
Sophos 9.0.7 breaks browser AJAX CORS support in Chrome, Firefox.

Hi,

First, I hope this is posted in the correct place, apologies if not.

It seems like the, rather cryptically named, "Block malicious downloads from websites, protecting your Mac from obfuscated, polymorphic and zero-day threats before reaching your browser" option in 9.0.7 - Web Protection breaks AJAX CORS support in Chrome and Firefox (but not Safari).

This has been seen on OS X10.7, 10.8 and possibly 10.9. 

Is this the actual intended behaviour of this feature or does it actually do anything else?


If it is just a way of disabling browser CORS support it would be really helpful if you'd just label it as such. Even mentioning XSS would give a clue as to what Sophos is doing.

It would also be helpful to mention what this feature does in the knowledge base, as CORS headers can be fiddly to debug at the best of times.

AJAX CORS is a legitimate way to consume RESTful APIs in many thick-client web applications.

At the very least it would be nice if it would respect proxy exceptions for intranet services and allow CORS to work for internal domains.

If it's a bug, then could you please open a ticket on it?

Thank you.



  • Hi Ajax,

    If you are a Sophos customer could you please call support so that we can try and diagnose this issue?

    I asked internally for some information on what you are seeing and received the following:

    There is certainly nothing in the code that specifically does anything special with AJAX CORS, although if the browser does something with the additional HTTP methods that CORS will produce then it's possible that the filter in SAV could see issues.

    The fact that Ajax says this is only an issue on Chrome and Firefox, but not on Safari, indicates that the preflight interpreters for the CORS methods are different between those browsers, and so the traffic could be slightly different as well.

     

    To investigate this then we would need an example site to go to that generates the issue, or a tcpdump from the customer on Chrome (where it breaks), and on Safari (where it succeeds).

     Darren.
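Darren asks for captures from a browser where CORS breaks and one where it works. The checker below is an added example (not code from this thread or from Sophos) that re-applies the checks Chrome and Firefox make on a preflight OPTIONS response, so the response headers lifted from two captures can be fed in to see which check fails; the origins and headers in the test are constructed.

```python
# Added example, not code from this thread or from Sophos: re-apply the checks
# Chrome and Firefox make on a CORS preflight (OPTIONS) response, so headers
# lifted from two packet captures can be compared to find the failing check.
SIMPLE_METHODS = {"GET", "HEAD", "POST"}
SAFELISTED = {"accept", "accept-language", "content-language", "content-type"}
SIMPLE_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}


def _safelisted(name, value):
    """A request header the browser may send without preflight approval."""
    name = name.lower()
    if name == "content-type":
        return value.split(";")[0].strip().lower() in SIMPLE_TYPES
    return name in SAFELISTED


def needs_preflight(method, req_headers):
    """True if the browser sends an OPTIONS request before the real one."""
    return method.upper() not in SIMPLE_METHODS or any(
        not _safelisted(n, v) for n, v in req_headers.items())


def _csv(value):
    return {v.strip().lower() for v in value.split(",") if v.strip()}


def check_preflight(origin, method, req_headers, resp_headers):
    """Return (ok, reason): would the browser accept this preflight response?"""
    h = {k.lower(): v for k, v in resp_headers.items()}
    allow_origin = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").strip().lower() == "true"
    if allow_origin is None:
        return False, "Access-Control-Allow-Origin missing (stripped in transit?)"
    if allow_origin not in ("*", origin):
        return False, f"origin {origin} not allowed by {allow_origin!r}"
    if allow_origin == "*" and creds:
        return False, "wildcard origin is rejected when credentials are allowed"
    # Wildcards in the method/header lists are only honoured without credentials
    # (the Authorization header is never covered by a wildcard; not modelled here).
    methods = _csv(h.get("access-control-allow-methods", ""))
    if method.upper() not in SIMPLE_METHODS and method.lower() not in methods \
            and not ("*" in methods and not creds):
        return False, f"method {method} not in Access-Control-Allow-Methods"
    allowed = _csv(h.get("access-control-allow-headers", ""))
    for name, value in req_headers.items():
        if not _safelisted(name, value) and name.lower() not in allowed \
                and not ("*" in allowed and not creds):
            return False, f"header {name} not in Access-Control-Allow-Headers"
    return True, "preflight accepted"
```

A preflight that passes here but still fails in the browser points at the traffic itself being altered rather than at the server's CORS configuration.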
