MozillaZine

Webextension XHR request issue

Talk about add-ons and extension development.
smellyfinger

User avatar
 
Posts: 26
Joined: January 11th, 2014, 9:54 am

Post Posted February 26th, 2017, 1:28 pm

From my addon's popup code I'm sending an XHR request to localhost using AngularJS with some headers. Like that:
Code: Select all
$http({
          method: "POST",
          url: "http://localhost:8000/path/to/api/",
          headers: {
            'Authorization': "stuff",
            'Accept': "application/json"
          },
          data: {
            addon_version: browser.runtime.getManifest().version
          }
        })

The server doesn't receive those headers and so the request doesn't work. The header names end up in Access-Control-Request-Headers header though so it has the value content-type,accept,authorization.
Now I've come over this page https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers which says that this is the preflight request.
My server is not configured for CORS and I have added host permission to access my localhost in manifest.json:
Code: Select all
"permissions": [
    "*://localhost:8000/*",
    "storage",
    "notifications"
  ]

So why does Firefox treat me like that?

lithopsian
 
Posts: 3635
Joined: September 15th, 2010, 9:03 am

Post Posted February 27th, 2017, 4:39 am

application/json triggers a preflight request. Using a content type such as text/plain will just send your request without first sending the preflight. Of course the server might not understand that it is JSON.

Presumably the preflight is failing because the server won't accept it? Perhaps OPTIONS is not one of the allowed http types?

smellyfinger

User avatar
 
Posts: 26
Joined: January 11th, 2014, 9:54 am

Post Posted February 28th, 2017, 9:07 pm

Thank you @lithopsian.
I think the Authorization header was the trigger for the preflight. It's still kind of strange that the browser treats all XHR requests from the addon as cross-origin with the same-origin concept maybe unrelated to the addon and also not mentioning that fact in the docs.
I'll have to configure my server for CORS then. That shouldn't be an issue but what origins should I allow?
The preflight sent from Firefox has the origin set to: 'moz-extension://e77d7dda-4ced-e948-8a43-20e899997f0c'.
Is that something I can depend on being the same value for my addon even with updates?

lithopsian
 
Posts: 3635
Joined: September 15th, 2010, 9:03 am

Post Posted March 1st, 2017, 1:29 pm

moz-extension: protocol landed in Firefox 42:
https://bugzilla.mozilla.org/show_bug.cgi?id=1161831

smellyfinger

User avatar
 
Posts: 26
Joined: January 11th, 2014, 9:54 am

Post Posted March 1st, 2017, 11:49 pm

Thanks.
From a comment in this page https://support.mozilla.org/t5/Firefox/ ... -p/1331402 (which I can't currently link to it directly), the value is machine-specific so I can't really use that in allowed origins. I'll try to find a workaround and maybe post here.

smellyfinger

User avatar
 
Posts: 26
Joined: January 11th, 2014, 9:54 am

Post Posted March 2nd, 2017, 1:39 am

I configured my server for CORS and now the preflight is going fine. The problem is that the browser is not following it with the actual POST I sent.
Here's a screenshot from Firefox devtools:
http://imgur.com/zvrQUSS

Only the OPTIONS preflight is sent on the left side. I also highlighted the response header on the right that effectively allows the moz-extension protocol.
Is that a bug in Firefox?

lithopsian
 
Posts: 3635
Joined: September 15th, 2010, 9:03 am

Post Posted March 2nd, 2017, 8:06 am

Apparently the UUID part of the URL is randomly generated for each browser instance to avoid the possibility of fingerprinting. Of course that in itself allows for fingerprinting but possibly less harmful?

Not sure why the post doesn't follow. Have you tried it with hard-coded data? Is there nothing in the error console?

smellyfinger

User avatar
 
Posts: 26
Joined: January 11th, 2014, 9:54 am

Post Posted March 2nd, 2017, 9:47 pm

There are no errors in the console. just a few warnings from angular.js file itself, not my code which i think don't matter. can the issue be with Firefox?

lithopsian
 
Posts: 3635
Joined: September 15th, 2010, 9:03 am

Post Posted March 3rd, 2017, 1:45 pm

Have you tried configuring the server (temporarily) to send back Access-Control-Allow-Origin: *. Maybe Firefox is taking the moz-extension header as a rejection.

Return to Extension Development


Who is online

Users browsing this forum: No registered users and 3 guests