Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add Access-Control-Allow-Origin: * to public XPI files #5875

Closed
Rob--W opened this issue Aug 9, 2018 · 16 comments · Fixed by mozilla/addons-server#13765
Closed

Add Access-Control-Allow-Origin: * to public XPI files #5875

Rob--W opened this issue Aug 9, 2018 · 16 comments · Fixed by mozilla/addons-server#13765
Assignees
@diox
Labels
neverstale Use this to tell stalebot to not touch this issue. Should be used infrequently. repository:addons-server Issue relating to addons-server state:verified_fixed
Milestone
2020.03.26

Comments

@Rob--W
Copy link
Member

Rob--W commented Aug 9, 2018
edited by diox
Loading

Describe the problem and steps to reproduce it:

Public XPI files are available at addons.mozilla.org and served (via a redirect) from addons.cdn.mozilla.net. Neither of these endpoints include CORS headers in the response.

For example, send a HEAD request as follows:

$ curl -H 'Origin: example.com' -I https://addons.mozilla.org/firefox/downloads/latest/crxviewer/crxviewer.xpi
$ curl -H 'Origin: example.com' -I 'https://addons.cdn.mozilla.net/user-media/addons/717783/extension_source_viewer-1.6.5-an+fx.xpi'

What happened?

Neither response includes the Access-Control-Allow-Origin: * header.

$ curl -H 'Origin: example.com' -I https://addons.mozilla.org/firefox/downloads/latest/crxviewer/crxviewer.xpi
HTTP/1.1 302 Found
Content-Length: 0
...
Location: https://addons.cdn.mozilla.net/user-media/addons/717783/extension_source_viewer-1.6.5-an+fx.xpi?filehash=sha256%3Abf016976118fcbb0fd299ebdfed530bbc18ecf02e8a9ee296dec6d1ad3fdeb03
...

$ curl -H 'Origin: example.com' -I 'https://addons.cdn.mozilla.net/user-media/addons/717783/extension_source_viewer-1.6.5-an+fx.xpi'
HTTP/1.1 200 OK
Content-Type: application/x-xpinstall
Content-Length: 210657
...

What did you expect to happen?

Both responses should include the Access-Control-Allow-Origin: * header, at least for publicly listed add-ons.

Anything else we should know?

I have an add-on to view the source code of extensions: https://github.com/Rob--W/crxviewer
Firefox has started to prevent extensions from sending requests to AMO unless CORS is enabled: https://bugzilla.mozilla.org/show_bug.cgi?id=1450649

To avoid the need for an intermediate proxy, the XPI files have to be served with the Access-Control-Allow-Origin: * header.

(This is distinct from #5649, which request CORS responses for authenticated API endpoints. I want CORS for XPI files without authentication).

(edit by @diox: add -H Origin: example.com to requests in STR)
@diox
Copy link
Member

diox commented Aug 9, 2018

Note: like with #5649 it's likely this would need to be done on the ops side

@wagnerand
Copy link
Member

Paging @bqbn, @autrilla.

@stale

This comment has been minimized.

Sign in to view
@stale stale bot added the state:stale Issues marked as stale. These can be re-opened should there be plans to fix them. label Sep 6, 2019
@Rob--W

This comment has been minimized.

Sign in to view
@stale stale bot removed the state:stale Issues marked as stale. These can be re-opened should there be plans to fix them. label Sep 6, 2019
@stale

This comment has been minimized.

Sign in to view
@stale stale bot added the state:stale Issues marked as stale. These can be re-opened should there be plans to fix them. label Mar 4, 2020
@Rob--W

This comment has been minimized.

Sign in to view
@stale stale bot removed the state:stale Issues marked as stale. These can be re-opened should there be plans to fix them. label Mar 4, 2020
@diox diox added the neverstale Use this to tell stalebot to not touch this issue. Should be used infrequently. label Mar 4, 2020
@diox
Copy link
Member

diox commented Mar 4, 2020

Since it's an op issue, Rob, do you mind filing a bugzilla bug in
Cloud Services / Operations: AMO ? Cc me on that and I'll get it moving.

