Page MenuHomePhabricator
Create Task
Maniphest T249107

CORS errors on commons on debug servers
Closed, ResolvedPublic
Actions

Description

Steps to reproduce

  • look at an File page on commons in chrome with the WikimediaDebug plugin turned on, and pointed at one of the debug servers
  • click on 'structured data' tab
  • click into the 'items portrayed in this file' input box and type a word
  • look in console - you'll see errors like this
Access to XMLHttpRequest at 'https://www.wikidata.org/w/api.php?action=wbsearchentities&format=json&origin=https%3A%2F%2Fcommons.wikimedia.org&centralauthtoken=5dda404d53fb823bc91d5a3fe132f46d327a41e&search=q&language=en&uselang=en&type=item' from origin 'https://commons.wikimedia.org' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

This doesn't happen on production servers

Details

SubjectRepoBranchLines +/-
Whitelist X-Wikimedia-Debug header for cross-wiki API requestsoperations/mediawiki-configmaster+1 -0
Allow whitelisting custom headers in action API CORS logicmediawiki/coremaster+37 -17
Whitelist X-Wikimedia-Debug header for CORS media requestsoperations/puppetproduction+3 -2
Customize query in gerrit

Related Objects

Event Timeline

Cparle created this task.Apr 1 2020, 1:29 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 1 2020, 1:29 PM
RhinosF1 subscribed.Apr 1 2020, 1:30 PM
Reedy added projects: SRE, serviceops.Apr 1 2020, 1:30 PM
Tgr subscribed.EditedApr 1 2020, 2:55 PM

MediaViewer is also broken, due to a slightly different error:

Request header field x-wikimedia-debug is not allowed by Access-Control-Allow-Headers in preflight response.

To fix that, CORS preflight responses should have a Access-Control-Allow-Headers header with the value X-Wikimedia-Debug (it's a comma-separated list, if we are already whitelisting something else - I think the only case is Range headers for uploads), whenever the preflight request includes a Access-Control-Request-Headers header with that header name.

gerritbot added a comment.Apr 1 2020, 3:18 PM

Change 585252 had a related patch set uploaded (by Gergő Tisza; owner: Gergő Tisza):
[operations/puppet@production] Whitelist X-Wikimedia-Debug header for CORS media requests

https://gerrit.wikimedia.org/r/585252

gerritbot added a project: Patch-For-Review.Apr 1 2020, 3:18 PM
ema triaged this task as Medium priority.Apr 2 2020, 9:00 AM
gerritbot added a comment.Apr 2 2020, 9:06 AM

Change 585252 merged by Ema:
[operations/puppet@production] Whitelist X-Wikimedia-Debug header for CORS media requests

https://gerrit.wikimedia.org/r/585252

Maintenance_bot removed a project: Patch-For-Review.Apr 2 2020, 9:11 AM
gerritbot added a comment.Apr 2 2020, 1:26 PM

Change 585491 had a related patch set uploaded (by Gergő Tisza; owner: Gergő Tisza):
[mediawiki/core@master] Whitelist X-Wikimedia-Debug header for API CORS

https://gerrit.wikimedia.org/r/585491

gerritbot added a project: Patch-For-Review.Apr 2 2020, 1:26 PM
Tgr added a project: MediaWiki-Action-API.Apr 2 2020, 2:31 PM
Restricted Application added a project: Platform Engineering. · View Herald TranscriptApr 2 2020, 2:31 PM
Anomie moved this task from Unsorted to Needs Review on the MediaWiki-Action-API board.Apr 2 2020, 3:00 PM
Anomie edited projects, added Platform Team Workboards (External Code Reviews); removed Platform Engineering.
Anomie moved this task from External Code Review Needed to External Code Review In Progress on the Platform Team Workboards (External Code Reviews) board.
gerritbot added a comment.Apr 3 2020, 4:21 PM

Change 585779 had a related patch set uploaded (by Gergő Tisza; owner: Gergő Tisza):
[operations/mediawiki-config@master] Whitelist X-Wikimedia-Debug header for cross-wiki API requests

https://gerrit.wikimedia.org/r/585779

gerritbot added a comment.Apr 3 2020, 9:18 PM

Change 585491 merged by jenkins-bot:
[mediawiki/core@master] Allow whitelisting custom headers in action API CORS logic

https://gerrit.wikimedia.org/r/585491

ReleaseTaggerBot added a project: MW-1.35-notes (1.35.0-wmf.27; 2020-04-07).Apr 3 2020, 10:00 PM
gerritbot added a comment.Apr 6 2020, 11:05 AM

Change 585779 merged by jenkins-bot:
[operations/mediawiki-config@master] Whitelist X-Wikimedia-Debug header for cross-wiki API requests

https://gerrit.wikimedia.org/r/585779

Maintenance_bot removed a project: Patch-For-Review.Apr 6 2020, 11:10 AM
Stashbot added a comment.Apr 6 2020, 11:11 AM

Mentioned in SAL (#wikimedia-operations) [2020-04-06T11:11:32Z] <awight@deploy1001> Synchronized wmf-config/CommonSettings.php: SWAT: [[gerrit:585779| Whitelist X-Wikimedia-Debug header for cross-wiki API requests (T249107)]] (duration: 00m 59s)

Anomie moved this task from External Code Review In Progress to External Code Review Completed on the Platform Team Workboards (External Code Reviews) board.Apr 6 2020, 1:30 PM
Tgr closed this task as Resolved.Apr 9 2020, 9:54 AM
Tgr claimed this task.

The error can't be reproduced on Commons anymore.

Tgr mentioned this in T252826: Whitelist x-wikimedia-debug header field (currently not allowed by Access-Control-Allow-Headers in preflight response).Jun 8 2020, 12:03 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL