Page MenuHomePhabricator
Create Task
Maniphest T179113

Endpoints that 404 no longer have the "Access-Control-Allow-Origin" header
Closed, DuplicatePublic
Actions

Description

As of the past week or so, I've gotten multiple reports of Pageviews Analysis failing. I looked into it and it seems 404s returned by the API are now missing the "Access-Control-Allow-Origin" header. Normally Pageviews Analysis handles 404s gracefully, and just says "no data found". However now the request as a whole is being blocked by the browser, so the whole thing is erroring out. I can add a fix for this, but I assume this is some sort of bug or regression in the API?

Related Objects

Event Timeline

MusikAnimal created this task.Oct 26 2017, 8:11 PM
Restricted Application added a project: Analytics. · View Herald TranscriptOct 26 2017, 8:11 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
MusikAnimal renamed this task from Endpoints that 404 no longer have "Access-Control-Allow-Origin" header to Endpoints that 404 no longer have the "Access-Control-Allow-Origin" header.Oct 26 2017, 8:11 PM
MusikAnimal mentioned this in T175254: Userviews/Massviews halts if PageViews API fails.
MusikAnimal updated the task description. (Show Details)Oct 26 2017, 8:15 PM
MusikAnimal updated the task description. (Show Details)Oct 27 2017, 3:30 PM
Fuzzy subscribed.Oct 27 2017, 7:52 PM
Ottomata assigned this task to Milimetric.Oct 30 2017, 3:38 PM
Ottomata triaged this task as Medium priority.
Ottomata edited projects, added Analytics-Kanban; removed Analytics.
Milimetric moved this task from Next Up to In Progress on the Analytics-Kanban board.Oct 31 2017, 2:25 PM
Milimetric added a comment.EditedOct 31 2017, 2:43 PM

Verified that @MusikAnimal is right, the 404 responses no longer include a bunch of headers, including:

access-control-allow-methods:GET,HEAD
access-control-allow-origin:*
access-control-expose-headers:etag

And I do find these in the 200 responses. Looking into why this might be, I'll check out the changes to what's in front of AQS.

Example requests showing the problem:

https://wikimedia.org/api/rest_v1/metrics/pageviews/per-article/en.wikipedia/all-access/user/Cat/daily/2017101000/2017103000
https://wikimedia.org/api/rest_v1/metrics/pageviews/per-article/en.wikipedia/all-access/user/Catafragilisticexpialidocious/daily/2017101000/2017103000

Pchelolo added a project: Services (watching).Nov 1 2017, 5:24 PM
Pchelolo subscribed.
Nuria moved this task from In Progress to Paused on the Analytics-Kanban board.Nov 30 2017, 4:11 PM
Milimetric moved this task from Paused to In Progress on the Analytics-Kanban board.Dec 5 2017, 3:34 PM
Milimetric added a comment.Dec 5 2017, 3:52 PM

@Pchelolo I'm looking at this again. To recap, the CORS headers were being added by hyperswitch but this belonged in restbase so it was moved by this pull: https://github.com/wikimedia/hyperswitch/pull/60/files.

And now, restbase sets up this filter: https://github.com/wikimedia/restbase/blob/master/lib/security_response_header_filter.js and this gets configured like this https://github.com/wikimedia/restbase/search?utf8=%E2%9C%93&q=security_response_header_filter&type=

So I don't understand how the CORS headers are only added on 200 responses, but not on 404 responses. If this is happening to AQS, I would assume it's happening to everything behind restbase, no?

Pchelolo added a comment.Dec 6 2017, 7:37 PM

@Milimetric sorry for late response. Seems like it's a bug in RESTBase and it's happening for all the services behind it. See T182103

I will look into that ASAP

Milimetric added a subscriber: Nuria.Dec 6 2017, 7:41 PM

@Nuria I'm going to mark this done from our side, and when you close it, if you remember, just merge it into T182103 as a duplicate. Thank you.

Milimetric moved this task from In Progress to Done on the Analytics-Kanban board.Dec 6 2017, 7:41 PM
Milimetric added a comment.Dec 7 2017, 4:04 PM

Verified - everything has CORS now, thanks to @MusikAnimal for the report.

Pchelolo closed this task as Resolved.Dec 7 2017, 4:07 PM

Indeed thanks to @MusikAnimal. Resolving.

mobrovac closed this task as a duplicate of T182103: 404 responses do not specify CORS headers.Dec 7 2017, 4:11 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL