
Sophos 9.0.7 breaks browser AJAX CORS support in Chrome, Firefox.

Hi,

First, I hope this is posted in the correct place, apologies if not.

It seems like the, rather cryptically named, "Block malicious downloads from websites, protecting your Mac from obfuscated, polymorphic and zero-day threats before reaching your browser" in 9.0.7 - Web Protection breaks AJAX CORS support in Chrome and Firefox (but not Safari).

This has been seen on OS X 10.7, 10.8 and possibly 10.9.

Is this the actual intended behaviour of this feature or does it actually do anything else?


If it is just a way of disabling browser CORS support it would be really helpful if you'd just label it as such. Even mentioning XSS would give a clue as to what Sophos is doing.

It would also be helpful to mention what this feature does in the knowledge base as CORS headers can be fiddly to debug at the best of times.

AJAX CORS is a legitimate way to consume RESTful APIs in many thick client web applications.

At the very least it would be nice if it would respect proxy exceptions for intranet services and allow CORS to work for internal domains.

If it's a bug, then could you please open a ticket on it?

Thank you.



  • After spending about 11 hours on this issue I can confirm that the bug (feature?) still exists in Sophos AV 9.0.11. I am using a Spring servlet as a REST API on a different domain than my client UI that makes the requests. I had the exact same problem as the OP when either of the security settings for web traffic were turned on.

    This must not only be a Sophos AV problem since my teammates had the same issue and they are running Windows with Kaspersky. The official CORS spec is revised as of this January so the major AV vendors are probably still changing their programs to suit the ever-changing technologies.

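Both the original post and the reply above describe the same diagnostic problem: a cross-origin API call that works with one browser or network path and fails with another, where it is unclear whether the server is sending the wrong CORS headers or a filtering proxy is removing them. The following is an added example (not code from the thread, from Sophos, or from the poster's Spring application). It emulates the browser's CORS response checks so the failure reason is spelled out, and diffs two captures of the same response (for instance one taken with curl next to the server and one copied from the browser's network panel) to list headers that vanished in transit. The origin, header values and the "filtered" response are constructed sample data; the safelist handling is simplified (Content-Type is treated as always safelisted, which the spec only does for a few media types).

```javascript
// Added example: emulate browser-side CORS checks and diff two captures of
// one response to separate "server misconfigured" from "headers stripped".

const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
// CORS-safelisted request headers (simplified: the spec only safelists
// Content-Type for form/text media types; it is treated as safelisted here).
const SAFELISTED_HEADERS = new Set([
  "accept", "accept-language", "content-language", "content-type",
]);

function lowerKeys(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v);
  return out;
}

function splitList(value) {
  return (value || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
}

// request: { origin, method, requestHeaders: [names], withCredentials }
// responseHeaders: the headers as the client actually received them
function evaluateCors(request, responseHeaders) {
  const h = lowerKeys(responseHeaders);
  const method = request.method.toUpperCase();
  const reqHeaders = (request.requestHeaders || []).map((n) => n.toLowerCase());
  const problems = [];

  const acao = h["access-control-allow-origin"];
  if (acao === undefined) {
    problems.push("Access-Control-Allow-Origin is absent: the server never sent it, or something between server and browser removed it");
  } else if (acao === "*") {
    if (request.withCredentials) problems.push("wildcard Access-Control-Allow-Origin is rejected for credentialed requests");
  } else if (acao !== request.origin) {
    problems.push(`Access-Control-Allow-Origin "${acao}" does not match "${request.origin}"`);
  }
  if (request.withCredentials && h["access-control-allow-credentials"] !== "true") {
    problems.push('credentialed request but Access-Control-Allow-Credentials is not "true"');
  }

  // Anything beyond a simple method or safelisted headers triggers a preflight,
  // whose response must list the method and the extra headers explicitly.
  const nonSafelisted = reqHeaders.filter((n) => !SAFELISTED_HEADERS.has(n));
  const needsPreflight = !SIMPLE_METHODS.has(method) || nonSafelisted.length > 0;
  if (needsPreflight) {
    const allowMethods = splitList(h["access-control-allow-methods"]);
    if (!SIMPLE_METHODS.has(method) && !allowMethods.includes(method.toLowerCase()) && !allowMethods.includes("*")) {
      problems.push(`method ${method} not listed in Access-Control-Allow-Methods`);
    }
    const allowHeaders = splitList(h["access-control-allow-headers"]);
    for (const n of nonSafelisted) {
      if (!allowHeaders.includes(n) && !allowHeaders.includes("*")) {
        problems.push(`request header ${n} not listed in Access-Control-Allow-Headers`);
      }
    }
  }
  return { needsPreflight, allowed: problems.length === 0, problems };
}

// Header names present in `reference` (a capture taken next to the server)
// but missing from `observed` (what the browser's network panel shows).
function missingHeaders(reference, observed) {
  const ref = lowerKeys(reference);
  const obs = lowerKeys(observed);
  return Object.keys(ref).filter((k) => !(k in obs)).sort();
}

// Constructed sample data: a preflight response as the API server emits it,
// and the same response as seen by a client whose traffic passes through a
// filtering proxy that drops every Access-Control-* header.
const SAMPLE_REQUEST = {
  origin: "https://ui.example.test",
  method: "PUT",
  requestHeaders: ["Content-Type", "Authorization"],
  withCredentials: false,
};
const SERVER_RESPONSE = {
  "Content-Type": "application/json",
  "Access-Control-Allow-Origin": "https://ui.example.test",
  "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE",
  "Access-Control-Allow-Headers": "Content-Type, Authorization",
  "Access-Control-Max-Age": "600",
};
const FILTERED_RESPONSE = { "Content-Type": "application/json" };

// Runs the comparison on the sample data and returns all three results.
function demo() {
  return {
    direct: evaluateCors(SAMPLE_REQUEST, SERVER_RESPONSE),
    viaProxy: evaluateCors(SAMPLE_REQUEST, FILTERED_RESPONSE),
    stripped: missingHeaders(SERVER_RESPONSE, FILTERED_RESPONSE),
  };
}
```

Run `demo()` in Node and compare `direct` with `viaProxy`: when the direct capture is allowed and the proxied one is not, and `stripped` lists only Access-Control-* names, the server configuration is not the problem and the intermediary (here, a web-filtering product) is. The same two-capture comparison is what to attach when asking a vendor to reproduce the behaviour.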