Closed
Bug 1104371
Opened 11 years ago
Closed 10 years ago
Adjust CORS in Marketplace API for fxpay library
Categories
(Marketplace Graveyard :: Payments/Refunds, defect, P3)
Tracking
(Not tracked)
VERIFIED
FIXED
2015-02-17
People
(Reporter: kumar, Assigned: kumar)
References
Details
The fxpay never used CORS correctly. It specified {mozSystem: true} which meant it was immune to CORS problems. The API in zamboni needs a few minor tweaks to enable CORS and so we can remove {mozSystem: true}. I think it just needs to allow the x-fxpay-version request header.
|
Assignee | |
Updated•11 years ago
|
Assignee: nobody → kumar.mcmillan
|
||
Updated•11 years ago
|
Priority: -- → P3
|
|
Assignee | |
Comment 1•11 years ago
|
||
proposed patch https://github.com/mozilla/zamboni/pull/2751
|
|
Assignee | |
Comment 2•11 years ago
|
||
Zamboni API changes have landed ^
Next, fxpay needs a few minor adjustments
|
|
Assignee | |
Comment 3•11 years ago
|
||
Caught a few more zamboni issues: https://github.com/mozilla/zamboni/pull/2754
|
|
||
Updated•11 years ago
|
Target Milestone: --- → 2014-12-30
|
|
Assignee | |
Comment 4•11 years ago
|
||
This isn't actually a blocker for desktop payments because by default cross origin requests are allowed. If an app implements CSP (which we should encourage) then we'll need to fix these CORS issues.
This bug will make desktop apps *more secure* but is not necessary for basic functionality.
I got really bogged down on this so I need to set it aside. Here are my WiP patches:
https://github.com/kumar303/fxpay/compare/pkg-cors
https://github.com/kumar303/zamboni/compare/dev-cors
|
|
Assignee | |
Comment 5•11 years ago
|
||
Fixed debhub receipts: https://github.com/mozilla/zamboni/pull/2786
|
|
Assignee | |
Comment 6•11 years ago
|
||
(In reply to Kumar McMillan [:kumar] (needinfo for quickness) from comment #4)
> This isn't actually a blocker for desktop payments because by default cross
> origin requests are allowed.
Feel free to tell me I'm completely wrong anywhere here :-) I've been confused by some CORS behavior but so far it doesn't seem to be a blocker on desktop.
|
|
Assignee | |
Comment 7•11 years ago
|
||
this doesn't seem to be blocking desktop payments. We should still fix it though.
Target Milestone: 2014-12-30 → ---
|
|
Assignee | |
Comment 8•10 years ago
|
||
Niiiice. I just removed mozSystem:true from fxpay and CORS seems to be working in all our APIs. I used a packaged app and tested the following:
* I purchased a simulated item on Dev, restarted, and made sure the receipt validated.
* I purchased a real item on Dev, restarted, and checked receipt validation
fxpay changes: https://github.com/mozilla/fxpay/pull/71
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → 2015-02-17
|
|
Assignee | |
Comment 9•10 years ago
|
||
For QA, it would be helpful if you could regression test in-app products in case I missed something. The general STR are:
- install a packaged app that uses fxpay for in-app products
- make a purchase
- restart the app so that the purchase is restored from receipt
What should happen:
- all parts of the app should function without errors
What was happening before this patch:
- some API calls--such as listing products, beginning a purchase, or restoring a receipt--were failing because they were attempting to make a cross-domain request. I think the XHR would fail would status 0 but I forget exactly.
|
||
Comment 10•10 years ago
|
||
Verified as fixed.
Closing bug.
|
|
||
Updated•10 years ago
|
Status: RESOLVED → VERIFIED
You need to log in
before you can comment on or make changes to this bug.
Description
•