@Rob--W
Copy link
Member Author

Rob--W commented Mar 4, 2020

Done: https://bugzilla.mozilla.org/show_bug.cgi?id=1620084

@Rob--W
Copy link
Member Author

Rob--W commented Mar 5, 2020

:wezhou asked whether we should add the header to both AMO and the CDN in the bug. I'd say yes to the CDN, but no for AMO. Adding the header in AMO itself seems to be quite straightforward:

Public addons are available on the CDN:

https://github.com/mozilla/addons-server/blob/b0f6f466cd63d3957152ecc6177e36fbe8af99f1/src/olympia/versions/views.py#L88-L91

When both of the above conditions are true (i.e. the xpi is fully public), then this issue would be fixed by adding the Access-Control-Allow-Origin: * header here:

https://github.com/mozilla/addons-server/blob/b0f6f466cd63d3957152ecc6177e36fbe8af99f1/src/olympia/versions/views.py#L107-L109

@diox diox self-assigned this Mar 5, 2020
@diox
Copy link
Member

diox commented Mar 5, 2020

Yeah I'll deal with the AMO side in code.

@bqbn
Copy link
Contributor

bqbn commented Mar 5, 2020

The CDN should be using whatever header the app returns, which is to say if the app returns that header for addons that satisfy https://github.com/mozilla/addons-server/blob/b0f6f466cd63d3957152ecc6177e36fbe8af99f1/src/olympia/versions/views.py#L88-L91
then the CDN should do too.

We can verify if that's the case once the fix lands for the app.

@diox
Copy link
Member

diox commented Mar 5, 2020
edited
Loading

We redirect to the CDN (or sometimes directly link to it), and it's serving from nginx, bypassing the app completely.

Example with ublock origin:

@diox diox modified the milestones: 2020.03.19, 2020.03.26 Mar 12, 2020
@diox diox mentioned this issue Mar 18, 2020
Merged
@Rob--W
Copy link
Member Author

Rob--W commented Mar 18, 2020

Thanks for fixing this @diox! When https://bugzilla.mozilla.org/show_bug.cgi?id=1620084 is fixed and AMO is updated, I can update my crxviewer so that the online version becomes equally fast as the extension version, at least for Firefox addons :)

@diox
Copy link
Member

diox commented Mar 18, 2020

Sorry it took so long for something so trivial :) It dropped from my radar and I just caught it because of the stale notification...

@AlexandraMoga
Copy link

@diox
I can see Access-Control-Allow-Origin: * in the response header for the following request:

curl -H 'Origin: example.com' -I https://addons-dev.allizom.org/firefox/downloads/latest/bookmarks-organizer/bookmarks_organizer-3.0.1-fx.xpi

but I'm not seeing it for this request:

curl -H 'Origin: example.com' -I https://addons-dev-cdn.allizom.org/user-media/addons/502867/bookmarks_organizer-3.0.1-fx.xpi

@diox
Copy link
Member

diox commented Mar 23, 2020

@AlexandraMoga that second request will be covered by https://bugzilla.mozilla.org/show_bug.cgi?id=1620084 (it requires ops involvement)

@Rob--W Rob--W mentioned this issue May 17, 2020
Open
@KevinMind KevinMind transferred this issue from mozilla/addons-server May 4, 2024
@KevinMind KevinMind added repository:addons-server Issue relating to addons-server migration:2024 labels May 4, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@diox diox

Labels
neverstale Use this to tell stalebot to not touch this issue. Should be used infrequently. repository:addons-server Issue relating to addons-server state:verified_fixed
Projects
None yet
Milestone
2020.03.26
Development

Successfully merging a pull request may close this issue.

Add Access-Control-Allow-Origin: * to download views diox/olympia
6 participants
@diox @wagnerand @Rob--W @bqbn @KevinMind @AlexandraMoga