Allow cross-domain XHR requests on the self-serve API

Status: RESOLVED FIXED
Priority: P2 (severity: normal)
Reported: 8 years ago; Modified: 5 years ago
People: Reporter: Ehsan, Assigned: catlee
Firefox Tracking Flags: (Not tracked)
Attachments: 1 attachment

Description (Reporter, 8 years ago)

+++ This bug was initially created as a clone of Bug #646487 +++

This is another thing that we need for integration of self-serve APIs with TBPL.

Updated (Reporter, 8 years ago)
No longer depends on: 646487

Comment 1 (Assignee, 8 years ago)

What's the exact header name/value you want?

Comment 2 (Reporter, 8 years ago)

(In reply to comment #1)
> What's the exact header name/value you want?

Unfortunately, because we need to send DELETE requests, we should support preflighted requests <https://developer.mozilla.org/En/HTTP_Access_Control#Preflighted_requests>. This is a lot more complicated than I thought... :(

Comment 3 (Assignee, 8 years ago)

(In reply to comment #2)
> (In reply to comment #1)
> > What's the exact header name/value you want?
> 
> Unfortunately because we need to send DELETE requests, we should support
> preflighted requests
> <https://developer.mozilla.org/En/HTTP_Access_Control#Preflighted_requests>. 
> This is a lot more complicated than I thought... :(

You can send POST with a parameter _method=DELETE

Comment 4 (Reporter, 8 years ago)

(In reply to comment #3)
> (In reply to comment #2)
> > (In reply to comment #1)
> > > What's the exact header name/value you want?
> > 
> > Unfortunately because we need to send DELETE requests, we should support
> > preflighted requests
> > <https://developer.mozilla.org/En/HTTP_Access_Control#Preflighted_requests>. 
> > This is a lot more complicated than I thought... :(
> 
> You can send POST with a parameter _method=DELETE

In that case, specifying this header should be all that is needed:

Access-Control-Allow-Origin: *

Updated (Assignee, 8 years ago)
Assignee: nobody → catlee
Priority: -- → P2
Blocks: 634915

We need to allow the user's HTTP credentials to be used when accessing the self-serve API.  By my reading of CORS, this means we need to send

  Access-Control-Allow-Origin: tbpl.mozilla.org
  Access-Control-Allow-Credentials: true

since it says you can't use "*" when making cross-origin requests with credentials.  That might be problematic for those running their own TBPL instances on different hosts.

Comment 6 (Reporter, 8 years ago)

So, this might be stupid, but do we want to look at the Referer header (if set by the browser) and set Access-Control-Allow-Origin based on the hostname in use (and fall back to tbpl.m.o if it's not set)?

Would that mean anyone could write a page that could cancel/trigger builds using the user's current credentials?  Seems like that might be a problem, so I think it would be better to whitelist people's individual tbpl variants.

I propose the following headers be sent by the self-serve API pages:

  Access-Control-Allow-Origin: tbpl.mozilla.org, tests.themasta.com, dev.philringnalda.com, bbpl.dbaron.org, tbpl.mcc.id.au
  Access-Control-Allow-Credentials: true

They're the TBPL instances I'm aware of.  (The last one is where I'm testing bug 634915 work, which needs this cross-domain access.)

Comment 9

Sorry, should be this:

  Access-Control-Allow-Origin: http://tbpl.mozilla.org http://tests.themasta.com http://dev.philringnalda.com http://bbpl.dbaron.org http://tbpl.mcc.id.au
  Access-Control-Allow-Credentials: true

Comment 10 (Reporter, 8 years ago)

(In reply to comment #9)
> Sorry, should be this:
> 
>   Access-Control-Allow-Origin: http://tbpl.mozilla.org
> http://tests.themasta.com http://dev.philringnalda.com http://bbpl.dbaron.org
> http://tbpl.mcc.id.au
>   Access-Control-Allow-Credentials: true

If that's how we should be playing, please add http://ehsanakhgari.org too.
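Access-Control-Allow-Origin accepts a single origin, not the space- or comma-separated list proposed above, so the practical way to serve that whitelist together with credentials is to compare the request's Origin header against it and echo back the one match. The following added example (not the ControlHeaders middleware from attachment 525793; hostnames are taken from the thread, class and function names are assumptions) does that as a WSGI middleware and also answers the preflight that a real DELETE request needs:

```python
# Added example (not buildapi's ControlHeaders middleware): WSGI middleware that
# grants credentialed CORS access only to an explicit allow-list of TBPL origins.
# Hostnames are those proposed in the thread; class and function names are assumed.
ALLOWED_ORIGINS = frozenset({  # constructed allow-list of exact origins (scheme + host)
    "http://tbpl.mozilla.org", "http://tests.themasta.com",
    "http://dev.philringnalda.com", "http://bbpl.dbaron.org",
    "http://tbpl.mcc.id.au", "http://ehsanakhgari.org",
})

def cors_headers(origin, method):
    """CORS headers for a request whose Origin header is `origin`.
    Access-Control-Allow-Origin carries one origin (or "*"), never a list, and
    browsers refuse "*" with credentials, so the matching origin is echoed back.
    Matching is exact (not Referer- or suffix-based): an unlisted page gets no
    CORS headers and cannot drive the API with the user's credentials."""
    if origin not in ALLOWED_ORIGINS:
        return []
    headers = [
        ("Access-Control-Allow-Origin", origin),
        ("Access-Control-Allow-Credentials", "true"),
        ("Vary", "Origin"),  # caches must not serve one origin's reply to another
    ]
    if method == "OPTIONS":  # preflight answer: lets DELETE be sent as a real DELETE
        headers += [("Access-Control-Allow-Methods", "GET, POST, DELETE"),
                    ("Access-Control-Allow-Headers", "Content-Type, Authorization"),
                    ("Access-Control-Max-Age", "600")]
    return headers

class CorsAllowList:
    """WSGI middleware: answers preflights itself, decorates other responses."""
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        method, origin = environ["REQUEST_METHOD"], environ.get("HTTP_ORIGIN", "")
        extra = cors_headers(origin, method)
        if method == "OPTIONS" and "HTTP_ACCESS_CONTROL_REQUEST_METHOD" in environ:
            start_response("204 No Content", extra)  # preflight never reaches the app
            return [b""]
        def wrapped(status, headers, exc_info=None):
            return start_response(status, list(headers) + extra, exc_info)
        return self.app(environ, wrapped)

def handle(app, environ):
    """Drive a WSGI app for one request; returns (status, headers, body)."""
    out = {}
    def start_response(status, headers, exc_info=None):
        out["status"], out["headers"] = status, headers
    body = b"".join(app(environ, start_response))
    return out["status"], out["headers"], body
```

Reflecting the Referer instead, as floated earlier in the thread, would hand the same credentialed access to any page that sets it; the exact-match allow-list is what keeps an arbitrary page from cancelling or triggering builds as the logged-in user.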

Comment 11 (Assignee, 8 years ago)

Created attachment 525793 [details] [diff] [review]
Add ControlHeaders middleware

Updated (Assignee, 8 years ago)
Attachment #525793 - Flags: review?(bear)

Updated (8 years ago)
Attachment #525793 - Flags: review?(bear) → review+

Comment 12 (Assignee, 8 years ago)

Comment on attachment 525793 [details] [diff] [review]
Add ControlHeaders middleware

http://hg.mozilla.org/build/buildapi/rev/529092a87932
Attachment #525793 - Flags: checked-in+

Updated (Assignee, 8 years ago)
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
Blocks: 649922
Product: mozilla.org → Release Engineering