#7269 closed change (rejected)

Do not rewrite preflight OPTIONS requests

Reported by:	mjethani	Assignee:
Priority:	Unknown	Milestone:
Module:	Platform	Keywords:	circumvention, closed-in-favor-of-gitlab
Cc:	sebastian, kzar, hfiguiere, agiammarchi	Blocked By:
Blocking:		Platform:	Unknown / Cross platform
Ready:	no	Confidential:	no
Tester:	Unknown	Verified working:	no
Review URL(s):	https://codereview.adblockplus.org/30002586/

Description

Background

When the browser wants to send a cross-origin request, it first checks with the server whether the server understands CORS using a preflight request. This is an OPTIONS request that the browser sends automatically. Once the server responds with the appropriate methods with the Access-Control-Allow-Methods header, the browser makes the actual GET or POST request.

When we rewrite a URL using the $rewrite option, we want to rewrite the URL for the actual GET or POST request, not the OPTIONS request, because if we do this the call fails and the site resorts to other ways to show ads.

What to change

In lib/requestBlocker.js, rewrite the URL only if the method is not OPTIONS.

Change History (5)

comment:1 Changed on 02/09/2019 at 11:29:03 AM by mjethani

Review URL(s) modified (diff)

comment:2 Changed on 02/09/2019 at 11:29:44 AM by mjethani

Cc hfiguiere added

comment:3 Changed on 02/10/2019 at 12:20:21 PM by mjethani

Cc agiammarchi added

comment:4 in reply to: ↑ description Changed on 02/10/2019 at 12:30:57 PM by mjethani

Replying to mjethani:

[...] if we do this the call fails and the site resorts to other ways to show ads.

I'm not sure about this actually, for the case that we are investigating.

Also, not rewriting the preflight OPTIONS request would leak information to the server, which is perhaps why the rewrite filter exists in the first place.

comment:5 Changed on 08/29/2019 at 05:43:18 PM by sebastian

Keywords closed-in-favor-of-gitlab added
Resolution set to rejected
Status changed from new to closed

Sorry, but we switched to GitLab. If this issue is still relevant, please file it again in the new issue tracker.

Context Navigation

#7269 closed change (rejected)

Do not rewrite preflight OPTIONS requests

Description

Background

What to change

Attachments (0)

Change History (5)

comment:1 Changed on 02/09/2019 at 11:29:03 AM by mjethani

comment:2 Changed on 02/09/2019 at 11:29:44 AM by mjethani

comment:3 Changed on 02/10/2019 at 12:20:21 PM by mjethani

comment:4 in reply to: ↑ description Changed on 02/10/2019 at 12:30:57 PM by mjethani

comment:5 Changed on 08/29/2019 at 05:43:18 PM by sebastian

Add Comment

Modify Ticket

Changed by kzar

Download in other formats:

Summary:
Description:	You may use WikiFormatting here. === Background === When the browser wants to send a cross-origin request, it first checks with the server whether the server understands [https://developer.mozilla.org/en-US/docs/Glossary/CORS CORS] using a [https://developer.mozilla.org/en-US/docs/Glossary/Preflight_request preflight request]. This is an [https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/OPTIONS OPTIONS] request that the browser sends automatically. Once the server responds with the appropriate methods with the `Access-Control-Allow-Methods ` header, the browser makes the actual GET or POST request. When we rewrite a URL using the `$rewrite` option, we want to rewrite the URL for the actual GET or POST request, not the OPTIONS request, because if we do this the call fails and the site resorts to other ways to show ads. === What to change === In `lib/requestBlocker.js`, rewrite the URL only if the method is not OPTIONS.
Type:		Priority:
Milestone:		Module:
Keywords:		Cc:
Blocked By:		Blocking:
Platform:		Ready:
Confidential:		Tester:
Verified working:
Review URL(s):	https://codereview.adblockplus.org/30002586/