DPI -> HTTP Proxy -> HTTP Headers = CORS Missing Allow Origin
Hi everyone.
I've just enabled the HTTPS proxy for my PC to make some tests.
I encounter some difficulties with the HTTP (without S) headers, some webs are shown partially because the "CORS Missin Allow Origin" and then "NS_ERROR_DOM_BAD_URI" when the header is not match and the action is strip.
Is there a way to make it work correctly without allow all headers?
Will I have to put all the urls with "custom/strange" headers?
Thanks in advance.
0
Sign In to comment.
Comments
As you can see, if I add the "Access-Control-Allow-Origin:*" to my list of HTTP headers, its fetched and I can allow it. But I can't know what headers I will encounter in the future... Even more, what URI and headers my clients will encounter or webs that are partially/totally bad showing.
To guarantee that no web site will have issues related to blocked content of any kind - headers, content types, etc. then don't block them.
Otherwise, you have to occasionally change your block list to not block content which is needed from some web site to work as desired.
Another option is to have a list of HTTP web site domain names/IP addrs which are in a HTTP packet filter To: field instead of using a HTTP proxy for them.
The same goes for HTTPS web sites when you have Inspect enabled as the default. Some site just don't work with Inspect enabled - you have to add selected domain names to the Allow list - OR don't implement Inspect.
And, as above, one can have a list of HTTPS web site domain names/IP addrs which are in a HTTPS packet filter To: field instead of using a HTTPS proxy for them.
It is always a choice between easy and lower security, and harder (for the admin and/or the users) but higher security.
Thank you for your reply Bruce.
Seems I have to outline the URLs that usually I connect.