-
Notifications
You must be signed in to change notification settings - Fork 134
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
error: CORS request did not succeed #306
Comments
Seems #284 pull request is being relevant to this issue. Also, using this extension on Firefox I was able to bypass CORS limitations and successfully get correct answer from the server using the function typed above. Without the extension, CORS configuration fails at the same error as well. So the current workaround (client-side) would be to bypass the CORS configuration the same way the extension does. As VSCode and VSCodium are Electron-based, even the same extension could be injected into VSCodium as a proof of concept (or even analyze the extension and develop similar method of bypassing CORS, as following extension has it's code non-minified and well commented published on GitHub). EDIT: I've read VSCodium issues and actually forgot about Chromium flags, so it is much simplier just to use flag with |
@SpacingBat3 thanks for the feedback For the It's a server's configuration issue and from the client standpoint, the main components haven't much changed from
|
Queries on |
I'm unable to check for extension upgrades in version Here's the error message in the developer tools: The error message makes me think some important header is missing in the response from open-vsx.org, which is why I came here instead of the archlinux bugtracker. |
@jotoho I've checked |
Is it possible to retry this now? |
Still the same. With both |
Checking for updates still fails for me with the same error message |
@daiyam Maybe some change to a dependency of |
@jotoho I don't think so since the code/example is working with the url VSCode is using the built-in |
@daiyam I don't really understand your tests in the opening post, since I am unfamiliar with the technologies but when I was talking about my suspicion regarding headers I meant the headers sent by the server with the http response and not the headers the client sets. Would it not be possible that Or am I missing something huge? Like I said, I'm no expert on these apis. |
If I run the code on Firefox, I get: Content Security Policy: The page’s settings blocked the loading of a resource at https://marketplace.visualstudio.com/_apis/public/gallery/extensionquery (“default-src”). debugger eval code:15:4 |
I've tested buth URLs with curl, as I am not a developer.
If my request does not specify an Origin: header, both sites (https://marketplace.visualstudio.com/_apis/public/gallery/extensionquery and https://open-vsx.org/vscode/gallery/extensionquery) do not return a access-control-allow-origin header. If my request DOES specify an Origin header, both sites return a access-control-allow-origin header. From where I sit, I'm not sure what the expected output is. |
@eclipsewebmaster I run it in the console |
Even without the
I will check again if I haven't missed something... |
@eclipsewebmaster, try to open DevTools on blank page instead opening it on the random ones – most sites has CSP header specified and blocks request from sites outside of it. On Firefox, that would be |
I know only basics about CORS... but I was able to see (in Firefox) that before the actual POST request, there is an OPTIONS request. A quick google, I got this: https://developer.mozilla.org/en-US/docs/Glossary/Preflight_request
For
There is For
No It's matching the error we are getting. |
@eclipsewebmaster seems that |
@daiyam I just want to say |
Also @daiyam shouldn't this issue be reopened at EclipseFdn/open-vsx.org? I think this is an issue due to server configuration and issues in OpenVSX repository should about the OpenVSX in general, affecting both open-vsx.org and other marketplaces based on OpenVSX (which could have different server configuration that properly sets CORS). This is what
|
I've added the header to the OPTIONS response. Try now? |
@eclipsewebmaster Checking for updates still fails for me but the error message is different: |
That could be an issue with the actual server component, as we don't mangle with Access-control-Allow-Headers at the accelerator/cache level. |
I'm getting the following error in Firefox:
As mentioned by @SpacingBat3, |
Seems like something have been changed from client side to validate the CORS policy. I will check that. If I have time, I will check how to configure CORS with Spring. It's been years that I haven't any Java dev and much more with Spring... |
LOL. Starting the project on Gitpod, I get the same error...
|
@eclipsewebmaster The
When
When removed, I get:
So the server component seems fine. Not sure what's going on... |
Still an issue
|
Since |
Please do something about this issue. It has effectively rendered the marketplace in open-source builds of VSCode unusable. If the whole "open marketplace" experiment does not work out, users will have no choice but to go back to proprietary builds of VSCode. |
Some unforeseen circumstances have delayed us from fixing this, but please be aware that it is the number 1 priority for us with Open VSX now and will proceed from there. |
@brianking Thank you |
Proposal (please thumbs up if it looks valid)We could implement a cors proxy inside the extension and change the url to use that this will bypass cors only for this extension. |
@frank-dspeed Today, I was also thinking about a cors proxy until I found out a mistake in my testings. When fixed, my patch was working... So |
@daiyam sure but then still the problem exists inside web theia deployments for example so you also think that cors is a valid solution ? |
@frank-dspeed Yes, the CORS requests need to be correctly handled. |
We've made a temporary change via EclipseFdn/open-vsx.org#633 -- does that help? |
@eclipsewebmaster are the changes live? I am still getting cors issues: |
@eclipsewebmaster here's a Bash command that inspects headers for the public instance of Open VSX: curl \
--dump-header - \
--header 'Content-Type: application/json' \
--header 'Origin: https://some-domain.com' \
--data '{"extensionId":"patate"}' \
--request POST 'https://open-vsx.org/api/-/query' \
--stderr /dev/null | \
grep -i 'Access-Control-Allow-Origin' As long as edit: Hopefully this helped you enough despite being wrong... |
Thank you, that is helpful. |
@paul-marechal Are you sure? If I post a valid extension, I (now) get the valid header: $ curl --dump-header - --header 'Content-Type: application/json' --data '{"extensionId":"redhat.vscode-xml"}' --request POST 'https://open-vsx.org/api/-/query' If I search for an invalid extension, I don't get the header(s) added by the proxy: |
@spoenemann it appears the server itself is not returning the header when no origin is specified. From the nginx reverse-proxy: curl --insecure --dump-header - --header "Host: open-vsx.org" --header 'Content-Type: application/json' --data '{"extensionId":"redhat.vscode-xml"}' --request POST 'https://okdnode-1/api/-/query' If I specify an Origin, I get the header: Those responses are untouched by the proxy, direct from the open-vsx server |
I've got the header to apear even for 400 responses: $ curl --dump-header - --header 'Content-Type: application/json' --data '{"extensionId":"patate"}' --request POST 'https://open-vsx.org/api/-/query' Please confirm if this helps. |
Everything looks to be working in my vscode install. :) |
Thanks. To reiterate, @spoenemann it appears the server itself is not returning the access-control-allow-origin: * header when no Origin is specified (please see earlier comments). |
@eclipsewebmaster yes, that's normal. |
@eclipsewebmaster I expected the server to respond with Testing now from different origins seems to work fine: the According to https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin#directives the edit: Testing now I see that without an |
@Jsmond2016 It looks like you are accessing the official Visual Studio Marketplace. Which client are you using? VSCodium? |
|
@eclipsewebmaster this is the default behavior implemented by Spring, and in my understanding it's the correct behavior. It's the responsibility of the web browser to include an Origin header and check the response headers when a request is sent to a different domain via JS API. |
Seems to work now, see EclipseFdn/open-vsx.org#633 |
Hi,
VSCodium-1.58.0
is getting an error message when loading the list of extensions from open-vsx.org.After debugging, I've reduced the code used to its minimal form so we can test it in the browser(Firefox is consistent unlike Chrome):
I'm getting:
If you change the url to
https://marketplace.visualstudio.com/_apis/public/gallery/extensionquery
, there is no more errors.The text was updated successfully, but these errors were encountered: