Coala Online is broken due to CORS #282

Open
joeytwiddle opened this issue Jul 7, 2018 · 7 comments

@joeytwiddle

https://coala.io/#/coalaonline does not work due to the SOP security restrictions in browsers. This is bad for Coala marketing and therefore adoption!

# Chrome console:
Failed to load https://api.gitmate.io/coala_online/: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://coala.io' is therefore not allowed access. The response had HTTP status code 504.

# Firefox console:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://api.gitmate.io/coala_online/. (Reason: CORS header 'Access-Control-Allow-Origin' missing).

We can use CORS to get past these restrictions. (MDN, Wikipedia)

To do that, we must add some HTTP headers to the response provided from api.gitmate.io

Where is the code for that API server? (Is it here?)

@hemangsk
Member

hemangsk commented Jul 7, 2018

@joeytwiddle
Author

Thank you. I have posted an issue to that project: https://gitlab.com/gitmate/open-source/gitmate-2/issues/392

@Ishaan28malik
Member

Can I solve this issue? Please assign me this one.

@Mryashbhardwaj

The UI is not responding to the 200 response codes too.
I tried replicating the issue, but couldn't get CORS failures.

@joeytwiddle
Author

I took a look at the network requests a few weeks ago. They were different from when I reported this bug.

I think that something else is going wrong now! (The CORS issue might be fixed, not sure.)

@ryanleonbutler

I see this issue is still open, however I could not replicate the issue from my side. I see no CORS errors in the Console tab when using my Chrome Developer Tools.
See screenshot: [image: no_errors]

Further to this, it seems this asset is no longer available:
https://api.gitmate.io/coala_online

Just for clarity purposes, CORS has two types of requests, simple and complex. With reference to the former, you will note if the Origin header is present in the request, a successful request is made and the relevant CORS headers are returned in the response, for example:

$ curl -X GET -vLo /dev/null https://coala.io/#/coalaonline -H "Origin: coala.io"

...
< HTTP/2 200
< access-control-allow-origin: *
...

However, should we simulate a complex CORS request (when making PUT request), the browser actually makes a pre-flight request, using the OPTIONS HTTP method. If the correct headers are returned in the response for the pre-flight request, then the actual HTTP request is made, for example:

Simulated pre-flight check from the browser, using the OPTIONS method:
$ curl -X OPTIONS -vLo /dev/null https://coala.io/#/coalaonline -H "Origin: coala.io"

...
< HTTP/2 405
< access-control-allow-origin: *
...

You will note this time I get a 405 because the OPTIONS method is not allowed for this website, https://coala.io/#/coalaonline.

With the above in mind, it is possible that some website assets on this page at that time were performing complex CORS requests and that, for the destination host (https://api.gitmate.io/coala_online) serving the CORS request, the pre-flight check from the browser failed. The other possibility is that the host that is serving assets for any CORS requests simply does not have a CORS policy configured or is too restrictive.

Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS

Just my two cents :)

I presume we can close this issue then?

@joeytwiddle
Author

I don't think it makes sense to close the issue, because Coala Online is still not working.

Thanks for your examples @ryanleonbutler, although I think they should be targeting https://api.gitmate.io/coala_online/ since that is the API request that is failing.

But as you say, api.gitmate.io is offline at the moment. That's why we don't see any CORS error.

So the task now is to get api.gitmate.io restored, or something equivalent to it.
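
Added example (not part of the thread, and not coala or GitMate code): a simplified JavaScript model of the browser-side CORS checks discussed above, for requests made without credentials. It is run against responses constructed to match the 504 in the original report and the 405 preflight in the curl output; the function names and sample objects are assumptions made for illustration.

```javascript
// Added example: simplified CORS checks (no credentials). Samples are constructed.
const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);

// `headers` uses lower-case names. The match is an exact string comparison
// against the serialized origin (scheme + host), or the wildcard.
function originAllowed(headers, origin) {
  const acao = headers["access-control-allow-origin"];
  return acao === "*" || acao === origin;
}

// Check applied to the actual response, whatever its status code.
function checkResponse(res, origin) {
  return originAllowed(res.headers, origin)
    ? "ok"
    : `blocked: no matching Access-Control-Allow-Origin (HTTP ${res.status})`;
}

// Check applied to the answer to the OPTIONS preflight.
function checkPreflight(res, origin, method) {
  if (!originAllowed(res.headers, origin))
    return "blocked: preflight lacks a matching Access-Control-Allow-Origin";
  if (res.status < 200 || res.status > 299)
    return `blocked: preflight status ${res.status} is not 2xx`;
  const allowed = (res.headers["access-control-allow-methods"] || "")
    .split(",").map((m) => m.trim().toUpperCase());
  if (!SAFELISTED_METHODS.has(method) && !allowed.includes(method) && !allowed.includes("*"))
    return `blocked: ${method} not listed in Access-Control-Allow-Methods`;
  return "ok";
}

const ORIGIN = "https://coala.io"; // origin named in the console error

function runSamples() {
  return {
    // Gateway error page without CORS headers, as in the reported 504.
    gateway504: checkResponse({ status: 504, headers: {} }, ORIGIN),
    // Header present but preflight answered 405, as in the curl output.
    preflight405: checkPreflight(
      { status: 405, headers: { "access-control-allow-origin": "*" } }, ORIGIN, "PUT"),
    // Constructed passing preflight for comparison.
    preflightOk: checkPreflight({ status: 204, headers: {
      "access-control-allow-origin": ORIGIN,
      "access-control-allow-methods": "PUT, DELETE" } }, ORIGIN, "PUT"),
    // An Allow-Origin value without a scheme never equals a browser origin.
    bareHost: checkResponse(
      { status: 200, headers: { "access-control-allow-origin": "coala.io" } }, ORIGIN),
  };
}
console.log(runSamples());
```

The 504 case shows why an upstream gateway failure surfaces in the console as a CORS error: the error response itself carries no Access-Control-Allow-Origin header, so the browser blocks it before the page can read the status.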
