Firefox WebExtensions and Cross-domain privileges

I am trying to port a Chrome extension to Firefox using the relatively new WebExtensions from Firefox.
I am always getting the following error:
Cross-Origin Request Blocked:
The Same Origin Policy disallows reading the remote resource at .... (Reason: CORS header 'Access-Control-Allow-Origin' missing)
I added the website I would like to access to the permissions section inside the manifest.json as explained on the website, and on Google Chrome it's working.
Normally it should work that way; at least it's explained that way on https://developer.mozilla.org/en-US/Add-ons/WebExtensions/Content_scripts#Cross-domain_privileges
I would be very thankful for any help since I am out of ideas.

manifest.json
{
  ...
  "permissions": [
    "<all_urls>"
  ]
}

I think you need to add a CSP header to your HTML page (http://content-security-policy.com/). I had to add one to get mine to work with a similar warning.

Related

cypress iframe function works on chrome but not firefox

I'm trying to run a test that involves iframes with Firefox. The test works with Chrome but not with Firefox. It seems that when I get the iframe and subsequently try to find the body, the body is returned as undefined.
Timed out retrying: Expected to find element: undefined, but never found it.
cy.get('iframe').then(($iframe) => {
  const $body = $iframe.contents().find('body');
  cy.wrap($body); // <- this is where the test times out: $body is undefined
});
The html looks the same for firefox as it does for chrome. Does anyone know what the underlying issue is for that?
The most likely cause is the same origin policy.
In a nutshell, if the page loaded inside the iframe comes from a different domain than the parent page, then your JavaScript will not be allowed to access the DOM within the iframe.
The reason it is working for you on Chrome is likely because you have used this setting in your cypress.json config file to disable the same origin policy in Chrome:
"chromeWebSecurity": false
As of this writing (Nov 2020), Firefox sadly does not have an equivalent way to disable the same origin policy for testing purposes. The bug report is here.

Cross Site Access Not Allowed (using Django 2.1.5)

I am working on an app using Django 2.1.5 with DRF 3.9.1, and in the Firefox browser console I am getting this error:
downloadable font: download failed (font-family: "FontAwesome" style:normal weight:400 stretch:100 src index:2): bad URI or cross-site access not allowed source: http://softpro-admin-templates.websitedesignmarketingagency.com/assets/vendor_components/font-awesome/fonts/fontawesome-webfont.woff?v=4.7.0
After some googling, I came across this link: https://github.com/ottoyiu/django-cors-headers/
As mentioned in the document I have installed the package and made the following modifications in the settings file:
CORS_ORIGIN_ALLOW_ALL = True
CORS_ALLOW_CREDENTIALS = True
MIDDLEWARE = [
    'corsheaders.middleware.CorsMiddleware',  # added at the top
    ...  # the existing middleware entries follow
]
INSTALLED_APPS = [
    'corsheaders',
]
But still, I am getting the same error. Can someone help me with this issue?
I'm assuming you're not the owner of softpro-admin-templates.websitedesignmarketingagency.com
Somewhere on your site, you're using fontawesome version 4.7.0 (a common icon font) but providing the above host as the source for this font. Due to CORS policies in most browsers, the host has to specifically allow this if the site the request originates from (yours) was fetched from a different domain (origin).
As the maintainer(s) of softpro-admin-templates.websitedesignmarketingagency.com likely don't know anything about your site, this hasn't been done. Change the src of fontawesome to your own server or the CDN suggested by fontawesome to solve this.

Firefox fails on CORS resource, while Chrome and Safari work

I have a seemingly correct resource backed by a CouchDB installation. Requests are made using JS Axios. Both Chrome and Safari work; Firefox 65.0, however, fails with
CORS header 'Access-Control-Allow-Origin' does not match 'http://localhost:8080, *'
The server (CouchDB) does, in fact, not deliver
'http://localhost:8080, *' as Access-Control-Allow-Origin
but
Access-Control-Allow-Origin http://localhost:8080
Access-Control-Expose-Headers content-type, cache-control, a…e-newrev, x-couchdb-body-time
since its CORS configuration accepts requests from all domains ('*').
This, as mentioned, works perfectly for the other browsers, but fails for Firefox. I really can't seem to find the reason or a solution for this, and keep wondering where the additional '*' that Firefox wants to see comes from.
@sideshowbarker thanks for the hint. Indeed, the behaviour was due to an extension, namely this one: https://addons.mozilla.org/en-US/firefox/addon/cross-domain-cors/ After disabling this extension, CORS worked as expected!
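As an added example (not code from any of the posts on this page), the following re-implements the browser-side CORS check from the Fetch standard for the Access-Control-Allow-Origin header. It reproduces the 'missing' failure from the WebExtension question at the top and the 'does not match' failure from this CouchDB question, and shows why a combined value such as 'http://localhost:8080, *' can never pass: the header is compared as one exact string, never as a list.

```javascript
// Added example, not from any post on this page: the browser-side CORS check
// from the Fetch standard, as applied to the Access-Control-Allow-Origin
// response header. Reproduces the failures quoted in the Firefox WebExtension
// question (header missing) and the CouchDB question (header does not match).

// Fetch reads a header as one combined value: repeated headers are joined
// with ", ", so two Access-Control-Allow-Origin lines become a single value
// such as "http://localhost:8080, *" that can match neither "*" nor an origin.
function combinedHeader(responseHeaders, name) {
  const values = [];
  for (const [k, v] of Object.entries(responseHeaders)) {
    if (k.toLowerCase() === name.toLowerCase()) values.push(...[].concat(v));
  }
  return values.length ? values.join(", ") : null;
}

// requestOrigin: serialized origin of the requesting page, e.g. "http://localhost:8080".
// responseHeaders: { headerName: value | [values] } (constructed for the example).
// withCredentials: true for fetch credentials "include" / XHR withCredentials.
function corsCheck(requestOrigin, responseHeaders, withCredentials = false) {
  const acao = combinedHeader(responseHeaders, "Access-Control-Allow-Origin");
  if (acao === null) {
    return { ok: false, reason: "CORS header 'Access-Control-Allow-Origin' missing" };
  }
  // "*" is accepted only for requests made without credentials.
  if (acao === "*" && !withCredentials) {
    return { ok: true, reason: "" };
  }
  // Otherwise the value must equal the request origin byte for byte: no
  // pattern matching, no lists, and "*" fails here when credentials are sent.
  if (acao !== requestOrigin) {
    return { ok: false,
      reason: `CORS header 'Access-Control-Allow-Origin' does not match '${acao}'` };
  }
  if (withCredentials &&
      combinedHeader(responseHeaders, "Access-Control-Allow-Credentials") !== "true") {
    return { ok: false,
      reason: "credentialed request but Access-Control-Allow-Credentials is not 'true'" };
  }
  return { ok: true, reason: "" };
}
```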

CORS issue from CloudFront to server for font

We are getting a CORS issue from CloudFront to my site, for fonts only.
Access to Font at 'http://d2v777xrj.cloudfront.net/assets/simple-line-icons/fonts/Simple-Line-Icons-ff94ad94c3a9d04bd2f80cb3c87dcccb.woff' from origin 'http://example.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://example.com' is therefore not allowed access.
References (after looking into references, I found these that worked for me. I didn't add any CORS on the S3 bucket, only CloudFront accessing S3) [for your case, change themes to assets]:
https://deliciousbrains.com/wp-offload-media/doc/font-cors/
http://thelazylog.com/correct-configuration-to-fix-cors-issue-with-cloudfront/
Tried everything but nothing worked!
But the solution was very easy, just a two-step solution and nothing else.
Go to S3 Bucket -> Permissions -> Edit: Cross-origin resource sharing (CORS) -> paste the configuration below. In most of the other articles they make the mistake of using the wrong header; you have to put "Origin" in AllowedHeaders.
[
  {
    "AllowedHeaders": [
      "Origin"
    ],
    "AllowedMethods": [
      "HEAD",
      "GET"
    ],
    "AllowedOrigins": [
      "http://www.yourdomain.com",
      "https://www.yourdomain.com",
      "https://yourdomain.com",
      "http://yourdomain.com"
    ],
    "ExposeHeaders": [],
    "MaxAgeSeconds": 3000
  }
]
Go to CloudFront -> Behaviours -> Default (*) -> Edit
Change "Cache and origin request settings" to: Use legacy cache settings
Change "Cache Based on Selected Request Headers" to: Whitelist
Then add Whitelist Headers: Origin [only]
CloudFront added the Origin Policy recently. Updating the origin policy to s3origin worked for me, as below, once S3 was configured correctly.
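Added example, not the answer's own code: a small model of S3's CORS rule evaluation and CloudFront's legacy header whitelisting (the rule mirrors the JSON above; S3 and CloudFront are simplified to the behaviour that matters here). It shows that when the Origin header is not forwarded, S3 returns no CORS headers at all, and that origin-less response is then cached and served to the font request too.

```javascript
// Added example (not the answer's own code); the rule mirrors the answer's JSON.
const s3CorsRules = [{                 // simplified model of the S3 CORS rule
  AllowedHeaders: ["Origin"],
  AllowedMethods: ["HEAD", "GET"],
  AllowedOrigins: ["https://www.yourdomain.com", "https://yourdomain.com"],
}];
// S3 accepts at most one "*" wildcard in an AllowedOrigins entry.
function originMatches(pattern, origin) {
  const star = pattern.indexOf("*");
  if (star === -1) return pattern === origin;
  const head = pattern.slice(0, star), tail = pattern.slice(star + 1);
  return origin.length >= head.length + tail.length &&
    origin.startsWith(head) && origin.endsWith(tail);
}
// S3 adds CORS headers only when the request carries an Origin a rule allows.
function s3Get(path, reqHeaders) {
  const res = { body: `bytes of ${path}`, headers: {} };
  const origin = reqHeaders.origin;
  if (!origin) return res;               // no Origin header: no CORS headers
  const rule = s3CorsRules.find(r => r.AllowedMethods.includes("GET") &&
    r.AllowedOrigins.some(p => originMatches(p, origin)));
  if (rule) res.headers["access-control-allow-origin"] = origin; // S3 echoes it
  return res;
}

// CloudFront, legacy cache settings: only whitelisted request headers reach the
// origin, and only they are part of the cache key.
class CloudFront {
  constructor(whitelistedHeaders) {
    this.whitelist = whitelistedHeaders.map(h => h.toLowerCase());
    this.cache = new Map();
  }
  get(path, reqHeaders) {
    const forwarded = {};
    for (const h of this.whitelist) if (h in reqHeaders) forwarded[h] = reqHeaders[h];
    const key = path + "|" + JSON.stringify(forwarded);
    if (!this.cache.has(key)) this.cache.set(key, s3Get(path, forwarded));
    return this.cache.get(key);
  }
}

// ACAO header the site's font request receives via the CDN, or null. Without
// "Origin" whitelisted, the first (origin-less) hit is cached and reused.
function fontAcao(whitelistedHeaders) {
  const cdn = new CloudFront(whitelistedHeaders);
  const font = "/assets/simple-line-icons/fonts/Simple-Line-Icons.woff";
  cdn.get(font, {});
  return cdn.get(font, { origin: "https://www.yourdomain.com" })
    .headers["access-control-allow-origin"] || null;
}
```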

Firefox content script not loading in some pages

Context
I am currently working on a browser extension which is working as expected with Chrome and Opera but I am facing issues with Firefox. Here is a minimal version of manifest.json needed to reproduce the problem:
{
  "name": "Example",
  "version": "0.0.1",
  "author": "Pyves",
  "content_scripts": [
    {
      "all_frames": true,
      "matches": [
        "<all_urls>"
      ],
      "js": [
        "content.js"
      ]
    }
  ],
  "manifest_version": 2
}
And here is the related content.js:
console.log("Content script loaded");
Issue
"Content script loaded" is systematically logged regardless of the visited page when using Chrome and Opera. Nevertheless, the content script doesn't seem to load in some pages when using Firefox, for instance raw GitHub pages such as the following:
https://raw.githubusercontent.com/badges/shields/master/README.md
There are no error messages in the Firefox console stating why the content script was not executed on that particular page.
Questions
Why is the Firefox extension unable to load the content script into some pages?
What changes need to be made so that the extension works consistently on all browsers?
I finally figured out why the extension's content script is not loading in some pages when using Firefox.
After analysing the requests with the Network developer tools, it turns out that the following headers are returned when getting GitHub raw pages:
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
According to the MDN Web Docs, the sandbox CSP directive has the following effect:
"enables a sandbox for the requested resource [...]. It applies restrictions to a page's actions including preventing popups, preventing the execution of plugins and scripts, and enforcing a same-origin policy."
Therefore Firefox is preventing extensions from executing content scripts in pages with the sandbox CSP, whereas other browsers such as Chrome and Opera do allow this behaviour. Related bug reports in Mozilla's Bugzilla (1267027 and 1411641) highlight that:
CSP 'sandbox' directive prevents content scripts from matching, due to unique origin
This issue has been acknowledged and will hopefully be fixed in future releases of Firefox.
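Added example, not part of the question or answer above: a parser for the Content-Security-Policy header following the CSP3 serialization, used to pick out the sandbox directive that the raw GitHub response quoted above carries (the header value is the one from the answer; the function names are this example's own).

```javascript
// Added example, not from the question or answer above: a parser for the
// Content-Security-Policy header following the CSP3 serialization (policies
// separated by ",", directives by ";", name and values by ASCII whitespace,
// names case-insensitive, a repeated directive name keeps its first
// occurrence), used to flag the "sandbox" directive described above.
function parseCsp(serializedPolicy) {
  const policy = new Map();
  for (const directive of serializedPolicy.split(";")) {
    const tokens = directive.trim().split(/[ \t\n\f\r]+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1)); // first one wins
  }
  return policy;
}

// A response can carry several policies: repeated headers, or one header whose
// value is a comma-separated list. Every policy is enforced independently.
function parseCspHeaders(headerValues) {
  return headerValues.flatMap(v => v.split(",")).map(parseCsp)
    .filter(p => p.size > 0);
}

// Returns the sandbox flags if any policy sandboxes the document, else null.
// An empty array means a bare "sandbox" (the GitHub raw case): every
// restriction applies and the document gets a unique origin, which the
// Bugzilla reports above identify as what stops content scripts from matching.
function sandboxFlags(headerValues) {
  for (const policy of parseCspHeaders(headerValues)) {
    if (policy.has("sandbox")) return policy.get("sandbox");
  }
  return null;
}

// Header value observed on raw.githubusercontent.com, as quoted in the answer.
const GITHUB_RAW_CSP = "default-src 'none'; style-src 'unsafe-inline'; sandbox";
```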
