CyberTech

Level 22
Verified
Privacy-Oriented Origin Policy is anew browser extension for the Firefox web browser that blocks Firefox from sending Origin headers under certain circumstances.

To understand what Privacy-Oriented Origin Policy does, it is necessary to understand how the same-origin policy and cross-origin resource sharing works.

The same-origin policy is a security model that restricts access to resources, e.g. JavaScript scripts, based on the origin (made up of scheme, hostname, and port); this is done to prevent cross-site scripting and cross-site request forgery attacks.

Cross-Origin Resource Sharing bypasses the same-origin policy so that other sites may request resources protected by the same-origin policy.



When a browser makes a cross-origin resource request, it adds a reference to the HTTP header that includes the origin that triggered the request. In other words: it tells the server the request is made to that you came from a certain domain, e.g. https://www.example.com:8080.

Privacy-Oriented Origin Policy may modify these requests to block the information from being revealed to the site the CORS request is made to.

The extension comes with several modes of operation; the default mode, relaxed, relies on heuristics to determine whether it is save to strip the origin header. Aggressive mode on the other hand strips all origin headers. Both modes work on GET requests only.

Relaxed mode won't remove the origin header if the request includes cookies, authorization header, or username, password, query, or hash data in the URL.

Some sites, often those that use cross-origin resource requests for legitimate purposes, may break when the extension is used as requests may fail if the origin header is not sent with requests.

Privacy-Oriented Origin Policy comes with options to whitelist domains. If you notice breakage, e.g. some site functionality is not available when the extension strips the Origin header, then you may add it to the whitelist to allow requests on that domain.



The settings give you even more control over the process:
  • Change the global mode (aggressive or relaxed).
  • Enable overrides, e.g. using aggressive on certain sites or whitelisting sites.
  • Select types of requests, e.g. font or stylesheet, that you want handled in relaxed mode like in aggressive mode.
  • Exclude root domain matches, to allow requests between non-www and www domains that share the same root, e.g. example.com and www.examplec.om
  • Exclude requests using patterns.
Closing words and verdict
Privacy-Oriented Origin Policy is another browser extension that attempts to improve user privacy by restricting built-in functionality. It requires a bit of trial and error to make sure that essential features don't break because of it.

Firefox users who use uMatrix, uBlock Origin, NoScript or other content blockers that can block third-party requests offer an alternative.

Homepage: Privacy-Oriented Origin Policy

Source: Privacy-Oriented Origin Policy for Firefox - gHacks Tech News