CORS missing allow origin header with the domain used for the Mozilla Matrix server
Categories
(www.mozilla.org :: General, defect)
Tracking
(Not tracked)
People
(Reporter: sdk, Unassigned)
Attachments
(1 file: 13.19 KB, image/png)
A user reported in #synchronicity:mozilla.org that using mozilla.org (without the "www") returns a "CORS missing allow origin header" error.
It looks like https://www.mozilla.org/.well-known/matrix/client does have the CORS headers, but https://mozilla.org/.well-known/matrix/client (without the www prefix) doesn't.
Reporter
Comment 1•3 years ago
ni? :mhoye since there's no triage owner for this component.
Comment 2•3 years ago
Hi Danny - thanks for the report.
(I'm not a Matrix contributor, but mozilla.org hosts the files that aren't loading as expected for the reporting user, and my team runs that site, so am curious...)
I can replicate on chat.mozilla.org just by loading any room and looking in Developer Tools for the errors in your screenshot.
Expanding those error rows, it shows that https://mozilla.org/.well-known/matrix/client is redirecting (via a 301) to the www.mozilla.org subdomain (which is what one sees with FF, curl, etc, too).
So, general question to anyone / thinking aloud:
- Is this an SRE-level configuration thing where Matrix needs to be told to use the www subdomain to access /.well-known/matrix/client?
- Is it a niggle/edge-case in Matrix that isn't expecting a 301 and therefore not handling it?
In answer to this, looking quickly at the setup docs (https://matrix-org.github.io/synapse/latest/setup/installation.html#client-well-known-uri) it seems to depend on what the formal server name is - and if that is/has to be mozilla.org, I think we might have to find a way to serve those particular files without the redirect to www.m.o
Would welcome a view from someone with more SRE context, though.
And a specific question to Danny: is this currently causing the reporting user any problem/lack of functionality? eg is it blocking access, as far as you know?
Cheers
Steve
Comment 3•3 years ago
On the question of problems with this setup: yes, there's a problem. Matrix recommends only remembering your user ID (e.g. @test:mozilla.org), and users should expect clients to get the homeserver from their user ID, but when using a user ID on the Mozilla homeserver, the client is unable to get the homeserver information.
BTW I am not technical enough to solve the problem, but from what I have observed in other homeserver settings, what you have under www.mozilla.org should be under mozilla.org.
Comment 4•3 years ago
@Steve Any updates on this?
Comment 5•3 years ago
Hi Tulmi - I'm not on the team directly handling the related setup, but I'll do some gentle chasing now that colleagues are returning from some time away from work.
Comment 6•3 years ago
Hi all - Just a note, this was forwarded to Web SRE (the team that owns the infra here) before Christmas, and it's on our to-do list to re-approach a started repair this week. We're just waiting on one more colleague to return, as some of the work to repair this issue in the past has some open questions we're tracking down on our side.
Will update ticket shortly when more is known and we have an engineer to pick up the repair.
Comment 7•3 years ago
I'm a little reluctant to modify mozilla.org's redirect to be Access-Control-Allow-Origin: *, not entirely sure what the impact of that change would be across all of our properties.
To anyone on the ticket - do those errors mean anything in terms of user impact? Not really sure it's worth time or effort to fix if it's just some console errors.
It seems like the smaller change would be to reconfigure matrix to go directly to the correct well-known file. Web-sre doesn't own matrix, so that'll have to be a @mhoye thing. I assume that we could just go add the www to the current configuration of matrix and solve our problem. No one on our team has access to do that.
Reporter
Comment 8•3 years ago
> To anyone on the ticket - do those errors mean anything in terms of user impact?
Someone in a previous comment mentioned it could impact the homeserver auto-discovery at login in a matrix client. I think that's something whoever is in charge (I'm guessing mhoye) of the matrix server should ask the EMS/Matrix support team.
It is limiting functionality.
Similarly to an e-mail address, a Matrix ID contains a server name, e.g. @notramo:grin.hu, which should host a .well-known file to the actual Matrix server, which can be at an entirely different domain. That .well-known file serves the same purpose as having @example.org in the e-mail address, and having an MX DNS record that points to e.g. mail.example.org.
In-browser Matrix clients (e.g. Element Web, or Cinny) can't load the .well-known file if it is missing the appropriate CORS headers because the browser blocks them, meaning that they can't log in using their Matrix ID.
> It seems like the smaller change would be to reconfigure matrix to go directly to the correct well-known file.
You can't reconfigure it as it's not a server side thing, but client side, and it's in the spec.
It works in non-browser clients, where CORS headers don't matter.
> I'm a little reluctant to modify mozilla.org's redirect to be Access-Control-Allow-Origin: *, not entirely sure what the impact of that change would be across all of our properties.
It should be only modified to that one specific file, not for the entire site.
> I think that's something whoever is in charge (I'm guessing mhoye) of the matrix server should ask the EMS/Matrix support team.
They can't do anything about it, because the error is with client side browser security policy.
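An added example (not from this bug thread or from any Mozilla or Matrix code) that models why the 301 on mozilla.org blocks the lookup even though www.mozilla.org sends the header: a browser applies the CORS check to every cross-origin hop, redirects included. The hop records, the `*` header value and the function names are constructed for illustration.

```javascript
// Added example: the browser-side CORS check applied to each hop of a redirect chain.
const PAGE = "https://chat.mozilla.org"; // origin of the in-browser client
const APEX = "https://mozilla.org/.well-known/matrix/client";
const WWW = "https://www.mozilla.org/.well-known/matrix/client";

// Constructed hop records mirroring the thread; "*" is an assumed header value.
const BEFORE_FIX = [
  { url: APEX, status: 301, headers: { Location: WWW } },
  { url: WWW, status: 200, headers: { "Access-Control-Allow-Origin": "*" } },
];
// One possible repaired state: the redirect response itself carries the header.
const AFTER_FIX = [
  { url: APEX, status: 301,
    headers: { Location: WWW, "Access-Control-Allow-Origin": "*" } },
  { url: WWW, status: 200, headers: { "Access-Control-Allow-Origin": "*" } },
];

function allowOrigin(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === "access-control-allow-origin") return value.trim();
  }
  return null;
}

function checkChain(pageOrigin, hops) {
  let tainted = false; // set once a cross-origin hop redirects to another origin
  for (let i = 0; i < hops.length; i++) {
    const hop = hops[i];
    const hopOrigin = new URL(hop.url).origin;
    if (tainted || hopOrigin !== pageOrigin) {
      // Non-credentialed check: "*" or the serialized request origin,
      // which becomes "null" after a tainting redirect.
      const acao = allowOrigin(hop.headers);
      if (acao !== "*" && acao !== (tainted ? "null" : pageOrigin)) {
        return { ok: false, blockedAt: hop.url, status: hop.status };
      }
    }
    if (hop.status < 300 || hop.status >= 400) return { ok: true, finalUrl: hop.url };
    const next = hops[i + 1];
    if (next && hopOrigin !== pageOrigin && new URL(next.url).origin !== hopOrigin) {
      tainted = true;
    }
  }
  return { ok: false, blockedAt: null, status: null }; // never reached a final response
}

console.log(checkChain(PAGE, BEFORE_FIX)); // blocked at the apex 301
console.log(checkChain(PAGE, AFTER_FIX));  // reaches the www response
```

Because the request origin serializes as `null` after the cross-origin redirect, a final response that echoes the page origin instead of sending `*` would still be blocked.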
Comment 10•3 years ago
> > I think that's something whoever is in charge (I'm guessing mhoye) of the matrix server should ask the EMS/Matrix support team.
> They can't do anything about it, because the error is with client side browser security policy.
@Christina Harlow, @Alan Alexander: Can you please look at it again as notramo explained it's a Web SRE thing? Also as notramo said, it is limiting functionality and not just a console error.
Reporter
Updated•2 years ago
Comment 11•2 years ago
We released a change that should provide the correct headers at the /.well-known/matrix/client path. I tested and it all worked for me.
Thanks for reporting!
Reporter
Updated•2 years ago