Closed Bug 1175674 Opened 10 years ago Closed 9 years ago

CORS failure doesn't give enough details

Categories

(DevTools :: Console, defect)

ARM
Gonk (Firefox OS)
defect
Not set
normal

Tracking

(firefox41 affected)

RESOLVED WORKSFORME
Tracking Status
firefox41 --- affected

People

(Reporter: Harald, Unassigned)

Details

Tested on

Serial: YT9112CRGD (State: device)
Build ID 20150616235851
Gaia Revision f36b1c0a4fad5d64c4c8e52ac2ac525632a8e673
Gaia Date 2015-06-16 21:53:30
Gecko Revision 3c3d7b9c02a81114bb27142eb1a4fc177709217b
Gecko Version 41.0a1
Device Name aries
Firmware(Release) 4.4.2
Firmware(Incremental) eng.worker.20150616.234403
Firmware Date Tue Jun 16 23:44:13 UTC 2015
Bootloader s1

Install Tanx via Marketplace: https://marketplace.firefox.com/app/tanx/ (or via WebIDE: http://apps.playcanvas.com.s3-website-eu-west-1.amazonaws.com/aW9A2i70/manifest.webapp)

Result: The game loads but never joins a game because the CORS WebSocket fails.

Security Warning: Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://tanx.playcanvas.com/socket/info. (Reason: CORS request failed).

Network Inspector: https://cloudup.com/cqyQiZ8-RGG doesn't show any response headers.

None of the details really explains why CORS failed.
To add, there is a discrepancy as the app works on Desktop when loading the aws site directly. This needs to be debugged on a phone. ni? on Jeff to add the right people.
Flags: needinfo?(jgriffiths)
Cc'ing Stephen and Christoph. Stephen: it looks like b2g behaves differently than desktop wrt providing reliable / actionable error messages for CORS problems. Is this a known limitation?
Flags: needinfo?(jgriffiths) → needinfo?(sworkman)
I'm not aware of this. Paul manages the FxOS Sec team and might know more.
Flags: needinfo?(sworkman) → needinfo?(ptheriault)
You can get a little more info from logcat ("adb logcat"). I just installed and tried it and this is what I got:

E/GeckoConsole( 318): [JavaScript Error: "tanx.playcanvas.com:443 uses an invalid security certificate.
E/GeckoConsole( 318):
E/GeckoConsole( 318): The certificate is not trusted because the issuer certificate is unknown.
E/GeckoConsole( 318): The server might not be sending the appropriate intermediate certificates.
E/GeckoConsole( 318): An additional root certificate may need to be imported.
E/GeckoConsole( 318):
E/GeckoConsole( 318): (Error code: sec_error_unknown_issuer)
E/GeckoConsole( 318): "]
W/TANX ( 3744): [JavaScript Warning: "Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://tanx.playcanvas.com/socket/info. (Reason: CORS request failed)."]

I wonder if they are related. But it works on Firefox Desktop nightly (and I tested in a nightly FxOS device build) and didn't see that cert error. There are warnings for a sha-1 cert but not sure why the two nightlies would differ here.

So I'm afraid I can't help much other than to suggest that you proxy the traffic and see what's going on. There is some info on how to set a proxy on a device here: https://developer.mozilla.org/en-US/Firefox_OS/Debugging/Intercepting_traffic_using_a_proxy#On_a_device
Flags: needinfo?(ptheriault)
Since security gives additional details, shouldn't the devtools console show these in the security warning?
Flags: needinfo?(ptheriault)
(In reply to Harald Kirschner :digitarald from comment #5)
> Since security gives additional details, shouldn't the devtools console show
> these in the security warning?

I don't know - might be something to do with remote debugging vs local debugging?
Flags: needinfo?(ptheriault)
(In reply to Paul Theriault [:pauljt] from comment #6)
> (In reply to Harald Kirschner :digitarald from comment #5)
> > Since security gives additional details, shouldn't the devtools console show
> > these in the security warning?
>
> I don't know - might be something to do with remote debugging vs local
> debugging?

I wonder if Ryan has some insight on what might be preventing the message from getting through.
Flags: needinfo?(jryans)
(In reply to Jeff Griffiths (:canuckistani) from comment #7)
> (In reply to Paul Theriault [:pauljt] from comment #6)
> > (In reply to Harald Kirschner :digitarald from comment #5)
> > > Since security gives additional details, shouldn't the devtools console show
> > > these in the security warning?
> >
> > I don't know - might be something to do with remote debugging vs local
> > debugging?
>
> I wonder if Ryan has some insight on what might be preventing the message
> from getting through.

I think this is an artifact of how cert security is logging the error. It's likely not being routed to the console in the usual way. So, there's likely a C++ change to be made to improve that.

In my testing with the 3.0 simulator, if I:

1. Install as a hosted app using the manifest in WebIDE
2. Start the app
3. Connect the toolbox quickly so network traffic is recorded

then in the Network tab, I *do* see a failed request for https://tanx.playcanvas.com/socket/info, which is the first request to that domain.

If I go to the Security tab for the request, then it does indeed show the detailed error that ADB also shows:

"tanx.playcanvas.com uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported. (Error code: sec_error_unknown_issuer)"

Here are some other things I noticed:

* Running the game inside the 3.0 simulator's browser works fine, just like it does on desktop

So, something about running as an app is causing a security failure.
Flags: needinfo?(jryans)
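Added example (not part of the bug thread and not Mozilla code): a small Python parser for `adb logcat` output like the lines quoted above. It rejoins the multi-line GeckoConsole entries and pairs each "CORS request failed" warning with any certificate error logged earlier for the same host. The sample lines are constructed from the output in this thread, the host `api.example.test` is made up, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Constructed sample modelled on the logcat output in this thread; api.example.test is made up.
SAMPLE = '''\
E/GeckoConsole( 318): [JavaScript Error: "tanx.playcanvas.com:443 uses an invalid security certificate.
E/GeckoConsole( 318):
E/GeckoConsole( 318): The certificate is not trusted because the issuer certificate is unknown.
E/GeckoConsole( 318): (Error code: sec_error_unknown_issuer)
E/GeckoConsole( 318): "]
W/TANX ( 3744): [JavaScript Warning: "Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://tanx.playcanvas.com/socket/info. (Reason: CORS request failed)."]
W/OTHER ( 3750): [JavaScript Warning: "Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://api.example.test/v1. (Reason: CORS request failed)."]
'''

LINE = re.compile(r'^[VDIWEF]/(?P<tag>[^(]+?)\s*\(\s*(?P<pid>\d+)\):\s?(?P<msg>.*)$')
CERT = re.compile(r'^\[JavaScript Error: "(?P<host>[^\s:"]+)(?::\d+)? uses an invalid security certificate')
CODE = re.compile(r'\(Error code: (?P<code>[a-z0-9_]+)\)')
CORS = re.compile(r'Cross-Origin Request Blocked: .*? remote resource at (?P<url>\S+)\. \(Reason: CORS request failed\)')

def entries(text):
    """Join continuation lines of one (tag, pid) into whole console messages."""
    buf, key = [], None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        k = (m['tag'], m['pid'])
        # A new tag/pid, or a fresh "[JavaScript ..." header, starts a new message.
        if buf and (k != key or m['msg'].startswith('[JavaScript ')):
            yield '\n'.join(buf)
            buf = []
        key = k
        buf.append(m['msg'])
    if buf:
        yield '\n'.join(buf)

def explain_cors_failures(text):
    """Pair each 'CORS request failed' URL with a TLS error code logged earlier for its host (else None)."""
    tls_errors, findings = {}, []
    for msg in entries(text):
        cert, cors = CERT.match(msg), CORS.search(msg)
        if cert:
            code = CODE.search(msg)
            tls_errors[cert['host']] = code['code'] if code else 'unknown'
        elif cors:
            findings.append((cors['url'], tls_errors.get(urlsplit(cors['url']).hostname)))
    return findings

if __name__ == '__main__':
    print(explain_cors_failures(SAMPLE))
```

A `None` in the second position means no certificate error was logged for that host before the warning, so the CORS response headers are the next thing to check.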
jryans, any idea on who could look into this from the network side?
Flags: needinfo?(jryans)
Are you still able to reproduce the issues? Testing in simulator 2.5 (now the latest version), it appears to load successfully as both a hosted app and via the Marketplace. I no longer see any security errors.
Flags: needinfo?(jryans) → needinfo?(hkirschner)
I also can not reproduce.
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(hkirschner)
Resolution: --- → WORKSFORME
Product: Firefox → DevTools