CORS Error in Firefox

Hi folks,

Today I upgraded XWiki 13.10.5 to 14.10.2. During the process I had to switch over to tomcat9 with openjdk-11.
Now I have several problems (in different topics).
One problem is the CORS error I get if I want to update extensions.

Quellübergreifende (Cross-Origin) Anfrage blockiert: Die Gleiche-Quelle-Regel verbietet das Lesen der externen Ressource auf https://xwiki01.virt.contoso.de/xwiki/bin/get/XWiki/ExtensionUpdater?extensionSection=progress&extensionId=org.xwiki.contrib.editortool%3Aeditor-tool-highlighting-ui&extensionVersion=4.6.1&extensionNamespace=&xback=%2Fxwiki%2Fbin%2Fget%2FXWiki%2FExtensionUpdater%3Fsection%3DXWiki.ExtensionUpdater&section=XWiki.ExtensionUpdater. (Grund: CORS-Anfrage schlug fehl). Statuscode: (null).

Similarly, I get an error in the red bar “Server not responding”. I already modified the web.xml without any luck.

I use an nginx reverse proxy config:

location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $server_name;
        proxy_set_header X-Scheme $scheme;
        proxy_redirect off;
        if (!-f $request_filename) {
            proxy_pass http://127.0.0.1:8080;
            break;
        }
   }

await fetch("https://xwiki01.virt.consoto.de/xwiki/bin/get/XWiki/ExtensionUpdater?extensionSection=progress&extensionId=org.xwiki.contrib.ldap%3Aldap-ui&extensionVersion=9.7.8&extensionNamespace=&xback=%2Fxwiki%2Fbin%2Fget%2FXWiki%2FExtensionUpdater%3Fsection%3DXWiki.ExtensionUpdater&section=XWiki.ExtensionUpdater", {
    "credentials": "omit",
    "headers": {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0",
        "Accept": "text/javascript, text/html, application/xml, text/xml, */*",
        "Accept-Language": "de,en-US;q=0.7,en;q=0.3",
        "X-Requested-With": "XMLHttpRequest",
        "X-Prototype-Version": "1.7.3",
        "Content-type": "application/x-www-form-urlencoded; charset=UTF-8",
        "Sec-Fetch-Dest": "empty",
        "Sec-Fetch-Mode": "cors",
        "Sec-Fetch-Site": "same-origin"
    },
    "method": "GET",
    "mode": "cors"
});

Could somebody help me?

What’s the actual URL of your wiki (vs. the one used by the extension manager)? I haven’t checked the code but I would be surprised if the extension manager would actually (intentionally) use cross-origin requests. My first guess would thus be that there is a problem with the configuration such that somehow the wrong host is used.

It seems XWiki switches between http and https. The FQDN is the same.

Gemischte (unsichere) aktive Inhalte von "http://xwiki01.virt.contoso.de/xwiki/bin/get/XWiki/ExtensionUpdater?extensionSection=progress&extensionId=org.xwiki.contrib.ldap%3Aldap-ui&extensionVersion=9.7.8&extensionNamespace=&xback=%2Fxwiki%2Fbin%2Fadmin%2FXWiki%2FXWikiPreferences%3Feditor%3Dglobaladmin%26section%3DXWiki.ExtensionUpdater&section=XWiki.ExtensionUpdater" werden auf einer sicheren Seite geladen

Gemischte (unsichere) aktive Inhalte von "http://xwiki01.virt.contoso.de/xwiki/bin/login/XWiki/XWikiLogin;jsessionid=CE42EECEB44ED628F2F39FAB58DB5B4E?srid=cLXPZles&xredirect=%2Fxwiki%2Fbin%2Fget%2FXWiki%2FExtensionUpdater%3FextensionSection%3Dprogress%26extensionId%3Dorg.xwiki.contrib.ldap%253Aldap-ui%26extensionVersion%3D9.7.8%26extensionNamespace%3D%26xback%3D%252Fxwiki%252Fbin%252Fadmin%252FXWiki%252FXWikiPreferences%253Feditor%253Dglobaladmin%2526section%253DXWiki.ExtensionUpdater%26section%3DXWiki.ExtensionUpdater%26srid%3DcLXPZles" werden auf einer sicheren Seite geladen

Quellübergreifende (Cross-Origin) Anfrage blockiert: Die Gleiche-Quelle-Regel verbietet das Lesen der externen Ressource auf https://xwiki01.virt.contoso.de/xwiki/bin/get/XWiki/ExtensionUpdater?extensionSection=progress&extensionId=org.xwiki.contrib.ldap%3Aldap-ui&extensionVersion=9.7.8&extensionNamespace=&xback=%2Fxwiki%2Fbin%2Fadmin%2FXWiki%2FXWikiPreferences%3Feditor%3Dglobaladmin%26section%3DXWiki.ExtensionUpdater&section=XWiki.ExtensionUpdater. (Grund: Externe Weiterleitung der CORS-Anfrage verboten).

Quellübergreifende (Cross-Origin) Anfrage blockiert: Die Gleiche-Quelle-Regel verbietet das Lesen der externen Ressource auf https://xwiki01.virt.contoso.de/xwiki/bin/get/XWiki/ExtensionUpdater?extensionSection=progress&extensionId=org.xwiki.contrib.ldap%3Aldap-ui&extensionVersion=9.7.8&extensionNamespace=&xback=%2Fxwiki%2Fbin%2Fadmin%2FXWiki%2FXWikiPreferences%3Feditor%3Dglobaladmin%26section%3DXWiki.ExtensionUpdater&section=XWiki.ExtensionUpdater. (Grund: CORS-Anfrage schlug fehl). Statuscode: (null).

Could you try forcing XWiki to generate https URLs? My understanding is that this should be possible by enabling the “secure” option in the wiki descriptor(s) that you can access using the wiki manager (click on “wiki index” in the drawer and then the edit link of the wiki). If it doesn’t work, you can also try the xwiki.url.protocol option in xwiki.cfg.

My understanding of these messages is that the extension manager is requesting a resource using http, which again triggers a redirect to the login page (as the cookies are probably invalid) which possibly triggers a redirect to an external site, that’s probably where the CORS error comes from.

I set the attribute “Secure SSL” to yes in the wiki properties. No luck. These are the settings in the xwiki.cfg

#-# The domain name to use when creating URLs to the default wiki. If set, the generated URLs will point to this server
#-# instead of the requested one. It should contain schema, domain and (optional) port, and the trailing /. For example:
#-# xwiki.home=http://www.xwiki.org/
#-# xwiki.home=http://wiki.mycompany.net:8080/
# xwiki.home=

#-# The name of the default URL factory that should be used.
# xwiki.urlfactory.serviceclass=com.xpn.xwiki.web.XWikiURLFactoryServiceImpl

#-# The default protocol to use when generating an external URL. Can be overwritten in the wiki descriptor ("secure" property).
#-# If not set, the following is used:
#-#   * during client request for the current wiki: the protocol from the URL used by the client
#-#   * for a different wiki or during background tasks (mails, etc.): information come from the wiki descriptor (also fallback on main wiki)
#-# For example:
#-# xwiki.url.protocol=https
xwiki.url.protocol=https
#-# The name of the webapp to use in the generated URLs. If not specified, the value is extracted from the request URL
#-# and thus it's generally not required to set it. However if you're deploying XWiki as ROOT in your Servlet Container
#-# and you're using XWiki 6.2.8+/6.4.3+/7.0+ you must set it to an empty value as otherwise the code cannot guess it.
#-# Note that not setting this property seemed to work on previous versions when deploying as ROOT but it was actually
#-# leading to errors from time to time, depending on what URL was used when doing the first request on the XWiki
#-# instance.
#-# For example:
#-# xwiki.webapppath=xwiki
xwiki.webapppath=xwiki
#-# The default servlet mapping name to use in the generated URLs. The right value is taken from the request URL,
#-# preserving the requested servlet mapping, so setting this is not recommended in most cases. If set, the value should
#-# contain a trailing /, but not a leading one. For example:
#-# xwiki.servletpath=bin/
# xwiki.servletpath=
#-# Whether the /view/ part of the URL should be included if the target action is 'view'.
# xwiki.showviewaction=1
#-# The name of the default space. This is displayed when the URL specifies a document, but not a space, or neither.
# xwiki.defaultweb=Main
#-# The name of the default page of a space. This is displayed when the URL specifies a space, but not a document, or
#-# neither.
# xwiki.defaultpage=WebHome
#-# Hide the /WebHome part of the URL when the document is the default one. Use 0 to hide, 1 to show.
# xwiki.usedefaultaction=0

#-# [Since 4.0RC1]
#-# Indicate if the URL used in HTTPSevlet#sendRedirect should be made absolute by XWiki or left to application server.
#-# Sending absolute URLs is a bad practice and generally not needed. This option is mostly here as retro-compatibility
#-# switch and you should always make sure to properly configure your application server or any proxy behind it before
#-# using this.
#-# 0: send relative URLs (the default)
#-# 1: send absolute URLs
# xwiki.redirect.absoluteurl=0

Please also try setting xwiki.home to the URL of your XWiki installation, i.e., http://xwiki01.virt.contoso.de/. In theory all of this shouldn’t be necessary and I’ve had a short look at the code and it should do the right thing. There is one source of error which is if the very first request to the wiki is not through the reverse proxy or with a different protocol, as, from what I understand, the URL from the first request is stored.

I will try.

Now I get CORS errors even when editing wiki pages.

Gemischte (unsichere) aktive Inhalte von “http://xwiki01.virt.contoso.de/xwiki/wiki/datacenter/lock/Main/WebHome?ajax=1&action=edit&language=de” werden auf einer sicheren Seite geladen

Gemischte (unsichere) aktive Inhalte von “http://xwiki01.virt.contoso.de/xwiki/wiki/datacenter/login/XWiki/XWikiLogin;jsessionid=2772713EA1941E86263BB025C5055750?srid=2Nf7rbLg&xredirect=%2Fxwiki%2Fwiki%2Fdatacenter%2Flock%2FMain%2FWebHome%3Fajax%3D1%26action%3Dedit%26language%3Dde%26srid%3D2Nf7rbLg” werden auf einer sicheren Seite geladen

Quellübergreifende (Cross-Origin) Anfrage blockiert: Die Gleiche-Quelle-Regel verbietet das Lesen der externen Ressource auf https://xwiki01.virt.contoso.de/xwiki/wiki/datacenter/lock/Main/WebHome?ajax=1&action=edit&language=de. (Grund: Externe Weiterleitung der CORS-Anfrage verboten).

Quellübergreifende (Cross-Origin) Anfrage blockiert: Die Gleiche-Quelle-Regel verbietet das Lesen der externen Ressource auf https://xwiki01.virt.contoso.de/xwiki/wiki/datacenter/lock/Main/WebHome?ajax=1&action=edit&language=de. (Grund: CORS-Anfrage schlug fehl). Statuscode: (null).

I think I made an error, you need to set https://xwiki01.virt.contoso.de/ of course, not http://xwiki01.virt.contoso.de/, sorry.

I got these errors before I modified the xwiki.home attribute.

Even with the new attribute I get these errors.


I may have found the problem. It was within the NGINX config.

I added the following parameters from here:
https://gist.github.com/Stanback/7145487?permalink_comment_id=2824437#gistcomment-2824437

At the moment I am checking my environment.

These requests really shouldn’t be cross-origin requests as long as you have one wiki on one domain.
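
The diagnosis discussed in this thread (an http URL generated for a page served over https, followed by a login redirect) can be checked mechanically. The following is an added example, not part of the original posts and not XWiki code: it classifies each URL of a request chain against the origin of the page; hosts and paths come from the console messages above, while the shortened query strings, the hop order and the function names are assumptions.

```javascript
// Added example, not XWiki code. Hosts and paths are taken from the console
// messages in this thread; query strings are shortened and the hop order is
// an assumption made for illustration.

// Compare a request URL with the origin (scheme + host + port) of the page.
function classifyRequest(pageUrl, requestUrl) {
  const page = new URL(pageUrl);
  const req = new URL(requestUrl, page); // relative URLs resolve against the page
  if (req.origin === page.origin) return "same-origin";
  const downgrade = page.protocol === "https:" && req.protocol === "http:";
  // Same host over http is still a different origin, and active mixed content.
  if (downgrade && req.hostname === page.hostname) return "scheme-downgrade";
  return downgrade ? "mixed-content-other-host" : "cross-origin";
}

// Walk a request and its redirects; report the first hop that leaves the
// page origin, or null when every hop stays on it.
function firstOffOriginHop(pageUrl, chain) {
  for (let i = 0; i < chain.length; i++) {
    const verdict = classifyRequest(pageUrl, chain[i]);
    if (verdict !== "same-origin") return { hop: i, url: chain[i], verdict };
  }
  return null;
}

// Constructed sample: the admin page and the ExtensionUpdater request chain.
const PAGE = "https://xwiki01.virt.contoso.de/xwiki/bin/admin/XWiki/XWikiPreferences";
const CHAIN = [
  "https://xwiki01.virt.contoso.de/xwiki/bin/get/XWiki/ExtensionUpdater?extensionSection=progress",
  "http://xwiki01.virt.contoso.de/xwiki/bin/get/XWiki/ExtensionUpdater?extensionSection=progress",
  "http://xwiki01.virt.contoso.de/xwiki/bin/login/XWiki/XWikiLogin",
];

console.log(firstOffOriginHop(PAGE, CHAIN));
```

A "scheme-downgrade" verdict on a redirect hop means the backend is building absolute http URLs for a site that browsers reach over https, which is the condition the replies above try to correct with the "secure" wiki descriptor option, xwiki.url.protocol and xwiki.home.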