.mozilla.org/en-US/firefox/addon/custom-cors-control/
Warning Read first: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS, and https://developer.mozilla.org/en-US/docs/Web/HTML/CORS_settings_attributes.
{
"Type1": {
"Origin1": {
"Target1": {
"Path1": {
"ACRH": [""],
"ACAO": "allow",
"ACEH": [""],
"ACAC": false,
"ACAM": ["GET", "POST"],
"ACAH": [""]
}
}
}
}
}
-
Request Type
One of the request types as documented at https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/webRequest/ResourceType.
*matches everything, but only if no exact matches. -
Origin
Evaluated one-by-one against the origin in
details.originUrlwithString#endsWith, but*matches everything. -
Target origin
Evaluated one-by-one against the origin in
details.targetUrlwithString#endsWith, but*matches everything. -
Path
Evaluated one-by-one against the path in
details.targetUrlwithString#startsWith, but*matches everything.
-
ACRHArray of values allowed to be present in the
Access-Control-Request-Headersheader in preflight request.Headers not present in this array will be omitted from subsequent requests.
-
ACAO"allow": SetAccess-Control-Allow-Origin: <origin>in responses."star": SetAccess-Contorl-Allow-Origin: *in responses."block": Cancel all requests. -
ACEHAn array of values allowed to be present in the
Access-Control-Expose-Headersheader in responses. -
ACACSet
Access-Control-Allow-Credentialsheader in responses to the specified boolean value.Omit
AuthorizationandCookieheaders from actual requests. -
ACAMArray of allowed request methods. The request is canceled if not matched.
For preflight requests, this is matched against
Access-Control-Request-Method.For actual requests, this is matched against
details.method. -
ACAHArray of values allowed to be present in the
Access-Control-Allow-Headersheader in preflight responses.
{
"font": {
"*": {
"*": {
"*": {
"ACAO": "star",
"ACAC": false,
"ACAM": ["GET"]
}
}
}
}
}
- gorhill for uBlock Origin and uMatrix
- earthlng and Thorin-Oakenpants for the ghacks-user.js project.
- crssi for opening the issue on the ghacks-user.js project, bringing the Origin header leak to attention.
- claustromaniac for his Privacy-Oriented Origin Policy project, which is the first extension I came across that attempts to close the
Originheader leak.
The MIT License (MIT)
Copyright (c) 2019-2020 tartpvule
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.