Broken CORS functionality with SOCKS5 proxy

[TriMoon]

When configured to use a SOCKS5 proxy for an address the web page doesn't work.

Example:

• Proxy (tor): SOCKS5 127.0.0.1 port 9050
• Site: https://www.atv.com.tr/canli-yayin and similar live TV sites.
• Rule: ^[a-z]+://[\w.-]*(radiantmediatechs|daioncdn)\.\w+/

Result in Firefox "Web Developers Tools":

• cdn.radiantmediatechs.com gets blocked with NS_ERROR_DOM_CORP_FAILED (and similar namespace errors for other sites that access URL's from within javascript)

---

[!NOTE] This same bug happens both in the old FoxyProxy-Standard from addons site, and this new v8 version...

Mozilla/5.0 (X11; Ubuntu; Linux x8664; rv:109.0) Gecko/20100101 Firefox/118.0 ID:20230915003051 (Latest snap version of Firefox on Kubuntu 23.04)_

[erosman]

Are you loading the page with a different proxy (or no proxy) and loading the cdn.radiantmediatechs.com with a different one?

https://searchfox.org/mozilla-central/source/xpcom/base/ErrorList.py#732-735

# Used to indicate that a resource with the Cross-Origin-Resource-Policy
# response header set failed the origin check.
# https://fetch.spec.whatwg.org/#cross-origin-resource-policy-header
errors["NS_ERROR_DOM_CORP_FAILED"] = FAILURE(1036)

[TriMoon]

@erosman

Are you loading the page with a different proxy (or no proxy) and loading the cdn.radiantmediatechs.com with a different one?

Yes indeed, i have many proxies setup for different groups of stuff, all of them use the same tor. The pages i visit, start without using any proxy, unless certain hosts are accessed. So in this case yes the web page is loaded without a proxy but the mentioned domain through the proxy.

IMHO, Using a socks proxy this way should have no influence on these...

[erosman]

The error appears to be a Firefox error relating to the Cross-Origin-Resource-Policy. Browsers restrict Cross-Origin Resource Sharing (CORS) for security reasons.

FoxyProxy has not control over CORS.

[TriMoon]

I understand that, but FoxyProxy is the cause of this CORS functionality breaking... So i don't know if it is your code or lacking functionality of firefox to allow extensions to function as a proxy WITHOUT breaking CORS...

Because, IMHO, if you as a proxy extension are not allowed to do this, then your whole reason for existence is in danger..

Do you have an idea for a "work-around" for this problem, beside disabling FoxyProxy or this rule?

[erosman]

Because, IMHO, if you as a proxy extension are not allowed to do this, then your whole reason for existence is in danger..

FoxyProxy has not control over CORS or user configuration that conflicts with CORS.

Do you have an idea for a "work-around" for this problem, beside disabling FoxyProxy or this rule?

Have you tried using the same proxy for the page and its components?

[ericjung]

Also try uninstalling FoxyProxy then use Firefox SOCKS5 settings instead. Same error?

[TriMoon]

The reason people use FoxyProxy is to have a dynamic proxy that adapts to addresses used, correct?

If i, as a user, need to use a fixed proxy for ALL-address, then why use FoxyProxy at all? :thinking:

[!WARNING] Bottom line: FoxyProxy BREAKS C.O.R.S.-functionality No matter if you have control over CORS or not, most webpages in this millenium make use of CORS, so it breaks MOST webpages when using the functionality of FoxyProxy to select a proxy based on address.

---

@ericjung

Also try uninstalling FoxyProxy then use Firefox SOCKS5 settings instead. Same error?

That defeats the purpose of having FoxyProxy... And ofcourse it will NOT give same error for obvious reason...

[ericjung]

That defeats the purpose of having FoxyProxy... And ofcourse it will NOT give same error for obvious reason...

It was requested as a test, not permanent solution, before I understood this is related to different ip addresses loading different domains on the same page.

[ericjung]

Also, note @erosman’s comment:

Have you tried using the same proxy for the page and its components?

if you do that, there should be no problem. Of course that is hard to do and one reason foxyproxy has the logging tab. But some sites can load from dozens of domains and it will be difficult to write rules for all of them for many sites. That’s why it might be easier to use a proxy for all URLs sometimes rather than patterns mode.

Also I suspect this is a socks-only problem. I don’t ever recall seeing this when using an HTTP proxy server.

[TriMoon]

@ericjung , tobe fair: If we need to set/use a single proxy for all pages, is there any need left to use FoxyProxy at all? :thinking: The single-proxy setting is already in Firefox by default...

[ericjung]

@ericjung , tobe fair: If we need to set/use a single proxy for all pages, is there any need left to use FoxyProxy at all? 🤔 The single-proxy setting is already in Firefox by default...

