Firefox, Cross-Origin and AliExpress | Ming Di Leom's Blog


AliExpress login doesn't show up on Firefox when there is a strict cross-origin policy

AliExpress login doesn't show up on Firefox when there is a strict cross-origin referrer policy (i.e. network.http.referer.XOriginPolicy). Here's how to whitelist it.

Background §

Click here to go straight to the workarounds.

Firefox can restrict the referrer to same-host requests only (docs) by setting network.http.referer.XOriginPolicy to 2 in about:config. The values are: 0 sends the Referer on every request (the Firefox default), 1 sends it only when the base domains of the two hosts match, and 2 sends it only when the hosts match exactly. Initially I figured this would break many websites, but to my surprise I have yet to encounter any issue; well, except for AliExpress.

When you try to log in to AliExpress, the login box is just blank. In the new design, the loading wheel just keeps spinning. Right-click the blank login box and select Inspect Element: the login box is an iframe served from https://passport.aliexpress.com. The Web Console (Ctrl + Shift + K) reports an X-Frame-Options error, and the Network panel (Ctrl + Shift + E) shows that the response from https://passport.aliexpress.com carries the HTTP header x-frame-options: SAMEORIGIN. That header is set by the AliExpress server, not by Firefox's XOriginPolicy setting; it tells the browser to render the document in a frame only when the framing page has the same origin (scheme, host and port). The embedding page, https://login.aliexpress.com, is a different origin, so the iframe fails to load.

Edit: After pinpointing the issue to XOriginPolicy, I suspect AliExpress sends the referrer from login to passport for tracking purposes, and passport refuses to be framed when the request arrives with no Referer. With XOriginPolicy set to 2 the two hostnames differ, so Firefox strips the Referer from the iframe request and passport answers with the restrictive header. In other words, the setting does not change any header the browser receives; it removes the Referer that the server apparently keys on.

There are a few options to resolve this.

My Orders §

Edit: This step alone doesn't work anymore; it now also requires resetting the referrer policy. See the next section.

To use the old login page, hover over the Account link at the top right corner and click My Orders. It should redirect to https://login.aliexpress.com/...

Reset referer policy §

Go to about:config, search for "referer", and adjust the following options:

network.http.referer.defaultPolicy;1 (must be 1 or above)
network.http.referer.sendRefererHeader;2

For reference, defaultPolicy takes 0 = no-referrer, 1 = same-origin, 2 = strict-origin-when-cross-origin (the Firefox default) and 3 = no-referrer-when-downgrade; sendRefererHeader takes 0 = never, 1 = only when following a link and 2 = always (the default). Note that same-origin (1) still withholds the Referer on cross-origin requests, so if the login box stays blank, 2 is the value to try. Likewise, if network.http.referer.XOriginPolicy is still 2, the Referer is withheld regardless of these two settings because the login and passport hostnames differ; 1 (base domains must match) is enough to let it through between *.aliexpress.com hosts.

Then hover over the Account link at the top right corner and click My Orders. It should redirect to https://login.aliexpress.com/...

“Ignore X-Frame-Options” extension §

The Ignore X-Frame-Options Firefox extension is a way to whitelist a domain from the restriction. By default, the extension whitelists all domains. This is highly discouraged because it nullifies the security benefit of X-Frame-Options (for example, preventing a banking website from being iframe-d inside a phishing website for clickjacking). Instead, whitelist the login frame only:

https://passport.aliexpress.com/*

That's how the whitelist works in the extension: you add the domain of the iframe, not the domain of the page that embeds it. After you add it to the list, refresh the page and you should see the login. Two caveats: the extension only strips the header from responses your browser receives, so the server's own policy is unchanged for everyone else; and a Content-Security-Policy frame-ancestors directive blocks framing on its own and takes precedence over X-Frame-Options, so a site that sends both stays blocked unless the extension handles CSP as well.

Direct link §

If none of the above work, the last resort is to use the direct link https://login.aliexpress.com/express/mulSiteLogin.htm
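The mechanism behind the Background section and the extension whitelist, as an added example (not code from the original post, from Firefox, from AliExpress or from the extension): it models whether Firefox sends a Referer for the login-to-passport iframe request under each XOriginPolicy value, how X-Frame-Options is then evaluated for the framed response, and what a scoped header-stripping extension changes. Assumptions, also marked in comments: the passport iframe path (the post names only the origin), the server rule (the post's hypothesis that passport answers SAMEORIGIN when no Referer arrives), a last-two-labels base-domain check in place of Firefox's public-suffix comparison, and a match-pattern form reduced to "scheme://host/*".

```javascript
// Added example, not code from the original post, Firefox, AliExpress or the
// extension. Models: (1) Referer decision under
// network.http.referer.XOriginPolicy, (2) X-Frame-Options evaluation for the
// framed response, (3) a scoped "Ignore X-Frame-Options"-style header filter.

const LOGIN_PAGE = "https://login.aliexpress.com/express/mulSiteLogin.htm";
// The post only names the iframe origin; the path "/" is assumed here.
const PASSPORT_FRAME = "https://passport.aliexpress.com/";

// Simplified eTLD+1: keep the last two labels. Firefox consults the public
// suffix list instead; the simplification is exact for *.aliexpress.com.
function baseDomain(hostname) {
  return hostname.split(".").slice(-2).join(".");
}

// XOriginPolicy: 0 = always send, 1 = send only when base domains match,
// 2 = send only when hosts match exactly.
function refererSent(fromUrl, toUrl, xOriginPolicy) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  if (xOriginPolicy === 0) return true;
  if (xOriginPolicy === 1) return baseDomain(from.hostname) === baseDomain(to.hostname);
  if (xOriginPolicy === 2) return from.hostname === to.hostname;
  throw new RangeError(`unknown XOriginPolicy value ${xOriginPolicy}`);
}

// X-Frame-Options check for a response rendered inside a frame. A browser
// compares against every ancestor frame; with one nesting level the top-level
// document is the only ancestor. Values other than DENY and SAMEORIGIN
// (including the obsolete ALLOW-FROM) are ignored by current browsers, so
// they impose no restriction.
function framingAllowed(xfoValue, topUrl, frameUrl) {
  if (xfoValue == null) return true;
  const v = xfoValue.trim().toUpperCase();
  if (v === "DENY") return false;
  if (v === "SAMEORIGIN") return new URL(topUrl).origin === new URL(frameUrl).origin;
  return true;
}

// The post's hypothesis, taken as an assumption for this model: passport
// answers with X-Frame-Options: SAMEORIGIN when the request has no Referer.
function hypothesizedPassportHeaders(refererPresent) {
  const headers = [{ name: "Content-Type", value: "text/html" }];
  if (!refererPresent) headers.push({ name: "X-Frame-Options", value: "SAMEORIGIN" });
  return headers;
}

// Allowlist entries in the extension's form, reduced here to
// "scheme://host/" followed by a trailing '*'. Anything else is rejected so a
// typo cannot silently widen the scope to every site.
function urlAllowlisted(url, allowlist) {
  return allowlist.some((pattern) => {
    const m = /^(https?:\/\/[^/*]+\/)\*$/.exec(pattern);
    if (!m) throw new Error(`unsupported match pattern: ${pattern}`);
    return url.startsWith(m[1]);
  });
}

// What the extension does on webRequest.onHeadersReceived: drop
// X-Frame-Options only for allowlisted URLs. A CSP frame-ancestors directive
// would also have to be removed (it overrides X-Frame-Options when both are
// present); the post does not mention CSP, so only XFO is handled here.
function stripFrameOptions(url, responseHeaders, allowlist) {
  if (!urlAllowlisted(url, allowlist)) return responseHeaders;
  return responseHeaders.filter((h) => h.name.toLowerCase() !== "x-frame-options");
}

// End to end: does the login iframe render for a given Firefox setting and
// extension allowlist?
function loginBoxLoads(xOriginPolicy, allowlist = []) {
  const sent = refererSent(LOGIN_PAGE, PASSPORT_FRAME, xOriginPolicy);
  const headers = stripFrameOptions(PASSPORT_FRAME, hypothesizedPassportHeaders(sent), allowlist);
  const xfo = headers.find((h) => h.name.toLowerCase() === "x-frame-options");
  return framingAllowed(xfo ? xfo.value : null, LOGIN_PAGE, PASSPORT_FRAME);
}

// Registration as a WebExtension background script would do it. This branch
// only runs inside Firefox, with the webRequest, webRequestBlocking and host
// permissions for the listed patterns declared in the manifest.
const EXTENSION_ALLOWLIST = ["https://passport.aliexpress.com/*"];
if (typeof browser !== "undefined" && browser.webRequest) {
  browser.webRequest.onHeadersReceived.addListener(
    (d) => ({ responseHeaders: stripFrameOptions(d.url, d.responseHeaders, EXTENSION_ALLOWLIST) }),
    { urls: EXTENSION_ALLOWLIST, types: ["sub_frame"] },
    ["blocking", "responseHeaders"],
  );
}
```

Running loginBoxLoads(0), loginBoxLoads(1) and loginBoxLoads(2) reproduces the post's observation: only the host-exact policy (2) drops the Referer between login.aliexpress.com and passport.aliexpress.com, and under the assumed server rule that is the case where the frame is refused; loginBoxLoads(2, EXTENSION_ALLOWLIST) shows the scoped extension restoring it without touching responses from any other host.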