-
Notifications
You must be signed in to change notification settings - Fork 3
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
NOT AN ISSUE: Simple questions / help #2
Comments
@EstherMoellman Sorry for the late reply
The config is a JSON object
For example, to add a rule matching
Hope that explains it
At least, not "xmlhttprequest", but I have not tested all risky request types (e.g. "websocket") or the seemingly benign ones (e.g. "image" in conjunction with canvas shenanigans).
As I understand it, claustromaniac's addon was created to remove the (Details might be sketchy, I have not looked at claustromaniac's addon in a while) That bug I reported was that the safeguards were not sufficient, as plain xmlhttprequest GET requests without credentials are still dangerous. As illustrated in my POC, an attacker can use a visiting user's browser as a proxy to access the user's internal network. This can be used to roughly survey services in the network's topology (Transmission bittorrent client's web interface comes to mind), find out the make and model of the home router (e.g. GET 192.168.1.1 and compare the login page with a database), and more. From a cursury reading of the extension's source code today and the fact that the issue is still open, I would say that "aggressive mode" is still hazardous. You will not find page breakages from using "aggressive mode", but a page specifically coded to take advantage of the security hole will be able to use your browser as a limited proxy. As the extension is not popular I would not expect to find such specially crafted malicious websites outside of targeted attacks today.
Useful in the same way spoofing The crux of it is that, unlike privacy extensions like adblockers that only deny websites something, meddling with CORS headers can result in giving websites (potential attackers) more information than they would otherwise be able to access. Be very careful writing a rule for my extension (CCC), the warning P.S. Spotted several documentation errors while writing this, fixed them. |
Hi @tartpvule !
Firstly, thank you for your CCC' add-on. I found it after reading your conversations with @claustromaniac.
I'm a newbie trying to understand a little about CORS. So please, be patience with my ignorance.
It is not my intention to become a CORS' expert. So honestly, I have no interest on reading a lot about it.
However, I would like to prevent my browser from leaking information to third parties.
And now, I'm trying to compare your add-on with @claustromaniac' add-on.
Please:
At CCC, if I want to test other "request type" (beacon, csp_report, image, main_frame etc), is it enough if I copy/paste the CCC' default rule, and I change "font" to the request type I want to test? Or do I need to add something else for different request types?
What about the "{" and "}"? If I want to test more than one request type at the same time, how do I write a rule containing more than one request type? Where to put the "{" and "}"?
Besides "font" (default), what else do you consider safe to be included as a rule?
I tested the "aggressive mode" at @claustromaniac' add-on, and haven't found any apocalypse (in simple words, not a lot of web-page breakages for me). However I read your explanation about how this might be dangerous (exploited). In the other hand, a year already has passed since the launch of your and @claustromaniac' add-ons, sadly both add-ons didn't become famous... and I ask you: Today, have you changed your opinion about the "aggressive mode"? Are you still against the aggressive mode? Or today, in real world, "aggressive mode" is useful?
Thank you in advance!
The text was updated successfully, but these errors were encountered: