ipfs · lidel · Nov 16, 2018 · Nov 16, 2018 · Nov 16, 2018
diff --git a/add-on/src/lib/ipfs-request.js b/add-on/src/lib/ipfs-request.js
@@ -22,6 +22,8 @@ const onHeadersReceivedRedirect = new Set()
 // API Details: https://developer.mozilla.org/en-US/Add-ons/WebExtensions/API/webRequest
 function createRequestModifier (getState, dnslinkResolver, ipfsPathValidator, runtime) {
   const browser = runtime.browser
+  const runtimeRoot = browser.runtime.getURL('/')
+  const webExtensionOrigin = runtimeRoot ? new URL(runtimeRoot).origin : 'null'
 
   // Ignored requests are identified once and cached across all browser.webRequest hooks
   const ignoredRequests = new LRU({ max: 128, maxAge: 1000 * 30 })
@@ -114,6 +116,35 @@ function createRequestModifier (getState, dnslinkResolver, ipfsPathValidator, ru
       }
 
       if (request.url.startsWith(state.apiURLString)) {
+        // '403 - Forbidden' fix for Chrome and Firefox
+        // --------------------------------------------
+        // We remove Origin header from requests made to API URL
+        // by js-ipfs-api running in WebExtension context to remove need
+        // for manual whitelisting Access-Control-Allow-Origin at go-ipfs
+        // More info:
+        // Chrome: https://github.com/ipfs-shipyard/ipfs-companion/pull/616
+        // Firefox: https://github.com/ipfs-shipyard/ipfs-companion/issues/622
+        const isWebExtensionOrigin = (origin) => {
+          // Chromium
+          if (origin == null || origin === 'null') {
+            return true
+          }
+          // Firefox Nightly 65 sets moz-extension://{extension-installation-id}
+          if (origin && origin.startsWith('moz-extension://') && new URL(origin).origin === webExtensionOrigin) {
+            return true
+          }
+          return false
+        }
+        for (let i = 0; i < request.requestHeaders.length; i++) {
+          let header = request.requestHeaders[i]
+          if (header.name === 'Origin' && isWebExtensionOrigin(header.value)) {
+            request.requestHeaders.splice(i, 1)
+            break
+          }
+        }
+
+        // Fix "http: invalid Read on closed Body"
+        // ----------------------------------
         // There is a bug in go-ipfs related to keep-alive connections
         // that results in partial response for ipfs.files.add
         // mangled by error "http: invalid Read on closed Body"
@@ -150,16 +181,6 @@ function createRequestModifier (getState, dnslinkResolver, ipfsPathValidator, ru
             request.requestHeaders.push(expectHeader)
           }
         }
-        // For some reason js-ipfs-api sends requests with "Origin: null" under Chrome
-        // which produces '403 - Forbidden' error.
-        // This workaround removes bogus header from API requests
-        for (let i = 0; i < request.requestHeaders.length; i++) {
-          let header = request.requestHeaders[i]
-          if (header.name === 'Origin' && (header.value == null || header.value === 'null')) {
-            request.requestHeaders.splice(i, 1)
-            break
-          }
-        }
       }
       return {
         requestHeaders: request.requestHeaders

diff --git a/test/functional/lib/ipfs-request-workarounds.test.js b/test/functional/lib/ipfs-request-workarounds.test.js
@@ -1,7 +1,7 @@
 'use strict'
 const { describe, it, before, beforeEach, after } = require('mocha')
 const { expect } = require('chai')
-const { URL } = require('url')
+const { URL } = require('url') // URL implementation with support for .origin attribute
 const browser = require('sinon-chrome')
 const { initState } = require('../../../add-on/src/lib/state')
 const createRuntimeChecks = require('../../../add-on/src/lib/runtime-checks')
@@ -18,6 +18,7 @@ describe('modifyRequest processing', function () {
   before(function () {
     global.URL = URL
     global.browser = browser
+    browser.runtime.getURL.withArgs('/').returns('moz-extension://0f334731-19e3-42f8-85e2-03dbf50026df/')
   })
 
   beforeEach(async function () {
@@ -45,6 +46,20 @@ describe('modifyRequest processing', function () {
     })
   })
 
+  describe('a request to <apiURL>/api/v0/ with Origin=moz-extension://{extension-installation-id}', function () {
+    it('should remove Origin header ', function () {
+      const bogusOriginHeader = { name: 'Origin', value: 'moz-extension://0f334731-19e3-42f8-85e2-03dbf50026df' }
+      const request = {
+        requestHeaders: [ bogusOriginHeader ],
+        type: 'xmlhttprequest',
+        url: `${state.apiURLString}api/v0/id`
+      }
+      modifyRequest.onBeforeRequest(request) // executes before onBeforeSendHeaders, may mutate state
+      expect(modifyRequest.onBeforeSendHeaders(request).requestHeaders).to.not.include(bogusOriginHeader)
+      browser.runtime.getURL.flush()
+    })
+  })
+
   describe('a request to <apiURL>/api/v0/ with Origin=null', function () {
     it('should remove Origin header ', function () {
       const bogusOriginHeader = { name: 'Origin', value: 'null' }