From 2ffad2c58cd9db229d50c5c84ed1a66005df4ecd Mon Sep 17 00:00:00 2001 From: Fabian Keil Date: Mon, 26 Aug 2019 13:34:55 +0200 Subject: [PATCH] Document the cors-allowed-origin directive --- doc/source/p-config.sgml | 73 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 73 insertions(+) diff --git a/doc/source/p-config.sgml b/doc/source/p-config.sgml index ba974539..ce1c4ade 100644 --- a/doc/source/p-config.sgml +++ b/doc/source/p-config.sgml @@ -1983,6 +1983,11 @@ ACLs: permit-access and deny-access Requests are accepted if the specified trusted-cgi-refer is the prefix of the Referer. + + If the trusted source is supposed to access the CGI pages via + JavaScript the cors-allowed-origin + option can be used. + Declaring pages the admin doesn't control trustworthy may allow @@ -1997,6 +2002,74 @@ ACLs: permit-access and deny-access @@#trusted-cgi-referer http://www.example.org/local-privoxy-control-page]]> + + +cors-allowed-origin + + + Specifies: + + + A trusted website which can access &my-app;'s CGI pages through JavaScript. + + + + + Type of value: + + URL + + + + Default value: + + Unset + + + + Effect if unset: + + + No external sites get access via cross-origin resource sharing. + + + + + Notes: + + + Modern browsers by default prevent cross-origin requests made + via JavaScript to &my-app;'s CGI interface even if &my-app; + would trust the referer because it's white listed via the + trusted-cgi-referer + directive. + + + Cross-origin resource sharing (CORS) is a mechanism to allow + cross-origin requests. + + + The cors-allowed-origin option can be used to specify + a domain that is allowed to make requests to Privoxy CGI interface + via JavaScript. It is used in combination with the + trusted-cgi-referer + directive. + + + + Declaring domains the admin doesn't control trustworthy may allow + malicious third parties to modify Privoxy's internal state against + the user's wishes and without the user's knowledge. + + + + + + +@@#cors-allowed-origin http://www.example.org/]]> + + -- 2.39.2