Sophos 9.0.7 breaks browser AJAX CORS support in Chrome, Firefox.

Hi,

First, I hope this is posted in the correct place, apologies if not.

It seems like the, rather cryptically named, "Block malicious downloads from websites, protecting your Mac from obfuscated, polymorphic and zero-day threats before reaching your browser" in 9.0.7 - Web Protection breaks AJAX CORS support in Chrome and Firefox (but not Safari).

This has been seen on OS X 10.7, 10.8 and possibly 10.9.

Is this the actual intended behaviour of this feature or does it actually do anything else?


If it is just a way of disabling browser CORS support it would be really helpful if you'd just label it as such.  Even mentioning XSS would give a clue as to what Sophos is doing.

It would also be helpful to mention what this feature does in the knowledge base as CORS headers can be fiddly to debug at the best of times.

AJAX CORS is a legitimate way to consume RESTful APIs in many thick client web applications.

At the very least it would be nice if it would respect proxy exceptions for intranet services and allow CORS to work for internal domains.

If it's a bug, then could you please open a ticket on it?

Thank you.



This thread was automatically locked due to age.
  • Hi Andy,

    Yep, it's definitely infuriating.  What makes it even worse is that it's not consistent.  Some requests get through fine and some stay pending with no pattern that I could make out.

    The good news is that Sophos very quickly and professionally opened a support ticket for us about this and are looking into what's happening.

    So I think they're taking this seriously and should get it fixed ASAP.

    Cheers,

    Sean.
