balvin-perrie / access-control-allow-origin---unblock Goto Github PK

You can unblock CSP by the same way.
CORS uses Access-Control-Allow-Origin.
CSP uses content-security-policy, content-security-policy-report-only, x-webkit-csp, x-content-security-policy

Sending credentials (cookies in my case) is not working when extension is enabled in Firefox

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at ‘https://...’ . (Reason: Credential is not supported if the CORS header ‘Access-Control-Allow-Origin’ is ‘*’).

All the default settings are set:
Access-Control-Allow-Origin: ''
Access-Control-Allow-Methods: 'GET, PUT, POST, DELETE, HEAD, OPTIONS, PATCH'
Access-Control-Allow-Methods: ''
Access-Control-Allow-Credentials: 'true'
Access-Control-Expose-Headers: '*'

From what I could see, it is possible only to select from the predefined methods. Is it possible to type in our own custom method names (eg. XMETHOD)? I ask because there's a site that uses non-standard methods, and these are the ones to which I need access.

Thanks!

A request fails if access-control-allow-credentials is set to true and access-control-allow-headers is set to *.

Settings:

Response:

Chrome error message:

Access to XMLHttpRequest at 'URL' from origin 'https://localhost:9000' has been blocked by CORS policy: Request header field authorization is not allowed by Access-Control-Allow-Headers in preflight response.

How to enable CORS to resolve the follow issue .
Response to preflight request doesn't pass access control check: It does not have HTTP ok status.
below is the error message i am getting .
Access to XMLHttpRequest at 'http://167.254.204.232:9890/vnfpkgm/v1/vnf_packages' from origin 'http://app-ui-dev-env-venkateshc01.167.254.204.183.nip.io' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status

Hi,
I'm using Chrome 80.0.3987.132.

I'm trying to load a local html/javascript file that reads data from a remote server.
I get this error:

Access to XMLHttpRequest at 'https://www.calflora.org/app/userdata' from origin 'null' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

I'm using CORS unblock with WEBDAV (https://tools.ietf.org/html/rfc2518). I need it to enable the following http methods, taken from rfc2518 section 8

• PROPFIND
• PROPPATCH
• MKCOL
• GET
• HEAD
• POST
• DELETE
• PUT
• COPY
• MOVE
• LOCK

and headers, taken from section 9 "9 HTTP Headers for Distributed Authoring"

• DAV
• Depth
• Destiation
• If
• No-tag-list
• tagged-list
• lock-token
• overwrite
• status-uri
• timeout

In fact, I don't need all of those personally. But if possible, I'd like to be able to configure the CORS manipulation in the addon myself somehow. Is that possible?

Override Preflight Response code to 200 to allow certains CORS Request to pass

First of all, thanks for the good work! The plugin helped me a lot to test my scraper.

As a feature request, it would be nice to enable/disable the plugin on a per-site basis. For instance, I had it enabled globally, forgot about it and them ran into trouble with Google Drive (strange errors while uploading).

I want to add a URL to the white list for the exception that will affect this add-on.

Thanks for the useful extension!

It would be great to have support for sending cookies with the proxied requests.

Right now, if you're hitting an endpoint on a domain on which you have cookies, the request will not contain cookies for that domain

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Methods
string "*" can't be used in a response if web code uses XMLHttpRequest.withCredentials.

            'value': prefs.methods.length === self.DEFAULT_METHODS.length ? '*' : prefs.methods.join(', ')

should be changed to

            'value': prefs.methods.join(', ')

or somehow interlocked with "Access-Control-Allow-Credentials: true" rule

Thank you for this great extension!
This extension works perfect for most websites. But it seems some websites also checks origin and referer in the HTTP request header.
Is it possible to add an option to overwrite these 2 values in request header?
For example, if sending a request to https://example.com/sub/a.html, then rewrite the request header to:

origin: https://example.com
referer: https://example.com/sub/a.html

so that the request can be unblocked.
Thanks!

It would be nice to have only code to be usable between many projects without any storage and icons.
Maybe as Github gist or file in repo.

I can't upload any media to Twitter when the extension is both enabled in Firefox's settings and its toolbar.

The Network tab in F12 tools shows that the uploads are blocked with CORS No Allow Credentials error.

Firefox versions: 93.0b6 and 93.0b7 (both Developer Editions)

This is most probably also related to #3 - Access-Control-Allow-Credentials doesn't work at all, either checked or unchecked.