vitvad / access-control-allow-origin Goto Github PK

When the browser is restarted, the extension stops working until the settings window is opened. The reload function is executed when the extension is first installed or the window is opened. It should also be executed when Chrome is opened – perhaps by listening for the chrome.runtime.onStartup event?

Hi, I got everything working except "patch" method. Is there any problem with this or should I do something special?

Thanks for your time.

Can be useful

I'm receiving errors like this on a recent version of chrome:

The 'Access-Control-Allow-Origin' header contains multiple values 'https://example.com, *', but only one is allowed. Origin 'https://example.com' is therefore not allowed access.

This also breaks pages that worked before the extension is enabled, in addition to failing to disable security for the pages that need it.

For instance, pattern http://www.example.com/* matches the xhr but returns 404.

The full url is http://www.example.com/v1/something-more?blah=vblah

I get 404 because I see in devtools/Network that the requested url is changed to http://localhost:3300/undefined/something-more?blah=blah.

• It shouldn't be localhost:3300, this is the url of the app and not the requested url!
• Also the undefined is another mistake that doesn't make any sense.

Any help is appreciated.

So I had little bit time on this week end and merge some pull requests.
Seems I finally start realize how I want to improve extension.

First of all I want keep switching on/off states as simple as is now. So maybe better get rid from popup page suggested by @mhahmadi . Instead settings have to move to options page available through context menu on extension icon or in through extension list page in chrome.

features:

• edit and override headers for response (request) before sending to server on settings page.
• auto-responder to specified url request (functionality like in fiddler ) - will be good to debug 404/403/500 etc. or mock response
• settings page had to have tabs (settings, info tab with CORS related info resources)

as for current code:

• I want get rid from jQuery... no sense use it for $.isArray and .parents() method...
• Angular seems will be good to described functionality above, but I not really want use third party frameworks like Ionic or any other.
• tried to rewrite code and add tests will release 'dev' branch soon. (fortunately don't know how to run tests in chrome (maybe karma will help, but also want availability to turn on/off extension due tests running ))

@mhahmadi, @thegecko open to ideas. lets proceed conversation here.

I just tried to add userscript using backbone to github.com and failed, because of "script-src 'unsafe-eval' assets-cdn.github.com collector-cdn.github.com". Hope that in future extension can be able rewrite Content-Security-Policy.

https://en.wikipedia.org/wiki/Content_Security_Policy

https://github.com/rerun-io/.github/issues/8#issue-1806373351

@vitvad I'd be interested in helping move this project forward, any chance I could get access to help?

Hi,

Great extension but I'm unable to use it currently because the API I am using deals with custom headers.

Could Access-Control-Allow-Headers be set to "*" whilst the extension is active, too?

Cheers

I´d like to use the extension on specific websites like https://example.com or have it active on specific site. Do you know how?

I've had a couple of issues when "Access-Control-Expose-Headers" is enabled and were immediately fixed when disabled.

I started using the extension for a project I am working on. Discovered that it causes an error if it is on while I am on Facebook. A window pops up saying "Something went wrong. Please try closing and reopening your browser window." The message can be closed and the site still works though sometimes it stops working.

There is also this text that shows up on the page:
Response contained invalid JSON. Reason: Unexpected token o in JSON at position 1 for (;;);{"__ar":1,"error":1357004,"errorSummary":"Sorry, something went wrong","errorDescription":"Please try closing and re-opening your browser window.","payload":null,"bootloadable":{},"ixData":{},"gkxData":{},"lid":"6548430904423846021"}

Any ideas on how to fix this? I imagine it happens on other sites too but Facebook is the first time I've seen it in the 12 hours that I have been using the extension. It can be fixed by turning off the extension but I don't really want to toggle it each time I need it or don't need it.

I am interested in trying to fix this but I am not sure I have the time/experience with this tech.

Hey again.

The extension doesn't seem to be setting Access-Control-Expose-Headers for response headers, as such any custom response headers cannot be accessed. Chrome instead throws error messages, for example:

Refused to get unsafe header "Date"
Refused to get unsafe header "X-Some-Header"

Cheers

Could you please add removal of original "Access-Control-Allow-Origin" header before adding "Access-Control-Allow-Origin: *".

