gateway redirect messes up CORS headers on firefox

[fahrradflucht]

Browser: Firefox 59.0.2
AddOn Version: IPFS Companion (RC1@fb21b6d) 2.2.0.8540 or IPFS Companion 2.1.0

Given this webpage:

<!DOCTYPE html>
<html>

<body>
    <button onclick="window.fetchFromPublicGateway()">Fetch from public gateway.</button>
    <button onclick="window.fetchFromLocalGateway()">Fetch from local gateway.</button>
    <script>
        window.fetchFromPublicGateway = () => {
            fetch("https://ipfs.io/ipfs/QmejvEPop4D7YUadeGqYWmZxHhLc4JBUCzJJHWMzdcMe2y")
                .then(res => res.text())
                .then(console.log)
                .catch(console.log)
        }

        window.fetchFromLocalGateway = () => {
            fetch("http://localhost:8080/ipfs/QmejvEPop4D7YUadeGqYWmZxHhLc4JBUCzJJHWMzdcMe2y")
                .then(res => res.text())
                .then(console.log)
                .catch(console.log)
        }
    </script>
</body>

</html>

when clicking on the public gateway button firefox will cancel the request and issue a same-origin-policy warning due to missing CORS headers even though the local gateway has the necessary CORS-headers set which can be checked clicking the other button (be sure to check which origin you are accessing the document when using the IPFS link).

I checked Chrome 65 for comparison and the issue isn't present.

[lidel]

Thank you for the sample app, it made reproducing it much easier 👍

Upon inspection of the onBeforeRequest hook Firefox indeed blocks XHR right after redirect:

Chrome does not block redirect, second call has updated url field:

I'll look into it this week.

[lidel]

It seems to be a bug in Firefox (see findings below).

I filled an upstream bug:

• https://bugzilla.mozilla.org/show_bug.cgi?id=1450965

Steps to Reproduce

I created a minimal PoC extension to confirm that the problem is not companion-specific: ipfs-companion-cors-issue-436-mvp.zip

1. Make sure IPFS Companion is disabled at about:addons (we don't want to have race conditions)
2. Load poc extension into Firefox and Chrome
3. Extension opens the test page at ipfs.io
   1. page provides two buttons for fetching the same resource from two different gateways: ipfs.io (the host used for loading test page) and ipfs.infura.io (3rd party host)
   2. the extension registers onBeforeRequest hook that redirects fetch for the resource from ipfs.infura.io to ipfs.io (this will trigger the bug)

Chrome: Success, No Error

Both buttons result in a successful fetch and This is a string downloaded via JS fetch being printed to the console:

Firefox: CORS Error

Only the first button results in a successful fetch, second button triggers CORS error.
Firefox blocks JS fetch due to CORS.

[Mithgol]

Note to self: for the same bogus reason Firefox prevents Pannellum from using IPFS-hosted images (rerouted by IPFS Companion) as WebGL textures.

[lidel]

Another thing that is broken by this issue: https://ipfs.github.io/public-gateway-checker/
(gateway checker got updated to opt-out from redirects since then)

[lidel]

Due to discrepancy between how Chrome and Firefox handle CORS validation in webRequest.onBeforeRequest context the upstream fix may take longer than expected.

To mitigate the situation, I decided to disable redirect for cross-origin XHRs that would fail anyway, restoring original functionality to websites impacted by this issue.

See PR #494 – it is an interesting edge case, so feedback would be appreciated.

[lidel]

Merged Firefox-only workaround from #494 and released it to beta channel as v2.3.0.9590 and stable as v2.3.1.
It no longer breaks valid websites. Will promote it to stable in a few days.

Let's keep this issue open until https://bugzilla.mozilla.org/show_bug.cgi?id=1450965 is closed.

[lidel]

To restore feature parity between browsers, I decided to enable gateway redirect for CORS XHRs in Firefox using late redirects at a price of small overhead. Details in PR #511.

[lidel]

Merged #511 and released to beta channel as v2.4.0.10190.
If no issues, we will promote it to stable in a few days.

[lidel]

According to https://bugzilla.mozilla.org/show_bug.cgi?id=1450965#c33 the bug will be fixed in Firefox 69.

I am reopening this, so we don't forget to remove workaround introduced in #511 when FF69 lands to the stable channel in September (2019-09-03 according to this page)

[KrasnayaPloshchad]

Firefox 69 is released.