
fix: CORS false-positive in Chrome 71 #616

Merged 1 commit, Nov 8, 2018

Conversation

lidel (Member) commented Nov 8, 2018

This PR restores this workaround for the localhost API and closes #615. It also adds regression tests.

(Fast tracking as this needs to land in Beta and Stable)

@ghost ghost assigned lidel Nov 8, 2018
@ghost ghost added the status/in-progress In progress label Nov 8, 2018
@lidel lidel merged commit 01e72f2 into master Nov 8, 2018
@ghost ghost removed the status/in-progress In progress label Nov 8, 2018
@lidel lidel deleted the fix/cors-chrome-71 branch November 8, 2018 13:10
lidel added a commit that referenced this pull request Nov 8, 2018: Fast-tracked bugfix release for #616
lidel (Member, Author) commented Nov 8, 2018

To clarify, our current approach is to remove Origin: null from requests made to the API URL by js-ipfs-api running in a WebExtension context.

This removes the need for users to add Access-Control-Allow-Origin: null to go-ipfs config, which is better for UX, but remains controversial:

It may seem safe to return Access-Control-Allow-Origin: "null", but the serialization of the Origin of any resource that uses a non-hierarchical scheme (such as data: or file:) and sandboxed documents is defined to be "null". Many User Agents will grant such documents access to a response with an Access-Control-Allow-Origin: "null" header, and any origin can create a hostile document with a "null" Origin. The "null" value for the ACAO header should therefore be avoided.

The simple string comparison of CORS as applied to "null" is controversial. Some believe that "null" should be treated as a keyword token indicating the lack of an Origin, which, when tested, should never compare as equal to another "null" Origin. (As is the case with null values in SQL, for example.) It is unwise to build systems which rely on the "null" equals "null" comparison as this behavior may change in the future.

https://w3c.github.io/webappsec-cors-for-developers/#avoid-returning-access-control-allow-origin-null
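As an added illustration of the W3C guidance quoted above (this is example code, not code from this PR, ipfs-companion, js-ipfs-api or go-ipfs), here is a small Node.js origin check that never echoes the opaque "null" Origin and compares allowlist entries as serialized origins. It assumes a Node.js runtime with the WHATWG URL global; the function names are made up for the example.

```javascript
// Added example, not code from this PR or from ipfs-companion / go-ipfs.
// Documents loaded from data:, file: or sandboxed frames all serialize their
// Origin as the opaque string "null", so "null" must never be accepted as an
// allowlisted origin. Assumes Node.js (WHATWG URL global).

// Serialize any URL to its origin, e.g. "http://localhost:5001".
// Non-hierarchical schemes come back as the literal string "null".
function serializedOrigin(value) {
  try {
    return new URL(value).origin;
  } catch {
    return null; // not a URL at all
  }
}

// Build the set of acceptable origins from operator config. Entries that
// collapse to "null" (file:, data:, or the literal "null") are dropped so a
// misconfiguration cannot quietly open the API to every opaque origin.
function buildAllowlist(entries) {
  const allowed = new Set();
  for (const entry of entries) {
    if (entry === '*') { allowed.add('*'); continue; }
    const origin = serializedOrigin(entry);
    if (origin && origin !== 'null') allowed.add(origin);
  }
  return allowed;
}

// Decide the Access-Control-Allow-Origin value for one request.
// Returns the origin to echo, "*" for a wildcard policy (only meaningful for
// requests without credentials), or null meaning "send no ACAO header", in
// which case the browser blocks the cross-origin read.
function corsOriginFor(requestOrigin, allowlistEntries) {
  if (requestOrigin === undefined) return null;  // same-origin or non-browser client
  if (requestOrigin === 'null') return null;     // opaque origin: never a match
  // Browsers send a canonical origin; anything that does not round-trip is malformed.
  if (serializedOrigin(requestOrigin) !== requestOrigin) return null;
  const allowed = buildAllowlist(allowlistEntries);
  if (allowed.has('*')) return '*';
  return allowed.has(requestOrigin) ? requestOrigin : null;
}
```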

Merging this pull request closes the issue: Can't Connect to Local Node in Chrome with Beta versions v2.5.1.11970 or v2.5.1.12010