Opened 7 months ago

Last modified 7 months ago

#7269 new change

Do not rewrite preflight OPTIONS requests

Reported by: mjethani Assignee:
Priority: Unknown Milestone:
Module: Platform Keywords: circumvention
Cc: sebastian, kzar, hfiguiere, agiammarchi Blocked By:
Blocking: Platform: Unknown / Cross platform
Ready: no Confidential: no
Tester: Unknown Verified working: no
Review URL(s):

https://codereview.adblockplus.org/30002586/

Description

Background

When the browser wants to send a cross-origin request, it first checks with the server whether the server understands CORS using a preflight request. This is an OPTIONS request that the browser sends automatically. Once the server responds with the appropriate methods with the Access-Control-Allow-Methods header, the browser makes the actual GET or POST request.

When we rewrite a URL using the $rewrite option, we want to rewrite the URL for the actual GET or POST request, not the OPTIONS request, because if we do this the call fails and the site resorts to other ways to show ads.

What to change

In lib/requestBlocker.js, rewrite the URL only if the method is not OPTIONS.

Change History (4)

comment:1 Changed 7 months ago by mjethani

  • Review URL(s) modified (diff)

comment:2 Changed 7 months ago by mjethani

  • Cc hfiguiere added

comment:3 Changed 7 months ago by mjethani

  • Cc agiammarchi added

comment:4 in reply to: ↑ description Changed 7 months ago by mjethani

Replying to mjethani:

[...] if we do this the call fails and the site resorts to other ways to show ads.

I'm not sure about this actually, for the case that we are investigating.

Also, not rewriting the preflight OPTIONS request would leak information to the server, which is perhaps why the rewrite filter exists in the first place.

Note: See TracTickets for help on using tickets.