
v2: CORS issues when reducing permissions #101

Open
Cimbali opened this issue Jan 29, 2023 · 1 comment
Comments

Cimbali (Owner) commented Jan 29, 2023

As seen in #100, but this also happens when trying to render GitLab pages: the combination of (1) an extension page and (2) not having full host privileges can cause the extension page to fail to fetch the markdown.

E.g. opening `ext+view-markdown:https://gitlab.com/gitlab-org/gitlab-foss/-/raw/master/doc/install/requirements.md` causes the following error, followed by a link to the docs page:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://gitlab.com/gitlab-org/gitlab-foss/-/raw/master/doc/install/requirements.md. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing). Status code: 200.

Here are the request and response headers for that page:

```text
https://gitlab.com/gitlab-org/gitlab-foss/-/raw/master/doc/install/requirements.md
Host: gitlab.com
User-Agent: <user agent>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: <cookie>
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
GET: HTTP/2.0 304 Not Modified
date: Sun, 29 Jan 2023 18:29:16 GMT
cache-control: max-age=60, public, must-revalidate, stale-while-revalidate=60, stale-if-error=300, s-maxage=60
content-disposition: inline
content-security-policy: base-uri 'self'; child-src https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com https://www.googletagmanager.com/ns.html https://*.zuora.com/apps/PublicHostedPageLite.do https://gitlab.com/admin/ https://gitlab.com/assets/ https://gitlab.com/-/speedscope/index.html https://gitlab.com/-/sandbox/ https://gitlab.com/assets/ blob: data:; connect-src 'self' https://gitlab.com wss://gitlab.com https://sentry.gitlab.net https://customers.gitlab.com https://snowplow.trx.gitlab.net https://sourcegraph.com snowplow.trx.gitlab.net; default-src 'self'; font-src 'self'; frame-ancestors 'self'; frame-src 'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-cloudresourcemanager.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://*.codesandbox.io https://customers.gitlab.com https://*.zuora.com/apps/PublicHostedPageLite.do; img-src * data: blob:; manifest-src 'self'; media-src 'self' data: http: https:; object-src 'none'; report-uri https://sentry.gitlab.net/api/105/security/?sentry_key=a42ea3adc19140d9a6424906e12fba86; script-src 'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.recaptcha.net/ https://apis.google.com https://*.zuora.com/apps/PublicHostedPageLite.do 'nonce-TkcXd3d4quEYg7ChmKQ4IQ=='; style-src 'self' 'unsafe-inline'; worker-src https://gitlab.com blob: data:; form-action 'self' https: http: http:
etag: "<hash>"
permissions-policy: interest-cohort=()
referrer-policy: strict-origin-when-cross-origin
x-content-type-options: nosniff
x-download-options: noopen
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-request-id: <hash>
x-runtime: 0.131158
x-ua-compatible: IE=edge
x-xss-protection: 1; mode=block
gitlab-lb: fe-30-lb-gprd
gitlab-sv: web-gke-us-east1-b
cf-cache-status: HIT
age: 12
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Bnt6muaiTZWkJxndIP82FcM3OHoClJbIxFkbqt4xDBLtDpYHwSJMZExV5kgOjcZyibqewwlP168MYXZNukFfGF3lcMe9vzgK1BjB3vMvSdY%2Fo%2FeD1ggNWgjGif5Qn1s2Zlohc8J2nGw%3D"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}
vary: Accept-Encoding
strict-transport-security: max-age=31536000
server: cloudflare
cf-ray: 791408493bf9dcbb-LHR
X-Firefox-Spdy: h2
```

This doesn’t happen when keeping all permissions, or when injecting into the page (i.e. without redirecting to an extension page) from the navigation bar button, because in both cases we have host permissions.

Cimbali (Owner, Author) commented Jan 29, 2023

Possible solutions could be:

  • abandon either one of the 2 improvements (at least by default)

  • dynamically ask users for permissions (or for in-page injection), on select hosts (with maybe an option to allow on all hosts too?)

    On the page that shows the error message, we could say the error is likely due to CORS, and offer buttons for:

    1. inject into the page for this domain
    2. inject into the page for all domains (effectively disabling the extension page by default)
    3. temporarily give host permissions for this domain (here gitlab.com)
    4. permanently give host permissions for this domain (here gitlab.com)
    5. permanently give host permissions for all domains
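The following is an added example, not code from the view-markdown extension, sketching options 3 and 4 above: an extension page fetches the markdown, recognises the CORS-style failure, and from a button click asks the user for a host permission scoped to that single origin before retrying. All function names are hypothetical; the fake `fetch` and `permissions` objects are constructed stand-ins for `fetch` and `browser.permissions` so the file runs offline under Node, and the URL is the gitlab.com one from the issue.

```javascript
// Added example (not the view-markdown project's code). Names are
// hypothetical; makeFakeFetch/makeFakePermissions are constructed
// stand-ins for fetch and browser.permissions so this runs under Node.

// Match pattern for one origin, the form browser.permissions.request
// expects in its `origins` array. In Firefox the origin must also be
// listed under optional_permissions in the manifest for the request to
// be grantable.
function originPatternFor(rawUrl) {
  const u = new URL(rawUrl);
  if (u.protocol !== "http:" && u.protocol !== "https:") {
    throw new Error(`cannot request a host permission for scheme ${u.protocol}`);
  }
  return `${u.protocol}//${u.host}/*`;
}

// fetch() reports a blocked cross-origin read as a bare TypeError with no
// status code, so a TypeError is the only hint that the failure is
// probably CORS (or a network error) rather than an HTTP error.
function isLikelyCorsFailure(err) {
  return err instanceof TypeError;
}

// Fetch the markdown; on a likely CORS failure return a descriptor the
// error page can turn into a "grant access to <host>" button instead of
// showing the raw browser error.
async function fetchMarkdown(url, fetchImpl) {
  try {
    const res = await fetchImpl(url);
    if (!res.ok) return { ok: false, reason: `HTTP ${res.status}` };
    return { ok: true, text: await res.text() };
  } catch (err) {
    if (isLikelyCorsFailure(err)) {
      return { ok: false, reason: "cors", origin: originPatternFor(url) };
    }
    throw err;
  }
}

// Called from the button's click handler: permissions.request rejects
// unless it runs inside a user gesture. `permissions` is browser.permissions
// in a real extension. Only the one origin is requested, never <all_urls>.
async function requestOriginAndRetry(url, permissions, fetchImpl) {
  const origin = originPatternFor(url);
  const granted = await permissions.request({ origins: [origin] });
  if (!granted) return { ok: false, reason: "denied", origin };
  return fetchMarkdown(url, fetchImpl);
}

// --- Constructed stand-ins for the browser APIs (not the real ones) ---

// Like fetch from an extension page without host permission: the
// cross-origin read fails with a TypeError until the origin is granted.
function makeFakeFetch(grantedOrigins) {
  return async (url) => {
    if (!grantedOrigins.has(originPatternFor(url))) {
      throw new TypeError("NetworkError when attempting to fetch resource.");
    }
    return { ok: true, status: 200, text: async () => "# Requirements\n" };
  };
}

// Like browser.permissions with a user who accepts or declines the prompt.
function makeFakePermissions(grantedOrigins, userAccepts) {
  return {
    async request({ origins }) {
      if (!userAccepts) return false;
      for (const o of origins) grantedOrigins.add(o);
      return true;
    },
  };
}

// Full round trip on the URL from the issue: the first fetch is blocked,
// the user is asked for https://gitlab.com/* only, then the fetch is retried.
async function simulate(userAccepts) {
  const granted = new Set();
  const url = "https://gitlab.com/gitlab-org/gitlab-foss/-/raw/master/doc/install/requirements.md";
  const first = await fetchMarkdown(url, makeFakeFetch(granted));
  if (first.ok) return { first, second: first };
  const second = await requestOriginAndRetry(
    url, makeFakePermissions(granted, userAccepts), makeFakeFetch(granted));
  return { first, second };
}

simulate(true).then((r) => console.log(JSON.stringify(r, null, 2)));
```

Scoping the request to `https://gitlab.com/*` keeps the permission set at what the user actually asked for, which is the point of the reduced-permission design; the "all domains" buttons would instead pass `<all_urls>` and give back the broad host access the change removed.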

@Cimbali Cimbali added the bug label Jan 29, 2023
Cimbali added a commit that referenced this issue Jun 8, 2023
Due to #101. However, keep:
- `ext+view-markdown:`
- (optional) reduction in permissions
- sandboxed iframe rendering