X-Git-Url: http://www.privoxy.org/gitweb/?a=blobdiff_plain;f=doc%2Fsource%2Fp-config.sgml;h=5eef4d2d2706ddee36c11d9c26860d5e58027c26;hb=d269e47d4fb748b6367f03e8962b04dc4ab86ef5;hp=ba974539df0f024aa0f5ff820acf2c48fbdb9e14;hpb=3f47e92cd5ade006b4911f98d0f24e61048075e6;p=privoxy.git
diff --git a/doc/source/p-config.sgml b/doc/source/p-config.sgml
index ba974539..5eef4d2d 100644
--- a/doc/source/p-config.sgml
+++ b/doc/source/p-config.sgml
@@ -3,7 +3,7 @@
Purpose : Used with other docs and files only.
- Copyright (C) 2001-2018 Privoxy Developers https://www.privoxy.org/
+ Copyright (C) 2001-2019 Privoxy Developers https://www.privoxy.org/
See LICENSE.
========================================================================
@@ -90,7 +90,7 @@
Sample Configuration File for Privoxy &p-version;
-Copyright (C) 2001-2018 Privoxy Developers https://www.privoxy.org/
+Copyright (C) 2001-2019 Privoxy Developers https://www.privoxy.org/
@@ -1983,6 +1983,11 @@ ACLs: permit-access and deny-access
Requests are accepted if the specified trusted-cgi-refer is the prefix
of the Referer.
+
+ If the trusted source is supposed to access the CGI pages via
+ JavaScript the cors-allowed-origin
+ option can be used.
+
Declaring pages the admin doesn't control trustworthy may allow
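Review bot: The sentence added to the trusted-cgi-referer notes says the cors-allowed-origin option "can be used", which reads as if it were an alternative to trusted-cgi-referer. The cors-allowed-origin section added further down in this patch says it is used in combination with that directive. Suggest stating that here too, for example "the cors-allowed-origin option has to be set in addition", and adding a comma after "JavaScript".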
@@ -1997,6 +2002,74 @@ ACLs: permit-access and deny-access
@@#trusted-cgi-referer http://www.example.org/local-privoxy-control-page]]>
+
+
+cors-allowed-origin
+
+
+ Specifies:
+
+
+ A trusted website which can access &my-app;'s CGI pages through JavaScript.
+
+
+
+
+ Type of value:
+
+ URL
+
+
+
+ Default value:
+
+ Unset
+
+
+
+ Effect if unset:
+
+
+ No external sites get access via cross-origin resource sharing.
+
+
+
+
+ Notes:
+
+
+ Modern browsers by default prevent cross-origin requests made
+ via JavaScript to &my-app;'s CGI interface even if &my-app;
+ would trust the referer because it's white listed via the
+ trusted-cgi-referer
+ directive.
+
+
+ Cross-origin resource sharing (CORS) is a mechanism to allow
+ cross-origin requests.
+
+
+ The cors-allowed-origin option can be used to specify
+ a domain that is allowed to make requests to Privoxy CGI interface
+ via JavaScript. It is used in combination with the
+ trusted-cgi-referer
+ directive.
+
+
+
+ Declaring domains the admin doesn't control trustworthy may allow
+ malicious third parties to modify Privoxy's internal state against
+ the user's wishes and without the user's knowledge.
+
+
+
+
+
+
+@@#cors-allowed-origin http://www.example.org/]]>
+
+
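Review bot: "Type of value" says URL, but the Notes say the option specifies "a domain" and the example is "http://www.example.org/" with a trailing slash. Since browsers send the Origin header as scheme, host and optional port with no path, the text should state the exact form the value must take and how it is compared with the request's origin, so an admin knows whether the trailing slash or a port matters. It should also say whether the directive may be given more than once, because "a trusted website" and "a domain" suggest a single origin only. Minor wording in the Notes: "to Privoxy CGI interface" is missing the possessive and uses the literal name where the surrounding paragraphs use &my-app;, and "white listed" could be "allowed".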