Closed Bug 1098291 Opened 8 years ago Closed 8 years ago

OPTION response for CORS requests to REST doesn't allow X-Requested-With

Categories

(Bugzilla :: WebService, defect)

defect
Not set
normal

Tracking

RESOLVED FIXED
Bugzilla 5.0

People

(Reporter: Pike, Assigned: dkl)

Attachments

(1 file)

I'm trying to convert one of my older dashboards to https://bugzilla.mozilla.org/bzapi/, and it's stuck on the response to the preflight OPTION request for a CORS request.

One difference I see is that the old server responds with a non-zero length plain text response (Content-Type text/html is not supported.), whereas the new server responds with a 0 length html response. No idea if that has anything to do with it.

The reason my old dashboards trigger preflight is that they're sending an

X-Requested-With: XMLHttpRequest

header.

I don't suppose you could give some curl comparisons between the two endpoints?
Firefox's devtools netmonitor tool has a "Copy as cURL" command on the context menu.
Obviously remove anything sensitive like passwords or cookie tokens.
kochbuch:tmp ahecht$ curl 'https://api-dev.bugzilla.mozilla.org/1.3/bug?blocks=585992&resolution=---&include_fields=id%2Cproduct%2Ccomponent%2Csummary' -X OPTIONS -H 'Host: api-dev.bugzilla.mozilla.org' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:33.0) Gecko/20100101 Firefox/33.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H 'Accept-Language: de,en-US;q=0.7,en;q=0.3' -H 'Accept-Encoding: gzip, deflate' -H 'Origin: http://pike.github.io' -H 'Access-Control-Request-Method: GET' -H 'Access-Control-Request-Headers: x-requested-with' -H 'Connection: keep-alive' -H 'Cache-Control: max-age=0' -D api-dev
Content-Type text/html is not supported.

kochbuch:tmp ahecht$ curl 'https://bugzilla.mozilla.org/bzapi/bug?blocks=585992&resolution=---&include_fields=id%2Cproduct%2Ccomponent%2Csummary' -X OPTIONS -H 'Host: bugzilla.mozilla.org' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:33.0) Gecko/20100101 Firefox/33.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H 'Accept-Language: de,en-US;q=0.7,en;q=0.3' -H 'Accept-Encoding: gzip, deflate' -H 'Origin: null' -H 'Access-Control-Request-Method: GET' -H 'Access-Control-Request-Headers: x-requested-with' -H 'Connection: keep-alive' -H 'Cache-Control: max-age=0' -D bmo

kochbuch:tmp ahecht$ cat api-dev bmo 
HTTP/1.1 200 OK
Date: Thu, 13 Nov 2014 14:32:41 GMT
Server: Apache
Allow: GET
Allow: POST
Content-Length: 42
Access-Control-Allow-Headers: x-requested-with
Access-Control-Allow-Methods: GET
Access-Control-Allow-Methods: POST
Access-Control-Allow-Origin: *
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/plain

HTTP/1.1 200 OK
Server: Apache
X-Backend-Server: web4.bugs.scl3.mozilla.com
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Encoding: gzip
Strict-transport-security: max-age=31536000; includeSubDomains
Date: Thu, 13 Nov 2014 14:33:51 GMT
Keep-Alive: timeout=5, max=1000
X-xss-protection: 1; mode=block
Transfer-Encoding: chunked
Access-control-allow-origin: *
X-content-type-options: nosniff
Etag: dtyhIICSJRYsgIErjZVgBw
Connection: Keep-Alive
X-frame-options: SAMEORIGIN
Allow: GET, POST
Access-control-allow-headers: origin, content-type, accept
Access-control-allow-methods: GET, POST



.... Seems that 
Access-Control-Allow-Headers: x-requested-with
is not on bmo.
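
The comparison drawn in the comment above, as an added example that is not part of the original bug thread or of Bugzilla's code: a simplified version of the browser's preflight check, run over the CORS-relevant lines of the two header dumps. The function names are hypothetical, and a non-credentialed request is assumed.

```javascript
// Trimmed copies of the CORS-relevant lines from the two `curl -D` dumps above.
const API_DEV = `HTTP/1.1 200 OK
Access-Control-Allow-Headers: x-requested-with
Access-Control-Allow-Methods: GET
Access-Control-Allow-Methods: POST
Access-Control-Allow-Origin: *`;

const BMO = `HTTP/1.1 200 OK
Access-control-allow-origin: *
Access-control-allow-headers: origin, content-type, accept
Access-control-allow-methods: GET, POST`;

// Parse a raw header dump into a Map keyed by lower-cased header name.
// Repeated headers are combined into one comma-separated list.
function parseHeaders(raw) {
  const headers = new Map();
  for (const line of raw.split(/\r?\n/).slice(1)) { // slice(1) skips the status line
    const idx = line.indexOf(":");
    if (idx < 1) continue;
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    headers.set(name, headers.has(name) ? `${headers.get(name)}, ${value}` : value);
  }
  return headers;
}

// Split a comma-separated header value into lower-cased tokens.
const tokens = (v) => (v || "").split(",").map((t) => t.trim().toLowerCase()).filter(Boolean);

// Return the reasons a non-credentialed preflight would be rejected (empty = passes).
function preflightFailures(raw, { origin, method, requestHeaders }) {
  const h = parseHeaders(raw);
  const failures = [];
  const allowOrigin = h.get("access-control-allow-origin");
  if (allowOrigin !== "*" && allowOrigin !== origin) failures.push("origin not allowed");
  const m = method.toLowerCase();
  const methods = tokens(h.get("access-control-allow-methods"));
  const safelisted = ["get", "head", "post"]; // accepted even when not listed
  if (!methods.includes(m) && !methods.includes("*") && !safelisted.includes(m))
    failures.push(`method ${method} not allowed`);
  const allowed = tokens(h.get("access-control-allow-headers"));
  for (const name of requestHeaders.map((n) => n.toLowerCase()))
    if (!allowed.includes(name) && !allowed.includes("*")) failures.push(`header ${name} not allowed`);
  return failures;
}

const request = { origin: "http://pike.github.io", method: "GET", requestHeaders: ["X-Requested-With"] };
console.log("api-dev:", preflightFailures(API_DEV, request));
console.log("bmo:    ", preflightFailures(BMO, request));
```
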
Blocks: 1098342
Flags: needinfo?(dkl)
Assignee: nobody → dkl
Status: NEW → ASSIGNED
Flags: needinfo?(dkl)
Attached patch 1098291_1.patch
Attachment #8539527 - Flags: review?(glob)
this looks like an upstream issue; moving.
Component: Extensions: BzAPI Compatibility → WebService
Product: bugzilla.mozilla.org → Bugzilla
QA Contact: default-qa
Summary: OPTION response for CORS requests to https://bugzilla.mozilla.org/bzapi/ doesn't pass → OPTION response for CORS requests to REST doesn't allow X-Requested-With
Target Milestone: --- → Bugzilla 5.0
Version: Production → unspecified
Comment on attachment 8539527
1098291_1.patch

Review of attachment 8539527:
-----------------------------------------------------------------

r=glob
Attachment #8539527 - Flags: review?(glob) → review+
Flags: approval5.0+
Flags: approval+
To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git
   be26c11..b290e22  master -> master

To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git
   1d1bb36..21cfe12  5.0 -> 5.0
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED