claustromaniac/poop

Firefox extension that prevents sending Origin headers when they are least likely to be necessary, to protect your privacy.

Latest commit 125cf59 · Dec 22, 2018 (34 commits)

🔵 What is this?

An extension for Firefox that gives users a safe degree of control over CORS requests, with the specific goal of preventing the browser from leaking unnecessary information.

🔵 What is CORS?

CORS stands for Cross-Origin Resource Sharing. In short, it is a mechanism that lets a server selectively relax the same-origin policy for its own resources, so that chosen cross-origin requests can be allowed without giving up the policy's protections.

Wikipedia ▪ MDN ▪ W3C

🔵 What is the same-origin policy?

It is a standard that browsers have enforced for many years. From the client's perspective, it prevents a document loaded from one origin from reading resources fetched from a different origin (a different scheme, host or port). Such requests are known as cross-origin requests.

The same-origin policy is a foundational security measure: by stopping one origin from reading another origin's responses, it blocks cross-origin data theft and underpins defenses against XSRF. It does not by itself prevent XSS, since injected script runs inside the vulnerable origin.

Wikipedia ▪ MDN

🔵 How does CORS work?

Every time the browser makes a cross-origin request, it adds an Origin HTTP header to it, which tells the server the origin (scheme, host and port) of the page that made the request. The server parses that header and decides whether to allow or deny access to its resource from that origin. If access is allowed, the server adds an Access-Control-Allow-Origin header to the response, indicating so. The most common values are:

  1. <origin>: the scheme+hostname+port (https://www.example.org:8080) of the single origin that is allowed access. Only one origin can be listed, so servers that allow several typically echo the request's Origin header back.
  2. *: this means the resource is public. It can be read from anywhere as long as the request does not include credentials.
  3. null: this value only matches requests whose own Origin is null (sandboxed iframes, data: URLs, some redirected requests), so it is not a reliable way to deny access and is discouraged. The recommended way to deny access is to not include an Access-Control-Allow-Origin header at all.
  4. no header: access is denied.

When the client reads the response headers, the request succeeds or fails based on the presence or absence of the Access-Control-Allow-Origin header (and its value). If the request did not include credentials, it only succeeds if the value of that header corresponds to either #1 (matching the request's Origin exactly) or #2 (as listed above). If it did include credentials, the value must correspond to #1 and the response must also carry Access-Control-Allow-Credentials: true; the * value is never accepted for a credentialed request.
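The access check described above, written out as an added example (this is not code from the poop extension or the browser; the function and header names are this example's own choices, and the sample headers are constructed). It models what the browser does with the Access-Control-Allow-Origin and Access-Control-Allow-Credentials headers for both credentialed and non-credentialed requests, including the null pitfall from case #3:

```javascript
// Added example: a minimal model of the browser-side CORS access check.
// Header names are matched case-insensitively, as HTTP requires.
function getHeader(headers, name) {
  const key = name.toLowerCase();
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() === key) return v;
  }
  return null;
}

// Returns true if the browser would expose the response to the requesting
// page, false if it would fail the request with a CORS error.
// requestOrigin is the value the browser sent in the Origin header
// (a serialized origin such as "https://a.example", or the string "null").
function corsAllows(requestOrigin, withCredentials, responseHeaders) {
  const acao = getHeader(responseHeaders, "Access-Control-Allow-Origin");
  if (acao === null) return false; // case 4: no header, access denied

  if (!withCredentials) {
    // Cases 1 and 2: an exact origin match or the public wildcard.
    // Note that "null" (case 3) is just an exact match against a
    // request whose Origin is itself "null".
    return acao === "*" || acao === requestOrigin;
  }

  // Credentialed request: "*" is never accepted, the origin must match
  // exactly, and the server must also opt in with
  // Access-Control-Allow-Credentials: true.
  const acac = getHeader(responseHeaders, "Access-Control-Allow-Credentials");
  return acao === requestOrigin && acac !== null && acac.toLowerCase() === "true";
}

// Constructed sample: a public resource read without credentials passes,
// the same response read with credentials does not.
const publicResponse = { "Content-Type": "application/json", "Access-Control-Allow-Origin": "*" };
console.log(corsAllows("https://a.example", false, publicResponse)); // true
console.log(corsAllows("https://a.example", true, publicResponse));  // false
```

The "null" branch is worth trying: a response with Access-Control-Allow-Origin: null is readable by any document whose own Origin is null, which is exactly why the README recommends omitting the header instead.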

🔵 How does this extension work?

It has two main modes of operation: aggressive and relaxed.

  • The aggressive mode quite simply alters all GET requests that include an Origin header. This has the potential to break many websites, which is why the extension also allows more fine-grained control via other options like a whitelist and exclusions.
  • The relaxed mode uses heuristics to guess which GET requests may include credentials, and excludes those automatically. This is the default mode because it is the easiest way to prevent breakage, but since it relies on heuristics, it is by no means perfect. I recommend trying the aggressive mode and whitelisting sites when needed instead.

When this extension decides to alter a request (after passing it through all the filters), that request is modified as follows:

  1. The Origin header is removed from it.
  2. Since the request now carries no Origin header, the server's response most likely does not include an Access-Control-Allow-Origin header either, which would normally cause the request to fail. To prevent that, this extension injects an Access-Control-Allow-Origin: * header into that specific response. Because * only satisfies requests made without credentials, a credentialed request that gets altered will still fail, which is why the relaxed mode tries to exclude those.
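The two rewrites above, as an added example rather than the extension's own code. They are written as pure functions over the header-list shape the Firefox webRequest API uses (arrays of {name, value}), so they can be run and tested outside the browser; the wiring at the end only executes inside a WebExtension. The looksCredentialed heuristic (a Cookie or Authorization header on the request) is this example's assumption, not the extension's actual relaxed-mode heuristic, and the sample headers are constructed:

```javascript
// Added example: strip Origin from qualifying GET requests and patch the
// matching response with Access-Control-Allow-Origin: *.
function hasHeader(headers, name) {
  const key = name.toLowerCase();
  return headers.some(h => h.name.toLowerCase() === key);
}

// Assumed relaxed-mode heuristic for this example: a request that carries
// cookies or an Authorization header is treated as credentialed.
function looksCredentialed(requestHeaders) {
  return hasHeader(requestHeaders, "Cookie") || hasHeader(requestHeaders, "Authorization");
}

// Step 1: decide whether to touch the request and, if so, remove Origin.
// Only GET requests that carry an Origin header are candidates; in relaxed
// mode (aggressive === false) credentialed-looking ones are left alone.
function stripOrigin(method, requestHeaders, aggressive) {
  if (method !== "GET" || !hasHeader(requestHeaders, "Origin")) {
    return { altered: false, requestHeaders };
  }
  if (!aggressive && looksCredentialed(requestHeaders)) {
    return { altered: false, requestHeaders };
  }
  const stripped = requestHeaders.filter(h => h.name.toLowerCase() !== "origin");
  return { altered: true, requestHeaders: stripped };
}

// Step 2: for a request that was altered, make sure its response carries
// Access-Control-Allow-Origin: * so the browser does not fail it. Any
// Access-Control-Allow-Origin the server did send is replaced.
function injectWildcardAcao(responseHeaders) {
  const kept = responseHeaders.filter(h => h.name.toLowerCase() !== "access-control-allow-origin");
  kept.push({ name: "Access-Control-Allow-Origin", value: "*" });
  return kept;
}

// Browser wiring, only when running as a WebExtension. The request id links
// the two listeners so only responses to altered requests get patched.
if (typeof browser !== "undefined" && browser.webRequest) {
  const altered = new Set();
  browser.webRequest.onBeforeSendHeaders.addListener(details => {
    const r = stripOrigin(details.method, details.requestHeaders, false);
    if (r.altered) altered.add(details.requestId);
    return { requestHeaders: r.requestHeaders };
  }, { urls: ["<all_urls>"] }, ["blocking", "requestHeaders"]);

  browser.webRequest.onHeadersReceived.addListener(details => {
    if (!altered.delete(details.requestId)) return {};
    return { responseHeaders: injectWildcardAcao(details.responseHeaders) };
  }, { urls: ["<all_urls>"] }, ["blocking", "responseHeaders"]);
}

// Constructed sample: an anonymous cross-origin GET is altered, the same
// request with a cookie is left alone in relaxed mode.
const anonymousGet = [{ name: "Origin", value: "https://a.example" }, { name: "Accept", value: "*/*" }];
console.log(stripOrigin("GET", anonymousGet, false).altered); // true
console.log(stripOrigin("GET", anonymousGet.concat([{ name: "Cookie", value: "sid=1" }]), false).altered); // false
```

Keying the response patch on the request id matters: patching every response would hand out * for requests the extension never touched, which is more than the scheme above needs.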

🔵 Is this safe?

Yes. The extension only ever removes a header from a request and adds Access-Control-Allow-Origin: * to the response of a request it has already altered; since * never authorizes a credentialed request, this cannot let another site read a logged-in response. At worst it will break website functionality, but there are various built-in ways to circumvent that.

🔵 Why P.O.O.P.?

Because I'm but a lowly hacker-wannabe and I don't want to raise anyone's expectations if I can avoid it. Plus, it was easy to come up with, and it is just as easy to remember.

🔵 Dat icon is tacky AF

Deal with it.

Just pretend it's ice cream or something.

🔵 Privacy

This extension is meant to protect your privacy, not just respect it.

Since you're on Firefox and you seem to care about your privacy, I might as well recommend that you take a good look at this project, which is where this extension was first conceived.

🔵 Acknowledgments

  • Big thanks to crssi for bringing attention to this previously overlooked tracking vector, for all the help testing, and for all the feature suggestions. If not for him, the extension would still be the half-assed solution I first came up with, because I'm quite the lazy bum.
  • Other alpha/beta testers (in no particular order):