Closed Bug 1401361 Opened 8 years ago Closed 8 years ago

Please allow cross-origin requests to symbols.mozilla.org

Categories

(Socorro :: Symbols, task)

Product:
Socorro
Component:
Symbols
Type:
task
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: mstange, Assigned: peterbe)

Details

Attachments

(2 files)

testcase
587 bytes, text/html
Details
Link to GitHub pull-request: https://github.com/mozilla-services/tecken/pull/424
51 bytes, text/x-github-pull-request
Details | Review
Attached file testcase
I'd like to access symbol dumps from perf-html.io so that existing profiles can be symbolicated without going through the Gecko Profiler add-on ( https://github.com/devtools-html/perf.html/issues/253 ). In order to do that, I need to fetch symbol dumps from symbols.mozilla.org from unprivileged website JavaScript. This is currently impossible because symbols.mozilla.org does not send Access-Control-Allow-Origin headers. Could these headers be added?
Flags: needinfo?(peterbe)
Greg, Can you think of any reason NOT to add CORS * headers to symbol download? I'll add it for Symbol Download only. There's "no security" there meaning we don't set or read cookies since all symbol download is public. Markus, symbols.mozilla.org is just a fancy redirect proxy for a public S3 bucket. (legacy rewriting, logging of 404s, etc) For example, a URL like https://symbols.mozilla.org/AcSpecfc.pdb/8189FB0512D03FB92C11242622E9060D1/AcSpecfc.sym will always 302 redirect to a URL like https://s3-us-west-2.amazonaws.com/org.mozilla.crash-stats.symbols-public/v1/AcSpecfc.pdb/8189FB0512D03FB92C11242622E9060D1/AcSpecfc.sym?AWSAccessKeyId=AKIAIWM6JYWLRUT4R6OQ&Signature=dDX%2FYoss%2BzBGMFPX2xSG%2BlHvAyo%3D&Expires=1506951517 It's never occurred to me whether that needs CORS headers too.
Flags: needinfo?(peterbe) → needinfo?(gguthe)
(In reply to Peter Bengtsson [:peterbe] from comment #1) > Greg, > Can you think of any reason NOT to add CORS * headers to symbol download? > Easier DOS and it probably gives uploaders stored XSS in older browsers that support content sniffing (like FXA-01-004), but those risks are limited and I think this is OK since the data is public. Like you mentioned we should limit this to the download endpoints. I'd recommend restricting this to GETs too: Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET
Flags: needinfo?(gguthe)
Assignee: nobody → peterbe
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Markus, This bug auto-resolves as soon as the code hits master but it'll be a couple of days until this goes to prod. (See https://whatsdeployed.io/s-5HY for the big scary "backlog") If you have a hackaround to tie you over perhaps you can use that for a couple more days. If not please ping me and I'll try to make sure a new release goes out sooner.
Thanks! The bug that I need this for is a long-standing issue and I don't mind waiting a few more days, so there's no need to rush this fix out.
Hi Peter, what's the status of this fix? If it has already been deployed, it doesn't seem to be working: The testcase still prints a NetworkError.
Flags: needinfo?(peterbe)
(In reply to Markus Stange [:mstange] from comment #7) > Hi Peter, > what's the status of this fix? If it has already been deployed, it doesn't > seem to be working: The testcase still prints a NetworkError. The change has made it to symbols.mozilla.org. You can see it with:: curl -v https://symbols.mozilla.org/libnssckbi.so/0DE8531E9AD93B4ABF2D2D7AC7A292F10/libnssckbi.so.sym > /dev/null However, that URL, as you can see, redirects to:: https://s3-us-west-2.amazonaws.com/org.mozilla.crash-stats.symbols-public/v1/libnssckbi.so/0DE8531E9AD93B4ABF2D2D7AC7A292F10/libnssckbi.so.sym?AWSAccessKeyId=AKIAIWM6JYWLRUT4R6OQ&Signature=GYWsI0qrnayvrJ8k3rTy13bpEC0%3D&Expires=1511792067 (which is a generated temporary URL) And that does NOT have a `Access-Control-Allow-Origin: *` header. It's part of AWS S3. In other words, if you want to actually download these files in your browser, you can't. We control the uploads to S3 so we could potentially control those headers too.
Flags: needinfo?(peterbe)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: