As of the past week or so, I've gotten multiple reports of Pageviews Analysis failing. I looked into it and it seems 404s returned by the API are now missing the "Access-Control-Allow-Origin" header. Normally Pageviews Analysis handles 404s gracefully, and just says "no data found". However now the request as a whole is being blocked by the browser, so the whole thing is erroring out. I can add a fix for this, but I assume this is some sort of bug or regression in the API?
Description
Related Objects
- Mentioned In
- T175254: Userviews/Massviews halts if PageViews API fails
- Mentioned Here
- T182103: 404 responses do not specify CORS headers
Event Timeline
Verified that @MusikAnimal is right, the 404 responses no longer include a bunch of headers, including:
access-control-allow-methods:GET,HEAD
access-control-allow-origin:*
access-control-expose-headers:etag
And I do find these in the 200 responses. Looking into why this might be, I'll check out the changes to what's in front of AQS.
Example requests showing the problem:
https://wikimedia.org/api/rest_v1/metrics/pageviews/per-article/en.wikipedia/all-access/user/Cat/daily/2017101000/2017103000
https://wikimedia.org/api/rest_v1/metrics/pageviews/per-article/en.wikipedia/all-access/user/Catafragilisticexpialidocious/daily/2017101000/2017103000
@Pchelolo I'm looking at this again. To recap, the CORS headers were being added by hyperswitch but this belonged in restbase so it was moved by this pull: https://github.com/wikimedia/hyperswitch/pull/60/files.
And now, restbase sets up this filter: https://github.com/wikimedia/restbase/blob/master/lib/security_response_header_filter.js and this gets configured like this https://github.com/wikimedia/restbase/search?utf8=%E2%9C%93&q=security_response_header_filter&type=
So I don't understand how the CORS headers are only added on 200 responses, but not on 404 responses. If this is happening to AQS, I would assume it's happening to everything behind restbase, no?
@Milimetric sorry for late response. Seems like it's a bug in RESTBase and it's happening for all the services behind it. See T182103
I will look into that ASAP