X-Git-Url: http://www.privoxy.org/gitweb/?a=blobdiff_plain;f=doc%2Fsource%2Fp-config.sgml;h=5eef4d2d2706ddee36c11d9c26860d5e58027c26;hb=d269e47d4fb748b6367f03e8962b04dc4ab86ef5;hp=ba974539df0f024aa0f5ff820acf2c48fbdb9e14;hpb=3f47e92cd5ade006b4911f98d0f24e61048075e6;p=privoxy.git

diff --git a/doc/source/p-config.sgml b/doc/source/p-config.sgml
index ba974539..5eef4d2d 100644
--- a/doc/source/p-config.sgml
+++ b/doc/source/p-config.sgml
@@ -3,7 +3,7 @@
 
  Purpose     :  Used with other docs and files only.
 
- Copyright (C) 2001-2018 Privoxy Developers https://www.privoxy.org/
+ Copyright (C) 2001-2019 Privoxy Developers https://www.privoxy.org/
  See LICENSE.
 
  ========================================================================
@@ -90,7 +90,7 @@
  Sample Configuration File for Privoxy &p-version;
 </title>
 <para>
-Copyright (C) 2001-2018 Privoxy Developers https://www.privoxy.org/
+Copyright (C) 2001-2019 Privoxy Developers https://www.privoxy.org/
 </para>
 
 <literallayout>
@@ -1983,6 +1983,11 @@ ACLs: permit-access and deny-access</title>
     Requests are accepted if the specified trusted-cgi-refer is the prefix
     of the Referer.
    </para>
+   <para>
+    If the trusted source is supposed to access the CGI pages via
+    JavaScript the <link linkend="cors-allowed-origin">cors-allowed-origin</link>
+    option can be used.
+   </para>
    <warning>
     <para>
      Declaring pages the admin doesn't control trustworthy may allow
@@ -1997,6 +2002,74 @@ ACLs: permit-access and deny-access</title>
 <![%config-file;[<literallayout>@@#trusted-cgi-referer http://www.example.org/local-privoxy-control-page</literallayout>]]>
 </sect3>
 
+
+<!--   ~~~~~       New section      ~~~~~     -->
+<sect3 renderas="sect4" id="cors-allowed-origin"><title>cors-allowed-origin</title>
+<variablelist>
+ <varlistentry>
+  <term>Specifies:</term>
+  <listitem>
+   <para>
+    A trusted website which can access &my-app;'s CGI pages through JavaScript.
+   </para>
+  </listitem>
+ </varlistentry>
+ <varlistentry>
+  <term>Type of value:</term>
+  <listitem>
+   <para>URL</para>
+  </listitem>
+ </varlistentry>
+ <varlistentry>
+  <term>Default value:</term>
+  <listitem>
+   <para>Unset</para>
+  </listitem>
+ </varlistentry>
+ <varlistentry>
+  <term>Effect if unset:</term>
+  <listitem>
+   <para>
+    No external sites get access via cross-origin resource sharing.
+   </para>
+  </listitem>
+ </varlistentry>
+ <varlistentry>
+  <term>Notes:</term>
+  <listitem>
+   <para>
+    Modern browsers by default prevent cross-origin requests made
+    via JavaScript to &my-app;'s CGI interface even if &my-app;
+    would trust the referer because it's white listed via the
+    <link linkend="trusted-cgi-referer">trusted-cgi-referer</link>
+    directive.
+   </para>
+   <para>
+    <ulink url="https://en.wikipedia.org/wiki/Cross-origin_resource_sharing"
+     >Cross-origin resource sharing (CORS)</ulink> is a mechanism to allow
+    cross-origin requests.
+   </para>
+   <para>
+    The <quote>cors-allowed-origin</quote> option can be used to specify
+    a domain that is allowed to make requests to Privoxy CGI interface
+    via JavaScript. It is used in combination with the
+    <link linkend="trusted-cgi-referer">trusted-cgi-referer</link>
+    directive.
+   </para>
+   <warning>
+    <para>
+     Declaring domains the admin doesn't control trustworthy may allow
+     malicious third parties to modify Privoxy's internal state against
+     the user's wishes and without the user's knowledge.
+   </para>
+   </warning>
+  </listitem>
+ </varlistentry>
+</variablelist>
+
+<![%config-file;[<literallayout>@@#cors-allowed-origin http://www.example.org/</literallayout>]]>
+</sect3>
+
 </sect2>
 
 <!--  ~  End section  ~  -->