Page MenuHomePhabricator
Create Task
Maniphest T182103

404 responses do not specify CORS headers
Closed, ResolvedPublic
Actions

Description

All responses from RESTBase, even errors, should include Cross-Origin Resource Sharing headers so that unprivileged clients, such as browsers, can examine the responses. Currently cross-origin headers are set for successful responses but 404s do not specify any which, in the case of the browser Fetch API, causes them to appear as TypeErrors with little detail. See below in Chromium and Firefox (note the different URLs!):

OK

$ fetch('https://appservice.wmflabs.org/en.wikipedia.org/v1/page/mobile-sections/Nonexistent_title').then(console.log)
Response {type: "cors", url: "https://appservice.wmflabs.org/en.wikipedia.org/v1/page/mobile-sections/Nonexistent_title", redirected: false, status: 404, ok: false, …}

// Headers...
access-control-allow-headers:accept, x-requested-with, content-type
access-control-allow-origin:*
access-control-expose-headers:etag
content-encoding:gzip
content-security-policy:default-src 'self'; object-src 'none'; media-src *; img-src *; style-src *; frame-ancestors 'self'
content-type:application/json; charset=utf-8
date:Tue, 05 Dec 2017 14:59:53 GMT
server:nginx/1.13.6
status:404
vary:Accept-Encoding
x-content-security-policy:default-src 'self'; object-src 'none'; media-src *; img-src *; style-src *; frame-ancestors 'self'
x-content-type-options:nosniff
x-frame-options:SAMEORIGIN
x-webkit-csp:default-src 'self'; object-src 'none'; media-src *; img-src *; style-src *; frame-ancestors 'self'
x-xss-protection:1; mode=block

Missing CORS headers

$ fetch('https://en.wikipedia.org/api/rest_v1/page/mobile-sections/Nonexistent_title').then(console.log)
Uncaught (in promise) TypeError: Failed to fetch
GET https://en.wikipedia.org/api/rest_v1/page/mobile-sections/Nonexistent_title net::ERR_FAILED

// Headers...
age:0
cache-control:private, max-age=0, s-maxage=0, must-revalidate
content-encoding:gzip
content-length:170
content-location:https://en.wikipedia.org/api/rest_v1/page/mobile-sections/Nonexistent_title
content-type:application/problem+json
date:Tue, 05 Dec 2017 15:00:21 GMT
server:restbase1017
set-cookie:WMF-Last-Access-Global=05-Dec-2017;Path=/;Domain=.wikipedia.org;HttpOnly;secure;Expires=Sat, 06 Jan 2018 12:00:00 GMT
set-cookie:GeoIP=US:TN:Cordova:35.14:-89.77:v4; Path=/; secure; Domain=.wikipedia.org
set-cookie:WMF-Last-Access=05-Dec-2017;Path=/;HttpOnly;secure;Expires=Sat, 06 Jan 2018 12:00:00 GMT
set-cookie:CP=H2; Path=/; secure
status:404
strict-transport-security:max-age=106384710; includeSubDomains; preload
vary:Accept-Encoding
via:1.1 varnish-v4, 1.1 varnish-v4
x-analytics:https=1;nocookies=1
x-cache:cp1053 pass, cp1068 pass
x-cache-status:pass
x-client-ip:73.252.38.252
x-request-id:0398e947-d9cd-11e7-86d1-e1c75b48fb7a
x-varnish:481340269, 768463128

Fixing this bug should include adding a few tests. Something like:

it('Should fetch CORS headers even for missing pages on mobile-sections', () => {
    return preq.get({
        uri: `${server.config.bucketURL}/mobile-sections/Nonexistent_title`
    })
    .catch((res) => {
        assert.deepEqual(res.status, 404);
        assert.deepEqual(res.headers['access-control-allow-origin'], "\\*");
    });
});

Related Objects
Search...

Event Timeline

Niedzielski created this task.Dec 5 2017, 3:14 PM
Restricted Application added a project: Product-Infrastructure-Team-Backlog-Deprecated. · View Herald TranscriptDec 5 2017, 3:14 PM
Niedzielski mentioned this in T181900: Visiting a missing page causes a server error.Dec 5 2017, 3:19 PM
bearND added a project: Services.Dec 5 2017, 3:43 PM

Adding Services for team visibility.

Niedzielski moved this task from Needs Triage to Backlog (Priority Descending) on the Marvin board.Dec 5 2017, 4:32 PM
Pchelolo mentioned this in T179113: Endpoints that 404 no longer have the "Access-Control-Allow-Origin" header.Dec 6 2017, 7:37 PM
mobrovac edited projects, added Services (next); removed Services.Dec 6 2017, 7:44 PM
mobrovac subscribed.

Huh, this is likely happening because adding CORS is now a filter operation in RESTBase, but they are not obeyed for 4xx and 5xx responses.

Pchelolo subscribed.Dec 6 2017, 7:49 PM

Filters are executed for errors as well, but we mistakenly were only adding headers under .then and not .catch

MusikAnimal subscribed.Dec 6 2017, 7:55 PM
Stashbot subscribed.Dec 7 2017, 11:05 AM

Mentioned in SAL (#wikimedia-operations) [2017-12-07T11:05:35Z] <mobrovac@tin> Started deploy [restbase/deploy@097ba7d]: Add CORS headers to erroneous responses as well - T182103

Stashbot added a comment.Dec 7 2017, 11:10 AM

Mentioned in SAL (#wikimedia-operations) [2017-12-07T11:10:59Z] <mobrovac@tin> Finished deploy [restbase/deploy@097ba7d]: Add CORS headers to erroneous responses as well - T182103 (duration: 05m 24s)

mobrovac closed this task as Resolved.Dec 7 2017, 11:26 AM
mobrovac reassigned this task from Niedzielski to Pchelolo.
mobrovac triaged this task as Medium priority.
mobrovac edited projects, added Services (done), RESTBase-API; removed Services (next).

The fix has been deployed and verified. All public REST API responses have the CORS headers set now.

Niedzielski added a comment.Dec 7 2017, 3:04 PM

Thank you!

mobrovac merged a task: T179113: Endpoints that 404 no longer have the "Access-Control-Allow-Origin" header.Dec 7 2017, 4:11 PM
mobrovac added subscribers: Milimetric, Nuria, Fuzzy, Aklapper.
Fuzzy mentioned this in T175254: Userviews/Massviews halts if PageViews API fails.Jul 24 2018, 10:56 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL