Closed Bug 1650844 Opened 4 years ago Closed 4 years ago

CORS without Allow-Origin still shows response in network inspector

Categories

(DevTools :: Netmonitor, defect)

78 Branch
defect

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: kaushalpatel02021996, Unassigned)

References

Details

Attachments

(1 file)

199.97 KB, application/vnd.openxmlformats-officedocument.wordprocessingml.document
Details
Attached file Mozilla.docx

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36

Steps to reproduce:

  1. I made a CORS PoC for one website, which is not configured with "Access-Control-Allow-Origin".
  2. I didn't get the response on the web page, but I got the response in Inspect.

Actual results:

The browser blocks my request due to the missing CORS Allow-Origin header, but it shows the response data in Inspect.

Expected results:

If the missing CORS Allow-Origin is properly enforced, then I should not be able to see the response data in Inspect either.

Version 78.0.1

There's no way to not make the request - it's a GET request, the spec does not require an OPTIONS request first, and so the only way to see if the request will happen is to actually make it and then evaluate the response headers.

Whether the response is displayed in devtools isn't a security issue - if an "attacker" has access to devtools we have worse problems.

Whether it's confusing is something else. Perhaps we should display an overlay of sorts, indicating the response is not available to the page, with a button to 'show anyway' or whatever.

Group: firefox-core-security
Component: Untriaged → Netmonitor
Product: Firefox → DevTools
Summary: CORS missing allow origin → CORS without Allow-Origin still shows response in network inspector

Agreed, this is just for inspection and we correctly show that the request was blocked. As Gijs said, GET CORS blocking happens on responses.

If we can better annotate the response as "not available to scripts", we can open another bug for that.

Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
Resolution: --- → WONTFIX
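To make the point in Gijs's and Harald's comments concrete, here is an added example (not code from the bug, from Firefox, or from the reporter's PoC) that models the two decisions the browser makes for a cross-origin GET: first whether an OPTIONS preflight is needed at all, and then, only after the response bytes have arrived, whether the page may read them. The origins, headers and response body are constructed sample values; the safelist rules and the CORS check are a simplified rendering of the Fetch spec's "CORS-safelisted request" and "CORS check" algorithms.

```javascript
// Added example, not from the bug report or Firefox: a simplified model of
// (a) whether a cross-origin request needs a preflight and (b) whether the
// response, once received, may be exposed to the page. All names and sample
// messages below are constructed for illustration.

const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFELISTED_HEADERS = new Set([
  "accept", "accept-language", "content-language", "content-type",
]);
const SAFELISTED_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// Simplified "CORS-safelisted request" rules: a GET that carries only
// safelisted headers is sent straight away, with no OPTIONS round trip.
function needsPreflight(method, requestHeaders) {
  if (!SAFELISTED_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(requestHeaders)) {
    const lower = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lower)) return true;
    if (lower === "content-type") {
      const mime = value.split(";")[0].trim().toLowerCase();
      if (!SAFELISTED_CONTENT_TYPES.has(mime)) return true;
    }
  }
  return false;
}

// Simplified "CORS check", applied to the response after it has arrived.
// This is why the network panel can record bytes that the page never sees.
function corsCheck(requestOrigin, credentialsMode, responseHeaders) {
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) h[k.toLowerCase()] = v;
  const allowOrigin = h["access-control-allow-origin"];
  if (allowOrigin === undefined) {
    return { exposed: false, reason: "missing Access-Control-Allow-Origin" };
  }
  if (credentialsMode !== "include" && allowOrigin === "*") {
    return { exposed: true, reason: "wildcard origin, no credentials" };
  }
  if (allowOrigin !== requestOrigin) {
    return { exposed: false, reason: `Allow-Origin ${allowOrigin} does not match ${requestOrigin}` };
  }
  if (credentialsMode !== "include") {
    return { exposed: true, reason: "origin matches" };
  }
  if (h["access-control-allow-credentials"] !== "true") {
    return { exposed: false, reason: "credentialed request without Allow-Credentials: true" };
  }
  return { exposed: true, reason: "origin matches and credentials allowed" };
}

// The scenario from the bug: a plain cross-origin GET against a server that
// sets no CORS headers at all. Origins and body are constructed samples.
function simulateBugScenario() {
  const pageOrigin = "https://site-a.example";
  const request = { method: "GET", headers: { Accept: "application/json" } };
  const response = {
    status: 200,
    headers: { "Content-Type": "application/json" },
    body: '{"hello":"world"}',
  };
  const preflighted = needsPreflight(request.method, request.headers);
  // No preflight, so the request goes out and the bytes come back regardless
  // of what the server's headers say; only then is the CORS check applied.
  const verdict = corsCheck(pageOrigin, "omit", response.headers);
  return {
    preflighted,
    networkPanelSees: response.body, // devtools records the raw exchange
    pageSees: verdict.exposed ? response.body : null, // script sees a network error instead
    reason: verdict.reason,
  };
}

console.log(simulateBugScenario());
```

The `pageSees: null` outcome is the whole story of this bug: the response was fetched and therefore exists in the browser's network log, but the CORS check denies it to script. Hardening the server side means setting `Access-Control-Allow-Origin` to an explicit trusted origin (never reflecting the request's Origin blindly), which `corsCheck` models as the "origin matches" branch.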

I don't see the response in devtools in other browsers like Microsoft Edge and Google Chrome, so I reported the bug.

(In reply to :Harald Kirschner :digitarald from comment #2)
> If we can better annotate the response as "not available to scripts", we can open another bug for that.

I filed a follow-up for this: Bug 1651006 - Indicate that a response is not available to scripts

Honza

OK Thank you