Yes. If you have more than one proxy, switching between them is tedious with native Firefox. This is exactly why there is FoxyProxy Basic - simple proxy switcher without patterns.

[erosman]

In addition to the convenience of switching, setting a single proxy direct via Firefox Network Settings has limitations:

• It is protocol based e.g. http proxy for http target (very old code from the early days) See also: Bug 1804693: Setting single proxy for all fails
• It is not possible to set HTTPS for all
• It is not possible to authenticate SOCKS 5

[TriMoon]

Well sorry, but i and im 100% sure MANY other users use FoxyProxy to SELECTIVELY change proxy based on address requested.

So if FoxyProxy is now breaking CORS, just because it proxies the request via a dynamic proxy to the UNALTERED DESTINATION... Then it is R.I.P. for FoxyProxy :skull:

CORS is a security protocol that only takes source and destination into account, it does NOT provision the path between the two ends of the whole...

Either your SOCKS code is just doing something wrong, or Firefox is broken w.r.t. SOCKS+CORS.

[TriMoon]

[!IMPORTANT] I just checked by disabling FoxyProxy, then setting SOCKS5 proxy in Firefox self. And unfortunately, i get same error wrt. CORS :sob: So it is FIREFOX that is broken, not FoxyProxy in this case. I will post a bug report on firefox bug tracker soon™: https://bugzilla.mozilla.org/show_bug.cgi?id=1855735

[ericjung]

I cannot reproduce this bug. Here is what I did:

1. FoxyProxy v8.0
2. SOCKS5 proxy configured with regular expression INCLUDE pattern ^[a-z]+://[\w.-]*(radiantmediatechs|daioncdn)\.\w+/
3. Set FoxyProxy to "Proxy by Patterns"
4. Visit https://ip.me and confirm that i do NOT see my proxy IP address (no pattern for it)
5. Visit http://cdn.radiantmediatechs.com/

there is a certificate error but the page loads

[ericjung]

p.s. I’m using SOCK5 proxy but not tor

[TriMoon]

@ericjung , the problem is when that address is accessed using a SOCKS5 proxy from WITHIN a script of another page, eg. as 3rd-party (using CORS)... Direct access does not make use of CORS :wink: Anyhow i edited my last reply with the bugzilla bug report, linking to this issue...

[ericjung]

@TriMoon can you give me a url to test that includes the use case you describe? I want to test it without tor. Thanks.

[TriMoon]

@ericjung , see the link in very first post :stuck_out_tongue_winking_eye:

[ericjung]

It works for me with a SOCKS5 proxy server not using tor:

[TriMoon]

Please try the "Canli yayin" link like i posted, not the fragments...

---

Besides the page you show in your screenshot looks like this on my side... With error also, because i didn't exclude that address from my CDN's proxy catcher ^[^:]+://.*(cdn|static)(\d+)?\./ that proxies all CDN's through tor.

[erosman]

re: https://www.atv.com.tr/aldatmak/39-bolum-2-fragman/izle

Opening Dev Tools while page is loading, breaks the page execution due to debugger in the code. The proxy is set to all through single a proxy.

[TriMoon]

@erosman wrt the debugger statement: i know, the coders of that site seem to be very distorted ppl :rofl: (Nothing much we can do vs that...)

[ericjung]

Please try the "Canli yayin" link like i posted, not the fragments...

Besides the page you show in your screenshot looks like this on my side... With error also, because i didn't exclude that address from my CDN's proxy catcher ^[^:]+://.*(cdn|static)(\d+)?\./ that proxies all CDN's through tor.

I went to https://www.atv.com.tr/canli-yayin It loaded. I clicked other links on the site. They all seem to work. The screenshot is from one of my subsequent clicks. But all work with SOCKS5 without tor. Perhaps instead of me testing more, you should test SOCKS5 proxy server without tor proxy.

[TriMoon]

It loaded. I clicked other links on the site. They all seem to work. The screenshot is from one of my subsequent clicks. But all work with SOCKS5 without tor. Perhaps instead of me testing more, you should test SOCKS5 proxy server without tor proxy.

1. Are you using a single proxy for all, or just for that CDN address?
2. Is your socks proxy external to your machine, eg. is the resource fetched using a different external IP as the rest of the page or not?

[ericjung]

It loaded. I clicked other links on the site. They all seem to work. The screenshot is from one of my subsequent clicks. But all work with SOCKS5 without tor. Perhaps instead of me testing more, you should test SOCKS5 proxy server without tor proxy.

1. Are you using a single proxy for all, or just for that CDN address?
2. Is your socks proxy external to your machine, eg. is the resource fetched using a different external IP as the rest of the page or not?

