This repository has been archived by the owner on Aug 10, 2022. It is now read-only.

Cross-Origin Read Blocking warning with at least Chrome 73 & Firefox 66 #56

Closed
mbabker opened this issue Apr 4, 2019 · 20 comments

@mbabker
Contributor

mbabker commented Apr 4, 2019

Error trace similar to this:

Cross-Origin Read Blocking (CORB) blocked cross-origin response https://appscdn.joomla.org/webapps/index.php?format=json&option=com_apps&view=dashboard&product=Sm9vbWxhIQ==&release=My45&dev_level=NA==&list=grid&pv=Mi4wLjA= with MIME type application/json. See https://www.chromestatus.com/feature/5629709824032768 for more details.
send @ jquery.min.js?c8aac89f3316b44667cff50199517fb5:2
ajax @ jquery.min.js?c8aac89f3316b44667cff50199517fb5:2
Joomla.loadweb @ client.min.js?c8aac89f3316b44667cff50199517fb5:1
Joomla.apps.initialize @ client.min.js?c8aac89f3316b44667cff50199517fb5:1
(anonymous) @ index.php?option=com_installer:441
dispatch @ jquery.min.js?c8aac89f3316b44667cff50199517fb5:2
v.handle @ jquery.min.js?c8aac89f3316b44667cff50199517fb5:2
jquery.min.js?c8aac89f3316b44667cff50199517fb5:2

https://www.chromestatus.com/feature/5629709824032768
https://www.chromium.org/Home/chromium-security/extension-content-script-fetches

@anibalsanchez
Collaborator

I've been able to reproduce it, but in my case the issue seems to be related to https/http mixed content:

jquery.min.js?a37e3339bc56a48bacd13f943f521d9c:2 Mixed Content: The page at 'https://.../administrator/index.php?option=com_installer' was loaded over HTTPS, but requested an insecure script 'http://appscdn.joomla.org/webapps/index.php?format=json&option=com_apps&view=dashboard&product=Sm9vbWxhIQ==&release=My45&dev_level=NA==&list=grid&pv=MS4wLjU=&callback=jedapps_jsonpcallback'. This request has been blocked; the content must be served over HTTPS.

@mbabker
Contributor Author

mbabker commented Apr 4, 2019 via email

@toivo

toivo commented Apr 4, 2019

Just confirming that the URL in the request for the Install from Web dashboard works all right in Chrome v72.0.3626.121 and fails with two CORB messages in Firefox v66.0.2 but there is no report about mixed content:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://appscdn.joomla.org/webapps/index.php?format=json&option=com_apps&view=dashboard&product=Sm9vbWxhIQ==&release=My45&dev_level=NA==&list=grid&pv=Mi4wLjA=. (Reason: missing token ‘x-csrf-token’ in CORS header ‘Access-Control-Allow-Headers’ from CORS preflight channel).

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://appscdn.joomla.org/webapps/index.php?format=json&option=com_apps&view=dashboard&product=Sm9vbWxhIQ==&release=My45&dev_level=NA==&list=grid&pv=Mi4wLjA=. (Reason: CORS request did not succeed)

@mbabker
Contributor Author

mbabker commented Apr 4, 2019

I keep seeing OPTIONS requests in my network tab on Chrome's dev tools; nothing in the plugin should be executing that type of request, only GET. Maybe it's that OPTIONS request that's triggering the cross-origin problems?

@toivo

toivo commented Apr 4, 2019

Sorry, just realised that the issue was reported in Chrome v73 and I am using v72. Will test asap on the latest version.

@mbabker
Contributor Author

mbabker commented Apr 4, 2019

There were some changes in Chrome 73 around CORB so that's probably why you're not seeing it in 72 (I had to update from 72 to 73 last week because a client had gotten bitten by a bug introduced in 73, that was soooooooo fun).

mbabker changed the title from "Cross-Origin Read Blocking warning with Chrome 73" to "Cross-Origin Read Blocking warning with at least Chrome 73 & Firefox 66" on Apr 4, 2019
@mbabker
Contributor Author

mbabker commented Apr 4, 2019

@Webdongle and @webmaster-cepr pinging you in here too.

For anyone having this issue, if you change the REMOTE_URL constant in the 2.0 release or the $appsBaseUrl variable in the 1.x versions to http://appsserver.joomla.org/live/ (which bypasses the CDN), do you still have problems? I tried that on one site and I went from having an OPTIONS request blocked to a successful GET request and IFW showing up correctly. That could be an indicator there's some issue with the proxy between the CDN and the server it sits in front of.

I also changed the server's Access-Control-Allow-Methods header from GET to * and that didn't seem to help matters any.

For the record, all of this is going to be something independent of the updated plugin release. It just so happens the update is drawing attention to the plugin and the browser issue.

@zero-24 as you seem to be familiar with CORS and CSP and all that fun jazz, anything I'm missing here or any ideas?
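
An added sketch (not part of the thread and not the plugin's code) of the browser's CORS preflight decision. It shows why a GET carrying the `x-csrf-token` header named in the Firefox message quoted earlier produces an OPTIONS request, and why changing `Access-Control-Allow-Methods` has no effect on that failure. The function names and sample requests are constructed, and the model is simplified as noted in the comments; the page does not show where the client adds the header.

```javascript
// Simplified model of the Fetch standard's CORS preflight rules (added example).
// Assumptions: no credentials, Access-Control-Allow-Origin already matches,
// Range header and header-value length limits left out.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFE_HEADERS = new Set(['accept', 'accept-language', 'content-language']);
const SAFE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain']);

// Lower-cased names of request headers that are not CORS-safelisted.
function unsafeHeaders(headers) {
  return Object.entries(headers).filter(([name, value]) => {
    const n = name.toLowerCase();
    if (SAFE_HEADERS.has(n)) return false;
    if (n !== 'content-type') return true;
    return !SAFE_CONTENT_TYPES.has(value.split(';')[0].trim().toLowerCase());
  }).map(([name]) => name.toLowerCase());
}

// A preflight (OPTIONS) is sent for a non-safelisted method or header.
function needsPreflight(method, headers) {
  return !SAFE_METHODS.has(method.toUpperCase()) || unsafeHeaders(headers).length > 0;
}

function parseList(value) {
  return new Set((value || '').split(',').map(s => s.trim().toLowerCase()).filter(Boolean));
}

// Decide whether the preflight response (lower-cased header names) permits the request.
function checkPreflight(method, headers, response) {
  const allowMethods = parseList(response['access-control-allow-methods']);
  const allowHeaders = parseList(response['access-control-allow-headers']);
  const m = method.toUpperCase();
  // Safelisted methods such as GET pass whatever Allow-Methods says.
  if (!SAFE_METHODS.has(m) && !allowMethods.has(m.toLowerCase()) && !allowMethods.has('*')) {
    return { ok: false, reason: `method ${m} not allowed` };
  }
  const missing = unsafeHeaders(headers)
    .filter(h => !allowHeaders.has(h) && !allowHeaders.has('*'));
  if (missing.length) return { ok: false, reason: `missing header token: ${missing.join(', ')}` };
  return { ok: true, reason: 'preflight passed' };
}

// Constructed sample requests; the token value is a placeholder.
const plainGet = { Accept: 'application/json' };
const tokenGet = { Accept: 'application/json', 'X-CSRF-Token': 'constructed-value' };

console.log(needsPreflight('GET', plainGet), needsPreflight('GET', tokenGet));
console.log(checkPreflight('GET', tokenGet, { 'access-control-allow-methods': '*' }));
```

In this model the request passes either when the client stops sending the custom header on the cross-origin call or when the server lists it in `Access-Control-Allow-Headers`.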

@toivo

toivo commented Apr 4, 2019

I have confirmed that Chrome v73 works all right, and Microsoft Edge also displays the dashboard. Firefox and Internet Explorer give the Joomla connection error from the AJAX call.

@Webdongle

Webdongle commented Apr 4, 2019

@mbabker
..plugins\installer\webinstaller\webinstaller.php changed https://appscdn.joomla.org/webapps/ to http://appsserver.joomla.org/live/
No Avail. Still same error

Could the problem be with ff certificates?

@webmaster-cepr

> I have confirmed that Chrome v73 works all right, and Microsoft Edge also displays the dashboard. Firefox and Internet Explorer give the Joomla connection error from the AJAX call.

I also have confirmed changing REMOTE_URL works in Chrome v73 but still throws an error in Firefox v66.

@mbabker
Contributor Author

mbabker commented Apr 4, 2019

> No Avail. Still same error
>
> Could the problem be with ff certificates?

Were you testing on an HTTP site or HTTPS, because if it was the latter then things won't work. Mixed content. It worked where I was testing it because it's not an HTTPS backend.

Either way I think we've got the issue boiled down to browser security updates. So, we'll need to do some digging around and see how to either fix the server to keep things working or adjust the plugin to make connections work with the newer security features.

@Webdongle

I tested on wamp localhost http://localhost/j393/administrator/ j3.9.3 updated to j3.9.4

@toivo

toivo commented Apr 4, 2019

I tested with Joomla 3.9.4 on wamp localhost first and then on remote site that has an SSL certificate. Same results with the same browsers.

@felixkat

felixkat commented Apr 4, 2019

Had an issue on Joomla 3.9.4 after updating Install from Web 2.0.

The error was "Can't connect to the Joomla! server. Please try again later."

I fixed the issue by changing dataType: 'json', to dataType: 'jsonp',

\media\js\client.js - Line 57

Not sure if this is related.....

@Webdongle

Could that be a security risk?

@mbabker
Contributor Author

mbabker commented Apr 5, 2019

Apparently something changed between when I pushed 85f87e9 and now because I was trying to break away from needing jsonp support but apparently that's not happening. Update coming shortly.

@mbabker
Contributor Author

mbabker commented Apr 5, 2019

https://downloads.joomla.org/extensions/install-from-web/2-0-1

mbabker closed this as completed on Apr 5, 2019
@Webdongle

Test Joomla found the update. Have installed and now works. Thanks @mbabker for taking me seriously this time

@chris001

chris001 commented Jan 7, 2020

The newest "Install From Web plugin v 2.0.1" fails

  • J3.9.14,
  • Firefox 73.0b1 (latest).
  • Error message in browser: Can't connect to the Joomla! server. Please try again later.
  • Console error message:
Loading failed for the <script> with source “https://appscdn.joomla.org/webapps/index.php?format=json&opt…el=MTQ=&list=grid&pv=Mi4wLjE=&callback=jedapps_jsonpcallback”. index.php:1:1

@richard67

@chris001 Maybe you should open a new issue for that. Not sure if some of the maintainers will react to a comment on a closed issue.
