I could be off on this one, so please forgive me if so...
According to this article:
Web browsers have the ability to allow remote web servers access to local network resources... ie localhost on the browsing computer, and potentially other network devices behind the browser. It's enabled by default and there's no UI interface to disable it.
This was news to me and is a bit terrifying. Why in the world would anyone ever allow a remote site to bounce commands through their browser to other devices internally... presumably protected by a network firewall to prevent exactly that?!?!?!
Can someone explain this to me? When I google "disable CORS", it appears as though that would make it more open and less secure. I want to disable the capability outright.
I found one mention of a possible answer at: that references "content.cors.disable", but I can't find a mention of that setting anywhere else, and the link doesn't expand on exactly what it does. The name sounds like what I want, but I don't want to make that assumption and end up making things worse.
If anyone can shed light on this, it would be appreciated. If this is the wrong forum, please let me know which SE site I should post it to.
Thank you
1 Answer
The article you read was written in a sensational manner and is only new in its degree of sensationalism. In effect, browsers are pretty well secured against external attack, and local resources are very well protected.
Cross-Origin Resource Sharing (CORS)already exists on all the major browsers, defined as:
a mechanism that allows restricted resources on a web page to be requested from another domain outside the domain from which the first resource was served.
This means that an innocent-looking advertisement on Amazon cannot use JavaScript to download code from a malicious third-party site.
You will find more information in the Mozilla articleCross-Origin Resource Sharing (CORS)as to which are the restrictions on accessing third-party websites.
The article you saw talks about Chrome tightening CORS further than it is today. If you disable CORS, you will open your browser wide open to such attacks, which is the opposite of your wish.
If you wish to improve further the protection against malicious JavaScript, you may use an extension such as NoScript that disallows the execution of all JavaScript from websites that have not been white-listed manually by yourself.
2