
[Bug]: "Origin is not allowed to make this request" despite `Access-Control-Allow-Origin: *`

Open NatoBoram opened this issue 1 year ago • 2 comments

Requirements

  • [X] Is this a bug report? For questions or discussions use https://lemmy.ml/c/lemmy_support
  • [X] Did you check to see if this issue already exists?
  • [X] Is this only a single bug? Do not put multiple bugs in one issue.
  • [X] Is this a backend issue? Use the lemmy-ui repo for UI / frontend issues.

Summary

When making a GET request (e.g. https://lemmy.world/api/v3/site), if the origin is not the same as the hostname (lemmy.world), then we obtain an error.

Headers:

HTTP/2 400 Bad Request
server: nginx/1.18.0 (Ubuntu)
date: Tue, 04 Jul 2023 22:12:30 GMT
content-length: 42
vary: Origin, Access-Control-Request-Method, Access-Control-Request-Headers
access-control-allow-origin: *
access-control-allow-methods: GET, POST, PUT, OPTIONS
access-control-allow-headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range
access-control-expose-headers: Content-Length,Content-Range
X-Firefox-Spdy: h2

Body:

Origin is not allowed to make this request

As it stands, it's easy to make a client that works around this bug during SSR, but I'd like to deploy that on mobile devices or on static web servers like GitHub Pages.

Steps to Reproduce

  1. Press F12
  2. Click on "Console"
  3. Make a fetch request to some Lemmy instance
fetch("https://lemmy.world/api/v3/site")

Technical Details

N/A

Version

BE: 0.18.1-rc.4-11-gcf1c4dd7b

Lemmy Instance URL

lemmy.world

NatoBoram, Jul 04 '23 22:07

Won't this be solved by #3421?

geneccx, Jul 05 '23 16:07

@geneccx Correct, this is due to the default CORS implementation being quite restrictive.

This will be resolved once that PR is merged, which is currently undergoing review. A similar PR (https://github.com/LemmyNet/lemmy/pull/3408) was already approved for inclusion, but I closed it in favor of diamondburned's implementation, which should be ready soon™.

Zetaphor, Jul 05 '23 20:07

The problem appears to be that lemmy.world likely has incorrectly configured CORS headers in their reverse proxy, which is why they are sending two Access-Control-Allow-Origin headers, which is not allowed by browsers.

I'm unable to reproduce this on my lemmy instance for example with:

fetch("https://feddit.rocks/api/v3/site")

FireMasterK, Jul 07 '23 22:07
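The comment above says a second Access-Control-Allow-Origin header added by the reverse proxy is enough to make the browser reject the response even though each copy says `*`. The following is an added example, not code from this issue or from the Lemmy project: a small model of the CORS check that browsers run on a cross-origin response, as specified in the WHATWG Fetch standard, run against constructed header sets. The page origin `https://natoboram.github.io` is an assumed value standing in for a GitHub Pages site; the sample responses are constructed, not captured from lemmy.world.

```javascript
// Added example (not from the Lemmy issue or code base): a model of the
// browser-side CORS check from the WHATWG Fetch standard, used to show why a
// response can carry Access-Control-Allow-Origin and still be rejected.

// Headers are modelled as [name, value] pairs so that a duplicate header (one
// from the backend, one added by a reverse proxy) can be represented. As in
// Fetch's "get" algorithm, reading a header joins duplicate values with ", ".
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  const values = headers
    .filter(([n]) => n.toLowerCase() === wanted)
    .map(([, v]) => v.trim());
  return values.length === 0 ? null : values.join(", ");
}

// Returns { ok, reason }. `origin` is the requesting page's serialized origin
// (scheme://host[:port], no path). `credentials` is the fetch() credentials
// mode: "omit", "same-origin" or "include".
function corsCheck(headers, origin, credentials = "same-origin") {
  const allowOrigin = getHeader(headers, "Access-Control-Allow-Origin");
  if (allowOrigin === null) {
    return { ok: false, reason: "no Access-Control-Allow-Origin header" };
  }
  const includeCreds = credentials === "include";
  if (!includeCreds && allowOrigin === "*") {
    return { ok: true, reason: "wildcard accepted for a credential-less request" };
  }
  // Anything other than a lone "*" must equal the requester's origin
  // byte-for-byte. "*, *" (two headers) or "https://a, https://b" never match.
  if (allowOrigin !== origin) {
    return {
      ok: false,
      reason: `Allow-Origin "${allowOrigin}" does not match origin "${origin}"`,
    };
  }
  if (!includeCreds) {
    return { ok: true, reason: "origin matched" };
  }
  // Credentialed requests additionally need an exact, case-sensitive "true".
  const allowCreds = getHeader(headers, "Access-Control-Allow-Credentials");
  if (allowCreds !== "true") {
    return { ok: false, reason: "credentialed request needs Access-Control-Allow-Credentials: true" };
  }
  return { ok: true, reason: "origin matched and credentials allowed" };
}

// Constructed inputs (assumed page origin; header sets are not captured data).
const PAGE_ORIGIN = "https://natoboram.github.io";

// Backend alone: a single wildcard, as in the headers quoted in the issue.
const backendOnly = [["access-control-allow-origin", "*"]];

// Backend plus a reverse proxy that also adds its own wildcard. The browser
// reads "*, *", which is neither "*" nor the page's origin.
const proxyDuplicated = [
  ["access-control-allow-origin", "*"],
  ["access-control-allow-origin", "*"],
];

// Exact origin echo with credentials allowed: the only shape that works for a
// request sent with credentials: "include" (cookies or an auth header).
const exactOrigin = [
  ["access-control-allow-origin", PAGE_ORIGIN],
  ["access-control-allow-credentials", "true"],
];

// Runs the four cases a practitioner would want to compare side by side.
function demo() {
  return {
    single: corsCheck(backendOnly, PAGE_ORIGIN, "omit"),
    duplicate: corsCheck(proxyDuplicated, PAGE_ORIGIN, "omit"),
    wildcardWithCreds: corsCheck(backendOnly, PAGE_ORIGIN, "include"),
    exactWithCreds: corsCheck(exactOrigin, PAGE_ORIGIN, "include"),
  };
}

for (const [name, result] of Object.entries(demo())) {
  console.log(name.padEnd(18), result.ok ? "ALLOWED " : "BLOCKED ", result.reason);
}
```

Two practical consequences follow from the model. First, CORS headers should be emitted by exactly one layer: if the proxy adds its own `Access-Control-Allow-Origin`, the upstream copy must be dropped (in nginx, `proxy_hide_header Access-Control-Allow-Origin;` alongside the proxy's `add_header`), or the proxy's `add_header` removed so the backend's value passes through untouched. Second, a wildcard only works for requests without credentials; a client that sends a session cookie or `credentials: "include"` needs the server to echo its exact origin plus `Access-Control-Allow-Credentials: true`, which is also why "allow everything" is not a drop-in fix for authenticated API use. The model says nothing about the 400 in the original report, which was produced by the server before the browser's check ran.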

This issue is fixed, so I'll close it. Thanks to everyone who worked on #3421.

I'll slide a message to [email protected], I'm sure they'll fix it.

NatoBoram, Jul 07 '23 23:07