Local websites don't work anymore with 68.0 (Cross-origin elements require CORS)
Categories
(Core :: DOM: Security, enhancement, P4)
People
(Reporter: it, Unassigned)
Details
(Whiteboard: [domsecurity-backlog])
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.18362
Steps to reproduce:
Opened one of our many help websites that are all in a separate subfolder.
They do not run on a webserver. We ship these help websites with our programs.
So the users just have to click the index.html site to get a help website.
Actual results:
When I open the index.html the console says:
Cross-origin elements require CORS
Expected results:
Accept files in the same folder and its subfolders as same origin.
Comment 1•6 years ago
Hi, this is perhaps fallout due to this privacy/security fix in Firefox 68: https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11730
You could try to change privacy.file_unique_origin to false in about:config, restart Firefox and see if this can make a difference (please note that this makes you vulnerable to the described security problem though).
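Added example (not part of the bug thread and not Firefox code): a simplified JavaScript model of the two file: origin rules at issue here, the directory-based rule the reporter expects and the per-file unique origin applied when privacy.file_unique_origin is true. The function names and all paths are assumptions made up for illustration.

```javascript
// Added example: simplified model of how a file: document's access to another
// file: resource is classified. Not Firefox code; isSameOrigin() and compare()
// are hypothetical names, and every path below is a constructed sample.

function isSameOrigin(docUrl, targetUrl, fileUniqueOrigin) {
  const doc = new URL(docUrl);
  const target = new URL(targetUrl); // the URL parser resolves "." and ".."
  if (doc.protocol !== "file:" || target.protocol !== "file:") {
    throw new TypeError("this model only covers file: URLs");
  }
  // privacy.file_unique_origin = true: each file: document is its own origin,
  // so every other file is cross-origin and the load requires CORS.
  if (fileUniqueOrigin) return false;
  // Older rule: same origin if the target sits in the loading document's
  // directory or in one of its subdirectories.
  const dir = doc.pathname.slice(0, doc.pathname.lastIndexOf("/") + 1);
  return target.pathname.startsWith(dir);
}

// Classify each target under both rules for side-by-side comparison.
function compare(docUrl, targets) {
  return targets.map((target) => ({
    target,
    oldRule: isSameOrigin(docUrl, target, false),
    uniqueOrigin: isSameOrigin(docUrl, target, true),
  }));
}

// Shipped help site: index.html pulling in files relative to its own folder.
console.table(compare("file:///C:/Tool/help/index.html", [
  "file:///C:/Tool/help/topics/intro.html",        // inside a subfolder
  "file:///C:/Tool/help/topics/../../license.txt", // resolves outside help/
]));

// The case the advisory covers: an HTML file saved next to unrelated files.
console.table(compare("file:///C:/Users/alice/Downloads/saved.html", [
  "file:///C:/Users/alice/Downloads/taxes.pdf",
  "file:///C:/Users/alice/Documents/notes.txt",
]));
```

The second table shows why the old rule was tightened: a saved page in a downloads folder counted as same-origin with every file beside it.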
Comment 2•6 years ago (Reporter)
Yes, that works. Thanks.
But I don't think that was a bug of Firefox. It's more a bug of the chat/mail program.
But that's not my problem to discuss.
Maybe it is possible to have a whitelist.
So we could say as a company that all files in "C:\someFolder*" are treated the old way.
So we don't have to kill the CORS for all folders.
Btw: does "privacy.file_unique_origin" only disable CORS for the local files, or also for normal websites?
We only want the local files not to be checked against CORS. The Internet https files should be tested normally.
If it is only for the local files, then we don't mind turning it off.
Best regards
Comment 3•6 years ago
afaik the preference will only disable CORS for the file://-protocol
Comment 4•6 years ago (Reporter)
Thanks. Then it's ok for us.
Comment 5•6 years ago (Reporter)
But it would be nice to have a group policy about that.
In the newest policy templates, there is no switch for this about:config entry.
Or it would be nice just to have an open policy entry where you could insert a JSON like that:
{
  "privacy.file_unique_origin": false,
  "app.update.channel": "aurora",
  ...
}
Then we don't need a policy switch for every about:config entry.
Comment 6•6 years ago
Hi,
Will change the status to new and type to enhancement, and will set the product to Core and component to Core: core & html; feel free to change it if this is not correct.
Updated•6 years ago
Comment 7•3 years ago
Clear a needinfo that is pending on an inactive user.
Inactive users most likely will not respond; if the missing information is essential and cannot be collected another way, the bug maybe should be closed as INCOMPLETE.
For more information, please visit auto_nag documentation.
Updated•3 years ago