Resource response is visible in devtools even when "CORS Missing Allow Origin" is triggered
Categories
(DevTools :: Netmonitor, defect)
Tracking
(Not tracked)
People
(Reporter: karlcow, Unassigned)
References
()
Details
Attachments
(1 file)
blink devedge left, safari tech preview center, firefox nightly right
- Open devtools on Network Panel
- Load https://s3.eu-west-1.amazonaws.com/hacker-secure-cookie-2.io/sop/lab2_embedding.html
- choose in the network Monitor results, the line for sample.json
- Click on the response panel
Expected:
Not accessible.
Actual:
The content of the file is visible.
I'm not sure it's a real issue. The reporter on webcompat seems to be concerned that the response is visible in the devtools, but it doesn't mean that the initial server has access to the data.
That was reported on https://webcompat.com/issues/72813
|
||
Updated•3 years ago
|
|
||
Comment 1•3 years ago
|
||
Thanks for reporting Karl.
We are currently working on this issue in Bug 1671147.
We are looking at showing a notification in this cases.
Please feel free to have a look and add any suggestions
on the solution.
Thanks
|
||
Comment 2•3 years ago
|
||
First I thought this security issue might have happened because the mentioned website's developer might have used both the Same origin policy and Cross Origin Resource Sharing (as seen here:https://secure-cookie.io/fundamental/cors/). However, after seeing the comments on webcompat I could see that this is only affected in Firefox..so could be something else..
Description
•