Closed Bug 1796977 Opened 3 years ago Closed 3 years ago

Background Script Cross-Origin Requests fail

Categories

(WebExtensions :: Request Handling, defect)

Firefox 106

Tracking

(firefox106 affected, firefox107 affected, firefox108 affected)

RESOLVED INVALID

People

(Reporter: cp.piber, Unassigned)

Details

Attachments

(2 files)

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0

Steps to reproduce:

  • Call fetch in background script

Note: URL is covered by permissions.
In this case, request is made to https://talent.nebula.tv/creators/. Permissions are for '*://*.nebula.tv/*', further specifying the subdomain does not help.

(Problem persists in Nightly 108.0a1)

Actual results:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at <url> (Reason: CORS header ‘Access-Control-Allow-Origin’ missing). Status code: 200.

Expected results:

The request to go through. As https://bugzilla.mozilla.org/show_bug.cgi?id=1607154 and https://bugzilla.mozilla.org/show_bug.cgi?id=1578405 established, cross-origin requests should go through.

In Chrome this works.

In case that is relevant, extension is v2. Developer tools show chrome://devtools/content/shared/webextension-fallback.html, even though it's a background page.

Seems to have worked until a few weeks ago, but that might be because the CORS on the page changed, since testing as far back as 99, the behavior is the same.

Hello cp.piber,

I’m from QA and I’m attempting to reproduce the issue. Could you provide an example extension and exact steps to reproduce? Thank you!

Flags: needinfo?(cp.piber)
Attached file bug-1.0.zip

I've attached a minimal extension. It should have access to "*://*.nebula.tv/*" from the content script, but the request fails.

To test, please install the extension on about:debugging and open the inspector console. Click the browser action, it should make the request, you'll see the CORS error in the console.

Flags: needinfo?(cp.piber)

Hello and thank you for the additional details!

I reproduced the issue on the latest Nightly (108.0a1/20221025094808), Beta (107.0b4/20221023190001) and Release (106.0.1/20221019185550) under Windows 10 x64 and Ubuntu 16.04 LTS.

Clicking the browser action will log a CORS error in the extension console as mentioned in the Actual of Comment 0.

For further details, see the attached screenshot.

Status: UNCONFIRMED → NEW
Ever confirmed: true
Attached image 2022-10-26_09h57_02.png

Thank you :) During further testing I noticed that explicitly adding the match to the permissions key works. It definitely seems like a bug that it has to be requested several times (maybe related to subdomains? I noticed that I have to specifically request permissions for subsubdomains in content scripts as well, despite no CORS).

The severity field is not set for this bug.
:willdurand, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(wdurand)

The permissions key is necessary if you want to make cross-origin requests.

In MV3 the key is host_permissions.

In any case, this is not a bug in Firefox, but a misunderstanding of an extension developer.

Status: NEW → RESOLVED
Closed: 3 years ago
Flags: needinfo?(wdurand)
Resolution: --- → INVALID
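
An added example, not part of the bug thread or the attached extension: a small Node.js check of whether a background-script `fetch()` target is covered by the manifest's host permissions, following the resolution above (`permissions` in MV2, `host_permissions` in MV3). The manifests and function names are constructed for illustration, and treating `content_scripts` matches as not granting background access is an assumption taken from the reporter's observation that adding the pattern to `permissions` fixed the request.

```javascript
// Constructed manifests for illustration; not the contents of bug-1.0.zip.
const TARGET = "https://talent.nebula.tv/creators/";
const contentScripts = [{ matches: ["*://*.nebula.tv/*"], js: ["content.js"] }];
const mv2Missing = { manifest_version: 2, permissions: ["storage"], content_scripts: contentScripts };
const mv2Fixed = { ...mv2Missing, permissions: ["storage", "*://*.nebula.tv/*"] };
const mv3Misplaced = { manifest_version: 3, permissions: ["storage", "*://*.nebula.tv/*"] };
const mv3Fixed = { manifest_version: 3, permissions: ["storage"], host_permissions: ["*://*.nebula.tv/*"] };

// Does one match pattern cover the URL? Handles http(s) targets only.
function matchesPattern(pattern, url) {
  const u = new URL(url);
  const scheme = u.protocol.slice(0, -1);
  if (scheme !== "http" && scheme !== "https") return false;
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?):\/\/(\*|(?:\*\.)?[^/*]+)(\/.*)$/.exec(pattern);
  if (!m) return false; // API permission such as "storage", not a host pattern
  const [, pScheme, pHost, pPath] = m;
  if (pScheme !== "*" && pScheme !== scheme) return false;
  if (pHost.startsWith("*.")) {
    // "*.nebula.tv" covers nebula.tv and any subdomain depth, but not evilnebula.tv
    const base = pHost.slice(2);
    if (u.hostname !== base && !u.hostname.endsWith("." + base)) return false;
  } else if (pHost !== "*" && u.hostname !== pHost) {
    return false;
  }
  // In the path, "*" is the only wildcard; all other characters are literal.
  const literal = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  const pathRe = new RegExp("^" + pPath.split("*").map(literal).join(".*") + "$");
  return pathRe.test(u.pathname + u.search);
}

// Host patterns that apply to background-page requests: "permissions" in MV2,
// "host_permissions" in MV3. content_scripts[].matches is deliberately ignored.
function hostPatterns(manifest) {
  const key = manifest.manifest_version === 3 ? "host_permissions" : "permissions";
  return manifest[key] || [];
}

function backgroundFetchCovered(manifest, url) {
  return hostPatterns(manifest).some((p) => matchesPattern(p, url));
}

for (const [name, m] of Object.entries({ mv2Missing, mv2Fixed, mv3Misplaced, mv3Fixed })) {
  console.log(name, backgroundFetchCovered(m, TARGET) ? "covered" : "needs CORS headers from the server");
}
```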