Fix HTTP Access-Control-Allow-Origin header

[psiinon]

If HTTP sites (is not HTTPS ones) use the Access-Control-Allow-Origin header then the site will typically not work.
ZAP should automatically fix this header.
https://stackoverflow.com/questions/61940616/how-do-i-work-with-http-sites-using-the-hud-in-owasps-zap-proxy

[jveldhuijzen]

I'm willing to pick this up.
My plan was to update the Access-Control-Allow-Origin header in onHttpResponseReceive as described in the stackoverflow post.
I'm new to the gradle/java world and do not know how I can best debug this app? Any advice?

[njmulsqb]

Hi @psiinon , what's the status on this issue?

[thc202]

Does not seem to be actively worked on.

[njmulsqb]

Does not seem to be actively worked on.

I can see that @jveldhuijzen has pushed a commit, have you reviewed that?

[thc202]

That's not a pull request (in any case that's not finished, e.g. setting other header).

[psiinon]

For info ZAP already optionally strips out CSP.
The relevant code for this:

• zap-hud/src/main/java/org/zaproxy/zap/extension/hud/HudParam.java

  Line 95 in a6e0af1

  private boolean removeCSP;

• zap-hud/src/main/java/org/zaproxy/zap/extension/hud/OptionsHudPanel.java

  Line 58 in 6b2ab0b

  private JCheckBox removeCsp = null;

• zap-hud/src/main/java/org/zaproxy/zap/extension/hud/ExtensionHUD.java

  Line 440 in 6b2ab0b

  if (this.getHudParam().isRemoveCSP()) {

To fix this issue we'll need to do something similar.

[njmulsqb]

Is this message in HUD tutorial also explaining the current problem?