Fix HTTP Access-Control-Allow-Origin header

[psiinon]

If HTTP sites (is not HTTPS ones) use the Access-Control-Allow-Origin header then the site will typically not work. ZAP should automatically fix this header. https://stackoverflow.com/questions/61940616/how-do-i-work-with-http-sites-using-the-hud-in-owasps-zap-proxy

[jveldhuijzen]

I'm willing to pick this up. My plan was to update the Access-Control-Allow-Origin header in onHttpResponseReceive as described in the stackoverflow post. I'm new to the gradle/java world and do not know how I can best debug this app? Any advice?

[njmulsqb]

Hi @psiinon , what's the status on this issue?

[thc202]

Does not seem to be actively worked on.

[njmulsqb]

Does not seem to be actively worked on.

I can see that @jveldhuijzen has pushed a commit, have you reviewed that?

[thc202]

That's not a pull request (in any case that's not finished, e.g. setting other header).

[psiinon]

For info ZAP already optionally strips out CSP. The relevant code for this:

• https://github.com/zaproxy/zap-hud/blob/a6e0af1cc4e88a574c01ffa75736170bf27990fc/src/main/java/org/zaproxy/zap/extension/hud/HudParam.java#L95
• https://github.com/zaproxy/zap-hud/blob/6b2ab0b494951cf7bbd0f05db79e3c72715cb491/src/main/java/org/zaproxy/zap/extension/hud/OptionsHudPanel.java#L58
• https://github.com/zaproxy/zap-hud/blob/6b2ab0b494951cf7bbd0f05db79e3c72715cb491/src/main/java/org/zaproxy/zap/extension/hud/ExtensionHUD.java#L440

To fix this issue we'll need to do something similar.

[njmulsqb]

Is this message in HUD tutorial also explaining the current problem?