Closed Bug 1370311 Opened 7 years ago Closed 7 years ago

Treestatus CORS header is no longer a wildcard, blocking Treeherder

Categories

(Release Engineering :: General, defect)

Product:
Release Engineering
Component:
General
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: KWierso, Assigned: garbas)

Details

If you load https://treeherder.mozilla.org/#/jobs?repo=mozilla-esr45&fromchange=d9d4374f89440e9449e5a2c1e2fe261551bbea71&filter-resultStatus=testfailed&filter-resultStatus=busted&filter-resultStatus=exception&filter-classifiedState=unclassified

The Treestatus icon in the header will show as '?'. And the reason shown in the dropdown is "Error reaching api.pub.build.mozilla.org/treestatus".


Looking in the network monitor, requests go out to https://treestatus.mozilla-releng.net/trees/mozilla-esr45 which responds with > result: {
  message_of_the_day: "",
  reason: "",
  status: "approval required",
  tree: "mozilla-esr45"
}


I'm also seeing CORS issues logged to the console:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://treestatus.mozilla-releng.net/trees/mozilla-esr45. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).



Maybe related: bug 1353753 ?
Looks the wildcard has been removed from the CORS header, and now only `https://mozilla-releng.net` whitelisted:

$ curl -IL https://treestatus.mozilla-releng.net/trees/mozilla-esr45
HTTP/1.1 200 OK
Connection: keep-alive
Server: gunicorn/19.7.1
Date: Mon, 05 Jun 2017 18:35:25 GMT
Content-Type: application/json
Content-Length: 133
Access-Control-Allow-Origin: https://mozilla-releng.net
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: style-src 'self' 'unsafe-inline'; connect-src 'self'; script-src 'self' 'unsafe-inline'; default-src 'none'; img-src 'self'
X-Content-Security-Policy: style-src 'self' 'unsafe-inline'; connect-src 'self'; script-src 'self' 'unsafe-inline'; default-src 'none'; img-src 'self'
Via: 1.1 vegur
Component: Treeherder → TreeStatus
Flags: needinfo?(rgarbas)
Product: Tree Management → Release Engineering
QA Contact: catlee
Summary: Treestatus is showing as '?' for all trees. → Treestatus CORS header doesn't allow Treeherder
Assignee: nobody → rgarbas
Flags: needinfo?(rgarbas)
as explained in [github comment](https://github.com/mozilla-releng/services/issues/366#issuecomment-306467029) I've added https://treeherder.mozilla.org to CORS_ORIGINS and restarted releng treestatus heroku app.

I can confirm that https://treeherder.mozilla.com is now working correctly. Please reopen if this is not the case.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Thank you for adjusting the header.

However we still really need the wildcard header, otherwise it breaks Treeherder stage/prototype/local development and any other webapps that read the API. In the future it would be really useful to have emails sent to mailing lists and also grep access logs to see who consumes the API before breaking changes are made.

Let's continue the discussion here:
https://github.com/mozilla-releng/services/issues/366

Plus I've filed some other issues to ease debugging of the mozilla-releng/services apps in the future, since the current setup was a bit confusing and lengthened the time taken to debug:
https://github.com/mozilla-releng/services/issues/367
https://github.com/mozilla-releng/services/issues/368
https://github.com/mozilla-releng/services/issues/369

...and also a ticket against Heroku for them to actually display in the UI when an app is using the non-standard container registry/runtime method:
https://help.heroku.com/tickets/483981
Summary: Treestatus CORS header doesn't allow Treeherder → Treestatus CORS header is no longer a wildcard, blocking Treeherder
And resolved :-)

$ curl -sSfIL https://treestatus.mozilla-releng.net/trees/mozilla-central | grep Access
Access-Control-Allow-Origin: *
Component: Applications: TreeStatus → General
You need to log in before you can comment on or make changes to this bug.