I used the pattern you provided and, as I recall, set to patterns mode. The resources are ditched through a socks5 proxy server hosted on another machine wit a different ip address . Can you please try the same to rule out tor?

[TriMoon]

Can you please try the same to rule out tor?

Unfortunately i don't have access to any socks5 proxies outside my machine, except for my localhost tor...

[ericjung]

Can you please try the same to rule out tor?

Unfortunately i don't have access to any socks5 proxies outside my machine, except for my localhost tor...

I’ll give you one for testing. Contact me directly by email please

[chromer030]

https://github.com/foxyproxy/browser-extension/issues/1#issuecomment-1741240101

I tested this on google-chrome, it seems that it's OK on chrome:

Proxy: Socks5, with rule:

Stream is playing :

cdn.radiantmediatechs.com and rmp.min.js not getting blocked:

[TriMoon]

@chromer030 thx for confirming it's Firefox ONLY :+1:

---

@ericjung

I’ll give you one for testing. Contact me directly by email please

Thanks for the offer I'll think about it, but im out for today. (I normally refuse direct email's, but will consider making an exception in this case :wink: )

[ericjung]

@chromer030 thx for confirming it's Firefox ONLY 👍

I have a feeling it is tor ONLY, not Firefox or Chrome related. Many CDNs block tor exit node IP addresses or redirect them or otherwise thwart them.

[TriMoon]

@ericjung

I have a feeling it is tor ONLY

I'm afraid so too, especially since the test on your side with a SOCKS5 that worked...

I send you a direct email, lets test this further :+1:

[erosman]

Out of curiosity, have you tested with all other addons disabled, in case another addon might be interfering?

[TriMoon]

@erosman

Out of curiosity, have you tested with all other addons disabled, in case another addon might be interfering?

Not really and not really want to, because it would completely disrupt my browsing.

1. I Would need to completely close all my tabs, due to websites that NEED to be protected via tor. (Otherwise some will leak in ways i DONT want)
2. I Would need to keep track of which addons i have enabled/disabled, tobe able to return to previous state. (yes i have many installed, but not all enabled at all times)

In short although it's the most logical way to start debuging an addon's mis-behaviour, im not really enthusiastic to go through all that, hope you understand and don't view it as unwilling to cooperate.

[chromer030]

In my test on Chrome (https://github.com/foxyproxy/browser-extension/issues/31#issuecomment-1741266765) some extenstions are enabled and all affect on website:

• Ublock Origin
• Dark Reader
• Spoof Timezone

[valenting]

Hi folks, I did a quick analysis of the issue in Firefox here: https://bugzilla.mozilla.org/show_bug.cgi?id=1855735#c3 So what's happening when using the tor proxy for those requests is that Cloudflare sees they're coming from Tor and requires the user to solve a challenge. In this case we're only using the tor proxy for those CDN requests, so there's no place for cloudflare to show the user a captcha, so the response is a 403 that happens to have the Cross-Origin-Resource-Policy headers set. We first process those security headers, and because they failed (the policy is same-origin, but resource was not loaded from the same domain) we show the error code instead of the 403 in devtools. The solution here is to either use the proxy for the entire website, or not at all. I don't think this is a Firefox or FoxyProxy bug at all.

[erosman]

@valenting Thank you for taking the time to check this out.

[TriMoon]

@valenting , @erosman

The solution here is to either use the proxy for the entire website, or not at all. I don't think this is a Firefox or FoxyProxy bug at all.

No that solution does NOT work see: https://github.com/foxyproxy/browser-extension/issues/31#issuecomment-1739396104, where i made firefox use the proxy for all connections...

Can you explain why it breaks when using tor for all connections then? Shouldn't proxy connections, socks or not, be transparent to the whole connection end-to-end, and thus not trigger this error in firefox?

[erosman]

Have you tried it with any other proxy besides TOR? It is possible that TOR adds/removes headers.

[ericjung]

Shouldn't proxy connections, socks or not, be transparent to the whole connection end-to-end, and thus not trigger this error in firefox?

Yes, but the IP addresses of all tor exit nodes is known and updated regularly. It is very easy for a website to block tor traffic or change its headers or other content when it detects a tor IP address as the client.

[TriMoon]

@erosman

It is possible that TOR adds/removes headers.

I'm not using the Tor-Browser, tor is just a traffic routing layer not a filter :wink:

@ericjung , yes that makes sense... But it still doesn't explain why in the test from @valenting the requests were made using different HTTP protocols HTTP/2 vs HTTP/3 :thinking:

[valenting]

That's because HTTP/3 can't be proxied through Tor.

[TriMoon]

Ahhh cause it uses UDP :woman_facepalming: