Igalia / wolvic

A fast and secure browser for standalone virtual-reality and augmented-reality headsets.
https://wolvic.org
Mozilla Public License 2.0

CORS errors on same origin inconsistent with other browsers (Same Origin Policy) #1097

Open bbohlender opened 11 months ago

bbohlender commented 11 months ago

Configuration

Wolvic version: 1.5.1

Wolvic build ID: 220

Hardware: Quest 3 (1.5.1), Lynx R1 (1.4.1)

Steps to Reproduce

  1. Open this codesandbox: https://codesandbox.io/s/natuerlich-placing-objects-3q74pk?file=/src/app.tsx

Current Behavior

CORS errors cause the sandbox to not load required dependencies making the code in the sandbox not execute.

Expected Behavior

The CORS errors shouldn't occur because all failing requests are going to the same origin as the website the user is currently on "codesandbox.io".

Error Logs and Stack Traces

Error trace in the developer console:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://codesandbox.io/static/js/vendors~app~sandbox.2af357fad.chunk.js. (Reason: CORS request did not succeed). Status code: (null).
EloiStree commented 11 months ago

As proposed to Bela, you can ping me on the Lynx Discord if you need a Lynx R1 to run tests on the topic: https://discord.gg/mRkY22SMtv Ping tag: @EloiStree

Hoping to help.

HollowMan6 commented 11 months ago

Looks like it's caused by the User-Agent string, switching to Desktop mode fixes this issue, although I get a slow script warning and it actually takes a lot of time to get everything loaded.

PR #1012 allows setting desktop mode as the default and it can help mitigate the issue a little bit.


HollowMan6 commented 11 months ago

Related issue https://github.com/Igalia/wolvic/issues/498#issuecomment-1444834946

svillar commented 11 months ago

If it's a UA issue then the fix is just to add another UA override for that page.

HollowMan6 commented 11 months ago

The problem gets more interesting here. Looks like it's not purely because of the UA issue, as I added a new entry to https://github.com/Igalia/wolvic/blob/main/app/src/main/assets/desktopModeOverrides.json:

"642595a3b6ae3bfc06de1c8b88f8ced91c5f4b60b48282bbce7d433d03eaf512715f17c5e1e592e283bca0437ff5ba441275c735ae49cbe26c8565e63d36f6be": "CodeSandbox.io"

Then it's still the same CORS error, although I can see the website starts loading with desktop mode by default.

So looks like it's fixable only after the user manually switches the UA mode, unrelated to what kind of UA the user is currently in.

HollowMan6 commented 11 months ago

Upgrading to the latest gecko version still doesn't fix this issue, and I can't reproduce the issue on Firefox Android either...

Now I finally found out what's going on here. It's caused by the cache again, just like #353 ... Maybe we should really introduce some mechanism to bypass cache for some specific website, just like what we have for UA. (update: Looks like we can't control the geckoview behavior if we want to bypass some specific pages)

svillar commented 11 months ago

> Upgrading to the latest gecko version still doesn't fix this issue, and I can't reproduce the issue on Firefox Android either...
>
> Now I finally found out what's going on here. It's caused by the cache again, just like #353 ... Maybe we should really introduce some mechanism to bypass cache for some specific website, just like what we have for UA. (update: Looks like we can't control the geckoview behavior if we want to bypass some specific pages)

Hmm, how can the HTTP cache cause this? I don't get that. Also, how is it different from what FF Android does? There should be none...

HollowMan6 commented 11 months ago

> Hmm, how can the HTTP cache cause this? I don't get that. Also, how is it different from what FF Android does? There should be none...

I don't know ... It's weird enough that we have #353 already and it's not reproducible in Firefox Android either ... I guess something nasty must have happened in our code base that abuses the cache somehow, although I still can't find that out. Anyway, I think a temporary workaround is that we can create a list of websites just like what we do for UA override, and reload the page with the no-cache flag when we try to load the page.

svillar commented 11 months ago

Cannot reproduce it anymore using 1.5.1. Could you confirm?

HollowMan6 commented 11 months ago

> Cannot reproduce it anymore using 1.5.1. Could you confirm?

It's still reproducible at least on my side. I guess it's because it's your first load and the cache already expired, you can reload the page (remember to disable "bypass cache on reload" in settings) when you find the page works, and then you can reproduce it again.

javifernandez commented 7 months ago

Trying with Wolvic 1.6 on Quest2; the CORS errors I'm getting are different to the ones originally reported:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://cdn.jsdelivr.net/npm/react@18.2.0/jsx-runtime.js. (Reason: CORS request did not succeed). Status code: (null).
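A triage sketch for the console messages quoted in this thread, added here as an example (not code from Wolvic or from any commenter): it parses Gecko's "Cross-Origin Request Blocked" line and compares the blocked URL with the page origin. Firefox documents the reason "CORS request did not succeed" as a network- or protocol-level failure rather than a header check; the function names, verdict labels and the third sample line are assumptions made for this example.

```javascript
// Added example (not Wolvic code): triage Gecko "Cross-Origin Request Blocked"
// console lines against the origin of the page that issued the requests.
const BLOCKED_RE = new RegExp(
  "Cross-Origin Request Blocked: The Same Origin Policy disallows reading " +
  "the remote resource at (\\S+?)\\. \\(Reason: ([^)]*)\\)\\." +
  "(?: Status code: (\\(null\\)|\\d+)\\.)?"
);

// Page URL and the first two messages are quoted from the thread; the third
// line is constructed here to show a header-level rejection for contrast.
const PAGE_URL =
  "https://codesandbox.io/s/natuerlich-placing-objects-3q74pk?file=/src/app.tsx";
const PREFIX = "Cross-Origin Request Blocked: The Same Origin Policy " +
  "disallows reading the remote resource at ";
const SAMPLES = [
  PREFIX + "https://codesandbox.io/static/js/vendors~app~sandbox.2af357fad.chunk.js." +
    " (Reason: CORS request did not succeed). Status code: (null).",
  PREFIX + "https://cdn.jsdelivr.net/npm/react@18.2.0/jsx-runtime.js." +
    " (Reason: CORS request did not succeed). Status code: (null).",
  PREFIX + "https://api.example.test/data.json." +
    " (Reason: CORS header ‘Access-Control-Allow-Origin’ missing). Status code: 200.",
];

// Returns null for lines that are not a blocked-request message.
function triage(line, pageUrl) {
  const m = BLOCKED_RE.exec(line);
  if (!m) return null;
  const url = m[1];
  const reason = m[2];
  const status = m[3] === undefined || m[3] === "(null)" ? null : Number(m[3]);
  const sameOrigin = new URL(url).origin === new URL(pageUrl).origin;
  // No HTTP status plus this reason means the request never completed,
  // so the server's CORS headers were never evaluated.
  const networkLevel = reason === "CORS request did not succeed" && status === null;
  const verdict = networkLevel
    ? (sameOrigin ? "network-failure-same-origin" : "network-failure-cross-origin")
    : "cors-check-rejected";
  return { url, reason, status, sameOrigin, verdict };
}

for (const line of SAMPLES) {
  const r = triage(line, PAGE_URL);
  console.log(r.verdict, r.url);
}
```

A same-origin URL with a network-level verdict points triage at transport or cache state rather than at the server's CORS headers.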

javifernandez commented 7 months ago

> Trying with Wolvic 1.6 on Quest2; the CORS errors I'm getting are different to the ones originally reported:
>
> Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://cdn.jsdelivr.net/npm/react@18.2.0/jsx-runtime.js. (Reason: CORS request did not succeed). Status code: (null).

Subsequent trials lead to the CORS report originally reported:

W [JavaScript Warning: "