• Login
    • Search
    • Categories
    • Recent
    • Tags
    • Users
    • Groups
    • Rules
    • Help

    Do more on the web, with a fast and secure browser!

    Download Opera browser with:

    • built-in ad blocker
    • battery saver
    • free VPN
    Download Opera

    The ability for extension to tamper with Cross-Origin Resource Sharing (CORS) headers disables the Same Origin Policy (SOP) in Opera

    Opera for computers
    2
    4
    2750
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • doliere
      doliere last edited by

      We would like to bring into discussion an extension capability we thing represent a serious threat: that is the ability for an extension to manipulate CORS headers and make successful unauthorized cross-origin requests.

      Simply put, an application A makes an XHR request to B, which does not respond with any CORS headers. This means that normally, any data returned by B will not be delivered to A. Unfortunately, this is not always true. An extension in the browser can add the necessary CORS headers to the response, causing the data to be delivered to A.

      There are around 10% of extensions that have the necessary permissions (webRequest, webRequestBlocking, host permissions) to tamper with cross-origin requests/responses headers in order to authorized such unauthorized cross-origin accesses.
      The CORS Toggle extension ( https://addons.opera.com/en/extensions/details/cors-toggle/ ) is the only extension we found effectively tampering with CORS headers to allow cross-origin requests.
      This extension can potentially break legitimate CORS headers because of an misunderstanding of the CORS mechanism. It always changes or adds the value of the Access-Control-Allow-Origin response header to *. This has the consequence of breaking legitimate CORS headers with credentials.
      Installing this extension prevents you from playing youtube videos

      But we wanted to know how vendors consider the ability for extensions to manipulate CORS headers. To do so, we wrote the CORSER extension and submitted it for publication.
      We were surpised that CORSER successfully passed extension review process and is now a publicly available for download ( https://addons.opera.com/en/extensions/details/corser-authorize-cors-requests/ ). This was done only for research purposes, and the extension is not collecting any user information for us. However, if an attacker (say our A application) is aware of such extension being installed in the user's browser, then it can make successfull cross-origin requests to fetch any data from B, whatever B is: Gmail, Facebook, Twitter, bank application, etc.
      Doing so, we confirmed that tampering with CORS headers is considered benign from the point of view of browser vendors, despite the fact that such practice has the consequence of disabling the Same Origin Policy in browsers regarding cross-origin requests.

      We would like to know your thoughts about this particular extensions capability.
      As for us, we think that the ability for extensions to tamper with CORS and other security-critical headers (CSP, X-Frame-Options) must not be granted directly with permissions like webRequest and webRequestBlocking. We argue that tampering with such headers must be forbidden by default (as is the case for some requests headers such as cache headers) or extensions would have to request dedicated permissions in order to tamper with those headers. For instance, an extension that is willing to tamper with the Access-Control-Allow-Origin header would have to declare it in its permissions. This way, browser vendors can notify users about the fact that an extension that is being installed is requesting the capability to tamper with the declared CORS headers.

      Reply Quote 0
        doliere 1 Reply Last reply
      • doliere
        doliere @doliere last edited by

        Any comment about this issue ?

        Reply Quote 0
          1 Reply Last reply
        • burnout426
          burnout426 Volunteer last edited by

          Some Opera staff have been FYI'd about it, but that's all I know.

          Reply Quote 0
            doliere 1 Reply Last reply
          • doliere
            doliere @burnout426 last edited by

            @burnout426 Ok thanks !

            Reply Quote 0
              1 Reply Last reply
            • First post
              Last post

            Computer browsers

            • Opera for Windows
            • Opera for Mac
            • Opera for Linux
            • Opera beta version
            • Opera USB

            Mobile browsers

            • Opera for Android
            • Opera Mini
            • Opera Touch
            • Opera for basic phones

            • Add-ons
            • Opera account
            • Wallpapers
            • Opera Ads

            • Help & support
            • Opera blogs
            • Opera forums
            • Dev.Opera

            • Security
            • Privacy
            • Cookies Policy
            • EULA
            • Terms of Service

            • About Opera
            • Press info
            • Jobs
            • Investors
            • Become a partner
            • Contact us

            Follow Opera

            • Opera - Facebook
            • Opera - Twitter
            • Opera - YouTube
            • Opera - LinkedIn
            • Opera - Instagram

            © Opera Software 1995-