[MV3] Firefox RPC access broken due to CORS
lidel opened this issue · 4 comments
Found during review of #1182
Something broke RPC API access in Firefox, requests get blocked by CORS, which suggests the Origin HTTP header override we do here no longer does its job and access to RPC port is not safelisted correctly.
My gut feeling is the cause is switching onBeforeRequest to async, but there could be another reason.
assigned to @whizzzkid
@whizzzkid one thing you could try is to register a separate, synchronous onBeforeRequest when the runtime supports blocking webRequest (blocking means you can modify headers).
This way you don't need to undo all the async/await refactoring you did for MV3, but we still should be able to fix up the Origin header in Firefox.
PS: worst case, if we can't make it work, we need to be pragmatic, given the browser market share and the fact MV2 works just fine: if you see there is too much work to make it work, we could keep Firefox on MV2 for now (create an mv2 branch from the last release).
@lidel well, actually I did not face it (to begin with). Upon further investigation, it's a bit more nuanced: the culprit is the new host_permissions and how browsers cannot agree on how to treat these, hence different browsers treat these differently; Firefox may treat these as optional, Chrome treats these as required. Which means this needs to be explicitly requested. This has changed since permissions: [ ..., "<all_urls>", ...] is no longer a thing.
Requesting permissions is also now a cumbersome process: the browser won't let us raise a request to grant perms from any script, it needs to explicitly come from a user-input action, which means we need to create an input event that explicitly calls the request, and then we can do anything with those perms.
Creating: #1250
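The two suggestions in this thread combined, as an added example that is not the project's own code: host access is requested from a click handler, and only then is a synchronous blocking listener registered that rewrites Origin for the extension's own RPC requests. Assumptions: `api` is the WebExtension namespace passed in by the caller, the RPC address is a constructed sample, headers are rewritten in `webRequest.onBeforeSendHeaders` (the event that exposes request headers), and a runtime that refuses `blocking` throws from `addListener`.

```javascript
// Added example, not project code. RPC address is a constructed sample value.
const RPC_ORIGIN = 'http://127.0.0.1:5001'
const RPC_PATTERN = `${RPC_ORIGIN}/*`

// Rewrite Origin only for requests the extension itself issued, so that web
// pages gain no extra access to the RPC port. originUrl is the Firefox field
// naming the document that triggered the request.
function makeOriginFixer (extensionBaseUrl, rpcOrigin) {
  return function fixOrigin (details) {
    const source = details.originUrl || ''
    if (!source.startsWith(extensionBaseUrl)) return {}
    const headers = details.requestHeaders
      .filter(h => h.name.toLowerCase() !== 'origin')
    headers.push({ name: 'Origin', value: rpcOrigin })
    return { requestHeaders: headers }
  }
}

// Register the synchronous listener, scoped to the RPC URL pattern only.
// Returns false when the runtime does not allow blocking webRequest.
function registerOriginFixer (api) {
  const fixer = makeOriginFixer(api.runtime.getURL(''), RPC_ORIGIN)
  try {
    api.webRequest.onBeforeSendHeaders.addListener(
      fixer, { urls: [RPC_PATTERN] }, ['blocking', 'requestHeaders'])
    return true
  } catch (err) {
    return false
  }
}

// Wire this to a button click. permissions.request() is called before any
// other asynchronous work so it still counts as coming from user input.
// Resolves to true only when access was granted and the listener registered.
function onGrantClick (api) {
  return api.permissions.request({ origins: [RPC_PATTERN] })
    .then(granted => granted && registerOriginFixer(api))
}
```

In an options page this would be attached as `button.addEventListener('click', () => onGrantClick(browser))`.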