Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix CORS issues in FireFox #2138

Merged
merged 3 commits into from
Oct 2, 2017
Merged

Fix CORS issues in FireFox #2138

merged 3 commits into from
Oct 2, 2017

Conversation

sunify
Copy link
Contributor

@sunify sunify commented Sep 21, 2017

Fixes #1779

Looks like Firefox requires adding all HTTP addresses to manifest.json, so I added addresses for rinkeby, kovan, ropsten and mainnet.

Verified on:
https://dapp.acebusters.com
http://registrar.ens.domains/

@sunify sunify mentioned this pull request Sep 21, 2017
Closed
@kumavis
Copy link
Member

kumavis commented Sep 21, 2017

This isnt really a CORS issue is it? CORS headers are (afaik) correctly set in infura responses.
Does firefox not allow any requests from extensions to domains not allowed? can we find a reference on MDN for this?

@Zanibas will need to add the conversion rate api as well

i wonder if you can do second level wildcard: *.infura.io

@kumavis kumavis added P2-sooner area-provider Relating to the provider module. and removed P2-sooner labels Sep 21, 2017
@sunify
Copy link
Contributor Author

sunify commented Sep 21, 2017

See Host permissions https://developer.mozilla.org/en-US/Add-ons/WebExtensions/manifest.json/permissions

You are right about wildcard, will update asap.

Also, will add https://api.cryptonator.com (there are no issues with conversion, just for consistency).

@kumavis
Copy link
Member

kumavis commented Sep 22, 2017 

Host permission

The extra privileges include:

XMLHttpRequest and fetch access to those origins without cross-origin restrictions (even for requests made from content scripts)
the ability to inject scripts programmatically (using tabs.executeScript) into pages served from those origins
the ability to receive events from the webRequest API for these hosts
the ability to access cookies for that host using the cookies API, as long as the "cookies" API permission is also included.
bypass tracking protection if the host is a full domain without wildcards. Doesn't work with <all_urls>.

so for:

XMLHttpRequest and fetch access to those origins without cross-origin restrictions (even for requests made from content scripts)

However CORS headers should be set correctly by infura
Perhaps its the x-metamask-origin custom header.
We encountered this issue with mascara.

@kumavis
Copy link
Member

kumavis commented Sep 22, 2017

reaching out to infura team...

@kumavis
Copy link
Member

kumavis commented Sep 26, 2017

@tmashuang did you verify its working correctly after infura's changes?

@tmashuang
Copy link
Contributor

tmashuang commented Sep 26, 2017
edited
Loading

The main issue on Firefox that this solves is viewing tokens. Even after the Infura headers view tokens is still not visible in Firefox. I am in favour of these additions for Firefox.

@interfect interfect mentioned this pull request Oct 2, 2017
Closed
@sunify
Copy link
Contributor Author

sunify commented Oct 2, 2017

@tmashuang @kumavis any updates?

This was referenced Oct 2, 2017
Merged
Closed
@kumavis kumavis mentioned this pull request Oct 2, 2017
Closed
tmashuang
tmashuang approved these changes Oct 2, 2017
View reviewed changes
Copy link
Contributor

@tmashuang tmashuang left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixes Firefox failing fetch resource #1779

@tmashuang tmashuang merged commit 1769f88 into MetaMask:master Oct 2, 2017
@sunify sunify deleted the fix-firefox-cors branch October 2, 2017 21:42
@tmashuang tmashuang mentioned this pull request Oct 9, 2017
Closed
@reyronald reyronald mentioned this pull request Apr 10, 2018
Merged
2 tasks
@bdresser bdresser mentioned this pull request Jul 5, 2018
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tmashuang tmashuang tmashuang approved these changes

Assignees
No one assigned
Labels
area-provider Relating to the provider module.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@sunify @kumavis @tmashuang @2-am-zzz