Closed Bug 1747089 Opened 3 years ago Closed 2 years ago

CORS missing allow origin header with the domain used for the Mozilla Matrix server

Categories

(www.mozilla.org :: General, defect)

Production
defect

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: sdk, Unassigned)


Attachments

(1 file)

Attached image image.png

A user reported in #synchronicity:mozilla.org that using mozilla.org (without the "www") returns a "CORS missing allow origin header" error.

It looks like https://www.mozilla.org/.well-known/matrix/client does have the CORS headers, but https://mozilla.org/.well-known/matrix/client (without the www prefix) doesn't.

ni? :mhoye since there's no triage owner for this component.

Flags: needinfo?(mhoye)

Hi Danny - thanks for the report.

(I'm not a Matrix contributor, but mozilla.org hosts the files that aren't loading as expected for the reporting user, and my team runs that site, so am curious...)

I can replicate on chat.mozilla.org just by loading any room and looking in Developer Tools for the errors in your screenshot.

Expanding those error rows, it shows that https://mozilla.org/.well-known/matrix/client is redirecting (via a 301) to the www.mozilla.org subdomain (which is what one sees with FF, curl, etc, too).

So, general question to anyone / thinking aloud:

  • Is this an SRE-level configuration thing where Matrix needs to be told to use the www subdomain to access /.well-known/matrix/client?
  • Is it a niggle/edge-case in Matrix that isn't expecting a 301 and therefore not handling it?

In answer to this, looking quickly at the setup docs (https://matrix-org.github.io/synapse/latest/setup/installation.html#client-well-known-uri) it seems to depend on what the formal server name is - and if that is/has to be mozilla.org, I think we might have to find a way to serve those particular files without the redirect to www.m.o.

Would welcome a view from someone with more SRE context, though.

And a specific question to Danny: is this currently causing the reporting user any problem/lack of functionality? eg is it blocking access, as far as you know?

Cheers
Steve

On the question of problems with this setup: yes, there’s a problem. Matrix recommends only remembering your user ID (e.g. @test:mozilla.org), and users should expect clients to get the homeserver from their user ID, but when using a user ID of the Mozilla homeserver, the client is unable to get the homeserver information.

BTW I am not technical enough to solve the problem, but from what I observed in other homeserver settings, what you have under www.mozilla.org should be under mozilla.org.

@Steve Any updates on this?

Hi Tulmi - I'm not on the team directly handling the related setup, but I'll do some gentle chasing now that colleagues are returning from some time away from work.

Hi all - Just a note, this was forwarded to Web SRE (the team that owns the infra here) before Christmas, and it's on our to-do list to re-approach a started repair this week. We're just waiting on one more colleague to return, as some of the work to repair this issue in the past has some open questions we're tracking down on our side.

Will update ticket shortly when more is known and we have an engineer to pick up the repair.

I'm a little reluctant to modify mozilla.org's redirect to be Access-Control-Allow-Origin: *, not entirely sure what the impact of that change would be across all of our properties.

To anyone on the ticket - do those errors mean anything in terms of user impact? Not really sure it's worth time or effort to fix if it's just some console errors.

It seems like the smaller change would be to reconfigure matrix to go directly to the correct well-known file. Web-sre doesn't own matrix, so that'll have to be a @mhoye thing. I assume that we could just go add the www to the current configuration of matrix and solve our problem. No one on our team has access to do that.

> To anyone on the ticket - do those errors mean anything in terms of user impact?

Someone in a previous comment mentioned it could impact the homeserver auto-discovery at login in a Matrix client. I think that's something whoever is in charge (I'm guessing mhoye) of the Matrix server should ask the EMS/Matrix support team.

It is limiting functionality.
Similarly to an e-mail address, a Matrix ID contains a server name, e.g. @notramo:grin.hu, which should host a .well-known file pointing to the actual Matrix server, which can be at an entirely different domain. That .well-known file serves the same purpose as having @example.org in the e-mail address, and having an MX DNS record that points to e.g. mail.example.org.
In-browser Matrix clients (e.g. Element Web, or Cinny) can't load the .well-known file if it is missing the appropriate CORS headers because the browser blocks them, meaning that they can't log in using their Matrix ID.

> It seems like the smaller change would be to reconfigure matrix to go directly to the correct well-known file.

You can't reconfigure it as it's not a server side thing, but client side, and it's in the spec.
It works in non-browser clients, where CORS headers don't matter.

> I'm a little reluctant to modify mozilla.org's redirect to be Access-Control-Allow-Origin: *, not entirely sure what the impact of that change would be across all of our properties.

It should only be modified for that one specific file, not for the entire site.

> I think that's something whoever is in charge (I'm guessing mhoye) of the Matrix server should ask the EMS/Matrix support team.

They can't do anything about it, because the error is with client side browser security policy.

> > I think that's something whoever is in charge (I'm guessing mhoye) of the Matrix server should ask the EMS/Matrix support team.
>
> They can't do anything about it, because the error is with client side browser security policy.

@Christina Harlow, @Alan Alexander: Can you please look at it again as notramo explained it's a Web SRE thing? Also as notramo said, it is limiting functionality and not just a console error.

We released a change that should provide the correct headers at the /.well-known/matrix/client path. I tested and it all worked for me.

Thanks for reporting!
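The failure discussed in this thread, as an added example (not code from the bug, from Mozilla, or from any Matrix client): a simplified model of the browser's CORS check applied to every hop of the .well-known lookup for a credential-less GET. The response tables and the `homeserver.example` URL are constructed, and the thread does not say which passing configuration was actually deployed.

```javascript
// The server name is everything after the first ':' of a Matrix user ID.
function wellKnownUrl(userId) {
  const i = userId.indexOf(':');
  if (!userId.startsWith('@') || i < 2) throw new Error('not a Matrix user ID');
  return `https://${userId.slice(i + 1)}/.well-known/matrix/client`;
}

// CORS check for one response (no credentials): header must be '*' or the request origin.
function corsAllows(headers, origin) {
  const acao = headers['access-control-allow-origin'];
  return acao === '*' || acao === origin;
}

// responses: map of URL -> { status, headers, body }, standing in for the network.
function discover(userId, pageOrigin, responses) {
  let url = wellKnownUrl(userId);
  let origin = pageOrigin;
  for (let hop = 0; hop < 5; hop++) {
    const res = responses[url];
    if (!res) return { ok: false, reason: `no response for ${url}` };
    const crossOrigin = new URL(url).origin !== pageOrigin;
    // The check runs on redirect responses too, not only on the final 200.
    if (crossOrigin && !corsAllows(res.headers, origin)) {
      return { ok: false, reason: `CORS blocked at ${url} (status ${res.status})` };
    }
    if ([301, 302, 303, 307, 308].includes(res.status)) {
      const next = new URL(res.headers.location, url).href;
      // A cross-origin hop to yet another origin makes the browser send Origin: null.
      if (crossOrigin && new URL(next).origin !== new URL(url).origin) origin = 'null';
      url = next;
      continue;
    }
    return { ok: true, baseUrl: JSON.parse(res.body)['m.homeserver'].base_url };
  }
  return { ok: false, reason: 'too many redirects' };
}

// Constructed sample data; the base_url is a placeholder, not Mozilla's real value.
const APEX = 'https://mozilla.org/.well-known/matrix/client';
const WWW = 'https://www.mozilla.org/.well-known/matrix/client';
const doc = {
  status: 200,
  headers: { 'access-control-allow-origin': '*' },
  body: JSON.stringify({ 'm.homeserver': { base_url: 'https://homeserver.example' } }),
};
const REPORTED = { [APEX]: { status: 301, headers: { location: WWW } }, [WWW]: doc };
const HEADER_ON_REDIRECT = {
  [APEX]: { status: 301, headers: { location: WWW, 'access-control-allow-origin': '*' } },
  [WWW]: doc,
};
const SERVED_ON_APEX = { [APEX]: doc };
```

Calling `discover('@test:mozilla.org', 'https://chat.mozilla.org', REPORTED)` fails at the 301 even though the final document carries the header. Both other tables succeed, and in each the header is scoped to this one path.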

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
Flags: needinfo?(mhoye)