Closed Bug 530051 Opened 15 years ago Closed 15 years ago

Allow cross-site requests to BzAPI

Categories

(Webtools Graveyard :: BzAPI, defect)

Product:
Webtools Graveyard
Component:
BzAPI
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: gerv, Assigned: gerv)

References

(
URL
)

Details

E.g. OPTIONS.

This is because we set it manually on the responses we handle, and the framework handles OPTIONS for us. So I need to figure out how to hook in deeper to add it to all responses.

Gerv
Fixed in changeset c1b7a7233b55. Although there were more problems too, specifically with JSON and the framework and empty response bodies. So I worked around those too.

Look for this fix in 0.3.

Gerv
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Do you have an ETA on 0.3? I wonder if it's worth spending my time hacking on a workaround or not.
I'll have something for you (if not for the rest of the world :-) by the end of tomorrow. Is that quick enough? Which servers are you working against - b.m.o. stage or both?

Gerv
End of tomorrow is good enough, and I'm working against bmo.
Sorry, reopening. I still can't talk through, and I'm taking guesses as to why:

In our code [1], I see checks for "Access-Control-Allow-Methods" in preflight requests (aka the OPTIONS one) for GET or POST matching the actual request, but the header I get from the API only lists "Allow", https://developer.mozilla.org/En/HTTP_Access_Control#Access-Control-Allow-Methods has more on that header. Not sure if you need to expose the headers, too.

I've uploaded my page at http://people.mozilla.com/~axel/Localization%20bugs.html for testing.

[1] http://mxr.mozilla.org/mozilla1.9.2/source/content/base/src/nsCrossSiteListenerProxy.cpp#280
URL: http://people.mozilla.com/~axel/Local...
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Looks like I need to go and read the spec properly instead of guessing, then :-)

I'll make this P1 tomorrow morning, and issue an update to 0.3.

Gerv
Summary: BzAPI doesn't set Access-Control-Allow-Origin: * on all responses → Allow cross-site requests to BzAPI
OK, so here's the problem. Normally the GET request your code makes would be considered a "simple" request and not require OPTIONS pre-flighting. However, JQuery adds a custom "X-Requested-With" header to the request, which makes it not "simple" any more. So its gets preflighted. Commenting out the line in jquery.js (3409) which adds this header makes the request get sent directly.
http://dev.jquery.com/ticket/4858

Incidentally, the query you are trying to do (all bugs in "Mozilla Localizations") returns 4668 bugs and takes 48 seconds to run when run on Bugzilla directly. So don't expect the API to be any quicker than that, because at the moment the implementation just asks for the bugs and counts the returned rows.

This, of course, doesn't change the fact that complex queries, i.e. ones which require preflighting, _are_ broken. As you say, the spec also requires the Access-Control-Allow-Methods header. I will issue an update to 0.3 supplying this header, and that will resolve this bug. I'll also allow that custom header so unmodified JQuery works.

Gerv
Oh, and the code at the URL you gave in comment 5 now works :-)

Gerv
Fixed in changeset ab869aea33bc.

Gerv
Status: REOPENED → RESOLVED
Closed: 15 years ago15 years ago
Resolution: --- → FIXED
Product: Webtools → Webtools Graveyard
You need to log in before you can comment on or make changes to this bug.