Without that fix I have the following error:

XMLHttpRequest cannot load https://externaldomain.com. A wildcard '*' cannot be used in the 'Access-Control-Allow-Origin' header when the credentials flag is true. Origin 'http://localhost.localdomain:8080' is therefore not allowed access.

XMLHttpRequest cannot load https://externaldomain.com/path. The 'Access-Control-Allow-Origin' header contains multiple values 'https://localhost.localdomain, *', but only one is allowed. Origin 'http://localhost.localdomain:8080' is therefore not allowed access.

this is one error. Uncaught ReferenceError: angular is not defined

I've added "Link" to the Access-Control-Expose-Headers but it doesn't work because when I do res.xhr.getResponseHeader("Link") it returns following:

Refused to get unsafe header "Link"

I tried several different ways to specify the pattern that contains port number for example http://127.0.0.1:9000/ in my angular app, no luck so far any ideas?

Chrome still disallows cross domain ajax requests other than the first one when multiple cross domain ajax requests are being done asynchronously. Only the first request executed as expected.

*://*/* fixes the errors I'm having while running applications locally on http:/localhost:3003/, but it causes problems with other sites (github) so I'd like to limit it to localhost, but I can't get any pattern other than the above working.

None of these fix my issues on localhost, what gives?

*://localhost/*
*://localhost:*/*
*://localhost:3003/*
http://localhost/*
localhost/*
http://127.0.0.1/*
*://127.0.0.1/*
*://127.0.0.1:3003/*

Hi,

I was simply wondering why, since today's update, this extension requires you to send it all of your browsing data?

Thanks a bunch.

Hie, and thx for you r usefull application.

I ve an issue when i add a new url pattern, my new entry is just ignored and the old one (by default) is keeped.

Can you fix this please, it would be usefull?

Thx

Otherwise you get this error:

XMLHttpRequest cannot load https://r5---sn-cxab5jvh-cg0el.googlevideo.com/videoplayback?dur=16.901&lmt…ss=yes&cpn=30E7n7GFP1iKltGo&c=WEB&cver=1.20161219&range=0-7959&rn=1&rbuf=0. A wildcard '*' cannot be used in the 'Access-Control-Allow-Origin' header when the credentials flag is true. Origin 'https://www.youtube.com' is therefore not allowed access. The credentials mode of an XMLHttpRequest is controlled by the withCredentials attribute.

Hi, I really like this extension and I use in many of my development, however, I don't get why there's a request with evil.com?

Need to check

For example, for the file: scheme, only onBeforeRequest, onResponseStarted, onCompleted, and onErrorOccurred may be dispatched.
API

So leaving on disabled (Default chrome setting)

If I restart browser it turns the requests on with green icon.

If someone could explain me how this works I would appreciate it.
Thanks

Is there any chance you can add some open-source compliant license to this repo?

Great extension, by the way!

Nice chrome extension, but one suggestion:

Change chrome.storage.local to chrome.storage.sync to sync URL between your clients/browsers.

Thanks,
Timo

Being enabled, it seems it's not working as expected.

Any idea?

Hi, I have tried using a plugin, and I observe an issue, that cookies parameter is missing from request headers.

In case I use --disable-web-security flag Cookies parameter is on place.

Thanks.

See https://chrome.google.com/webstore/detail/allow-control-allow-origi/nlfbmbojpeacfghkpbjhddihlkkiljbi?hl=en

It says "Allow-Control-Allow-Origin", but should be "Access-"!!

Whenever you update your browser (or extension) it forgets settings.
This happens, because onInstalledevent fired on each browser or extension update.

Here docs: https://developer.chrome.com/extensions/runtime#event-onInstalled

Fired when the extension is first installed, when the extension is updated to a new version, and when Chrome is updated to a new version.

can be achieved by setting the Access-Control-Allow-Headers in the response.

I'm using this for development. When I need to make a request that has custom headers in it, chrome will make a preflight request that would fail with a 403 status code. Is it possible to handle this as well?

Double check with fidler