Cimbali/markdown-viewer

v2: CORS issues when reducing permissions

Cimbali opened this issue · 1 comments

As seen in #100, but also happens when trying to render gitlab pages, the combination of (1) an extension page and (2) not having full host privileges can cause the extension page to fail to fetch the markdown:

E.g. opening ext+view-markdown:https://gitlab.com/gitlab-org/gitlab-foss/-/raw/master/doc/install/requirements.md
This causes the following error, followed by a link to this docs page:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://gitlab.com/gitlab-org/gitlab-foss/-/raw/master/doc/install/requirements.md. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing). Status code: 200.

Here are the headers for that page:

https://gitlab.com/gitlab-org/gitlab-foss/-/raw/master/doc/install/requirements.md
Host: gitlab.com
User-Agent: <user agent>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: <cookie>
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
GET: HTTP/2.0 304 Not Modified
date: Sun, 29 Jan 2023 18:29:16 GMT
cache-control: max-age=60, public, must-revalidate, stale-while-revalidate=60, stale-if-error=300, s-maxage=60
content-disposition: inline
content-security-policy: base-uri 'self'; child-src https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com https://www.googletagmanager.com/ns.html https://*.zuora.com/apps/PublicHostedPageLite.do https://gitlab.com/admin/ https://gitlab.com/assets/ https://gitlab.com/-/speedscope/index.html https://gitlab.com/-/sandbox/ https://gitlab.com/assets/ blob: data:; connect-src 'self' https://gitlab.com wss://gitlab.com https://sentry.gitlab.net https://customers.gitlab.com https://snowplow.trx.gitlab.net https://sourcegraph.com snowplow.trx.gitlab.net; default-src 'self'; font-src 'self'; frame-ancestors 'self'; frame-src 'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-cloudresourcemanager.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://*.codesandbox.io https://customers.gitlab.com https://*.zuora.com/apps/PublicHostedPageLite.do; img-src * data: blob:; manifest-src 'self'; media-src 'self' data: http: https:; object-src 'none'; report-uri https://sentry.gitlab.net/api/105/security/?sentry_key=a42ea3adc19140d9a6424906e12fba86; script-src 'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.recaptcha.net/ https://apis.google.com https://*.zuora.com/apps/PublicHostedPageLite.do 'nonce-TkcXd3d4quEYg7ChmKQ4IQ=='; style-src 'self' 'unsafe-inline'; worker-src https://gitlab.com blob: data:; form-action 'self' https: http: http:
etag: "<hash>"
permissions-policy: interest-cohort=()
referrer-policy: strict-origin-when-cross-origin
x-content-type-options: nosniff
x-download-options: noopen
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-request-id: <hash>
x-runtime: 0.131158
x-ua-compatible: IE=edge
x-xss-protection: 1; mode=block
gitlab-lb: fe-30-lb-gprd
gitlab-sv: web-gke-us-east1-b
cf-cache-status: HIT
age: 12
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Bnt6muaiTZWkJxndIP82FcM3OHoClJbIxFkbqt4xDBLtDpYHwSJMZExV5kgOjcZyibqewwlP168MYXZNukFfGF3lcMe9vzgK1BjB3vMvSdY%2Fo%2FeD1ggNWgjGif5Qn1s2Zlohc8J2nGw%3D"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}
vary: Accept-Encoding
strict-transport-security: max-age=31536000
server: cloudflare
cf-ray: 791408493bf9dcbb-LHR
X-Firefox-Spdy: h2

This doesn’t happen when keeping all permissions, or when injecting into the page (i.e. without redirecting to an extension page) from the navigation bar button, because in both cases we have host permissions.

Possible solutions could be:

  • abandon either one of the 2 improvements (at least by default)

  • dynamically ask users for permissions (or for in-page injection), on select hosts (with maybe an option to allow on all hosts too?)

    On the page that shows the error message, we could say the error is likely due to CORS, and offer buttons for:

    1. inject into the page for this domain
    2. inject into the page for all domains (effectively disabling the extension page by default)
    3. temporarily give host permissions for this domain (here gitlab.com)
    4. permanently give host permissions for this domain (here gitlab.com)
    5. permanently give host permissions for all domains
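Added example (not the extension's own code) of how options 3 and 4 above could be wired up: the extension page detects the cross-origin block, asks for an optional host permission for the document's origin via the WebExtensions `permissions` API, and retries the fetch. `fetchImpl` and `permissionsApi` are injected so the logic runs outside a browser; in the extension they would be `fetch` and `browser.permissions`, and the host pattern must also be declared under `optional_permissions` in the manifest. `makeFakeBrowser` and the markdown body it returns are constructed stand-ins.

```javascript
// Turn a document URL into the match pattern a host permission is granted on.
function originPattern(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.hostname}/*`; // e.g. https://gitlab.com/*
}

// Fetch the markdown; a cross-origin block surfaces as a TypeError with no
// status, so on that error ask for the host permission and retry once.
async function fetchMarkdown(url, { fetchImpl, permissionsApi, temporary = false }) {
  const perm = { origins: [originPattern(url)] };
  try {
    return { text: await (await fetchImpl(url)).text(), requested: false };
  } catch (err) {
    if (!(err instanceof TypeError)) throw err; // not a CORS-style network failure
    if (!(await permissionsApi.contains(perm))) {
      // In a real extension this must run from a user gesture (the error page button).
      if (!(await permissionsApi.request(perm))) {
        throw new Error(`host permission for ${perm.origins[0]} denied`);
      }
    }
    try {
      return { text: await (await fetchImpl(url)).text(), requested: true };
    } finally {
      // Option 3: drop the grant again once this document has been fetched.
      if (temporary) await permissionsApi.remove(perm);
    }
  }
}

// Constructed stand-in for the browser: fetch fails with Firefox's TypeError
// unless the origin has been granted, like the blocked request in the issue.
function makeFakeBrowser({ userAccepts }) {
  const granted = new Set();
  const permissionsApi = {
    contains: async ({ origins }) => origins.every((o) => granted.has(o)),
    request: async ({ origins }) => {
      if (userAccepts) origins.forEach((o) => granted.add(o));
      return userAccepts;
    },
    remove: async ({ origins }) => { origins.forEach((o) => granted.delete(o)); return true; },
  };
  const fetchImpl = async (url) => {
    if (!granted.has(originPattern(url))) {
      throw new TypeError("NetworkError when attempting to fetch resource.");
    }
    return { text: async () => "# Requirements\n" }; // constructed markdown body
  };
  return { fetchImpl, permissionsApi, granted };
}
```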