New Update Privacy-Oriented Origin Policy for Firefox

CyberTech

Level 44
Thread author
Verified
Top Poster
Well-known
Nov 10, 2017
3,247
Privacy-Oriented Origin Policy is anew browser extension for the Firefox web browser that blocks Firefox from sending Origin headers under certain circumstances.

To understand what Privacy-Oriented Origin Policy does, it is necessary to understand how the same-origin policy and cross-origin resource sharing works.

The same-origin policy is a security model that restricts access to resources, e.g. JavaScript scripts, based on the origin (made up of scheme, hostname, and port); this is done to prevent cross-site scripting and cross-site request forgery attacks.

Cross-Origin Resource Sharing bypasses the same-origin policy so that other sites may request resources protected by the same-origin policy.

privacy-origin.png


When a browser makes a cross-origin resource request, it adds a reference to the HTTP header that includes the origin that triggered the request. In other words: it tells the server the request is made to that you came from a certain domain, e.g. https://www.example.com:8080.

Privacy-Oriented Origin Policy may modify these requests to block the information from being revealed to the site the CORS request is made to.

The extension comes with several modes of operation; the default mode, relaxed, relies on heuristics to determine whether it is save to strip the origin header. Aggressive mode on the other hand strips all origin headers. Both modes work on GET requests only.

Relaxed mode won't remove the origin header if the request includes cookies, authorization header, or username, password, query, or hash data in the URL.

Some sites, often those that use cross-origin resource requests for legitimate purposes, may break when the extension is used as requests may fail if the origin header is not sent with requests.

Privacy-Oriented Origin Policy comes with options to whitelist domains. If you notice breakage, e.g. some site functionality is not available when the extension strips the Origin header, then you may add it to the whitelist to allow requests on that domain.

origin-filters.png


The settings give you even more control over the process:
  • Change the global mode (aggressive or relaxed).
  • Enable overrides, e.g. using aggressive on certain sites or whitelisting sites.
  • Select types of requests, e.g. font or stylesheet, that you want handled in relaxed mode like in aggressive mode.
  • Exclude root domain matches, to allow requests between non-www and www domains that share the same root, e.g. example.com and www.examplec.om
  • Exclude requests using patterns.
Closing words and verdict
Privacy-Oriented Origin Policy is another browser extension that attempts to improve user privacy by restricting built-in functionality. It requires a bit of trial and error to make sure that essential features don't break because of it.

Firefox users who use uMatrix, uBlock Origin, NoScript or other content blockers that can block third-party requests offer an alternative.

Homepage: Privacy-Oriented Origin Policy

Source: Privacy-Oriented Origin Policy for Firefox - gHacks Tech News
 

Moonhorse

Level 37
Verified
Top Poster
Content Creator
Well-known
May 29, 2018
2,602
Isnt decentraleyes doing the same if you enable 'block mode'
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top