Treestatus CORS header is no longer a wildcard, blocking Treeherder



a year ago
a year ago


(Reporter: KWierso, Assigned: garbas)


Firefox Tracking Flags

(Not tracked)




a year ago
If you load

The Treestatus icon in the header will show as '?'. And the reason shown in the dropdown is "Error reaching".

Looking in the network monitor, requests go out to which responds with:

> result: {
>   message_of_the_day: "",
>   reason: "",
>   status: "approval required",
>   tree: "mozilla-esr45"
> }

I'm also seeing CORS issues logged to the console:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).

Maybe related: bug 1353753 ?
Looks like the wildcard has been removed from the CORS header, and now only `` whitelisted:

$ curl -IL
HTTP/1.1 200 OK
Connection: keep-alive
Server: gunicorn/19.7.1
Date: Mon, 05 Jun 2017 18:35:25 GMT
Content-Type: application/json
Content-Length: 133
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: style-src 'self' 'unsafe-inline'; connect-src 'self'; script-src 'self' 'unsafe-inline'; default-src 'none'; img-src 'self'
X-Content-Security-Policy: style-src 'self' 'unsafe-inline'; connect-src 'self'; script-src 'self' 'unsafe-inline'; default-src 'none'; img-src 'self'
Via: 1.1 vegur
Component: Treeherder → TreeStatus
Flags: needinfo?(rgarbas)
Product: Tree Management → Release Engineering
QA Contact: catlee


a year ago
Summary: Treestatus is showing as '?' for all trees. → Treestatus CORS header doesn't allow Treeherder


a year ago
Assignee: nobody → rgarbas
Flags: needinfo?(rgarbas)

Comment 2

a year ago
As explained in the github comment, I've added to CORS_ORIGINS and restarted the releng treestatus heroku app.

I can confirm that is now working correctly. Please reopen if this is not the case.
Last Resolved: a year ago
Resolution: --- → FIXED
Thank you for adjusting the header.

However we still really need the wildcard header, otherwise it breaks Treeherder stage/prototype/local development and any other webapps that read the API. In the future it would be really useful to have emails sent to mailing lists and also grep access logs to see who consumes the API before breaking changes are made.

Let's continue the discussion here:

Plus I've filed some other issues to ease debugging of the mozilla-releng/services apps in the future, since the current setup was a bit confusing and lengthened the time taken to debug:

...and also a ticket against Heroku for them to actually display in the UI when an app is using the non-standard container registry/runtime method:
Summary: Treestatus CORS header doesn't allow Treeherder → Treestatus CORS header is no longer a wildcard, blocking Treeherder
And resolved :-)

$ curl -sSfIL | grep Access
Access-Control-Allow-Origin: *
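
The access-log check suggested earlier in the thread (finding out who consumes the API before tightening the header), as an added example that is not part of the original bug or of the treestatus code. Only `CORS_ORIGINS` is a name from the thread; the log format with its `origin=` field, the request path and every origin below are constructed assumptions.

```python
# Added example: list the browser consumers a proposed CORS allowlist would block.
# Assumption: the access log records the request's Origin header as "origin=<value>",
# with "origin=-" for requests that sent none (e.g. curl).
from collections import Counter

# Constructed sample log lines; none of these origins come from the bug.
SAMPLE_LOG = """\
2017-06-05T18:30:01Z GET /api/tree-status origin=https://dashboard.example.org
2017-06-05T18:30:04Z GET /api/tree-status origin=https://dashboard-stage.example.org
2017-06-05T18:30:09Z GET /api/tree-status origin=http://localhost:5000
2017-06-05T18:31:12Z GET /api/tree-status origin=https://dashboard.example.org
2017-06-05T18:31:40Z GET /api/tree-status origin=-
"""


def allow_origin_header(origin, cors_origins):
    """Return the Access-Control-Allow-Origin value to send, or None to omit it."""
    if "*" in cors_origins:
        return "*"
    if origin in cors_origins:  # exact match only, no prefix or suffix matching
        return origin           # send "Vary: Origin" too so caches keep responses apart
    return None


def parse_origins(log_text):
    """Count requests per Origin; requests without an Origin are not subject to CORS."""
    counts = Counter()
    for line in log_text.splitlines():
        for field in line.split():
            if field.startswith("origin=") and field != "origin=-":
                counts[field[len("origin="):]] += 1
    return counts


def blocked_consumers(log_text, cors_origins):
    """Origins seen in the log whose cross-origin reads the browser would block."""
    return {origin: hits for origin, hits in parse_origins(log_text).items()
            if allow_origin_header(origin, cors_origins) is None}


if __name__ == "__main__":
    proposed = ["https://dashboard.example.org"]  # hypothetical CORS_ORIGINS value
    for origin, hits in sorted(blocked_consumers(SAMPLE_LOG, proposed).items()):
        print(f"would be blocked: {origin} ({hits} request(s))")
```

The `origin=-` line is counted as unaffected because a client that sends no `Origin` header still receives the 200 response, as in the `curl` output above; only browsers enforce the missing header.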