coala / landing-frontend

coala Landing Page - https://gitlab.com/coala/landing is needed as backend
https://coala.io/
GNU Affero General Public License v3.0

Coala Online is broken due to CORS #282

Open joeytwiddle opened 6 years ago

joeytwiddle commented 6 years ago

https://coala.io/#/coalaonline does not work due to the SOP security restrictions in browsers. This is bad for Coala marketing and therefore adoption!

# Chrome console:
Failed to load https://api.gitmate.io/coala_online/: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://coala.io' is therefore not allowed access. The response had HTTP status code 504.

# Firefox console:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://api.gitmate.io/coala_online/. (Reason: CORS header 'Access-Control-Allow-Origin' missing).

We can use CORS to get past these restrictions. (MDN, Wikipedia)

To do that, we must add some HTTP headers to the response provided from api.gitmate.io

Where is the code for that API server? (Is it here?)

hemangsk commented 6 years ago

It's here: https://gitlab.com/gitmate/open-source/gitmate-2/

joeytwiddle commented 6 years ago

Thank you. I have posted an issue to that project: https://gitlab.com/gitmate/open-source/gitmate-2/issues/392

Ishaan28malik commented 6 years ago

Can I solve this issue? Please assign this one to me.

Mryashbhardwaj commented 6 years ago

The UI is not responding to the 200 response codes either. I tried replicating the issue, but couldn't get CORS failures.

joeytwiddle commented 6 years ago

I took a look at the network requests a few weeks ago. They were different from when I reported this bug.

I think that something else is going wrong now! (The CORS issue might be fixed, not sure.)

ryanleonbutler commented 5 years ago

I see this issue is still open, however I could not replicate the issue from my side. I see no CORS errors in the Console tab when using my Chrome Developer Tools. See screenshot.

Further to this, it seems this asset is no longer available: https://api.gitmate.io/coala_online

Just for clarity purposes, CORS has two types of requests, simple and complex. With reference to the former, you will note that if the Origin header is present in the request, a successful request is made and the relevant CORS headers are returned in the response, for example:

$ curl -X GET -vLo /dev/null https://coala.io/#/coalaonline -H "Origin: coala.io"

...
< HTTP/2 200
< access-control-allow-origin: *
...

However, should we simulate a complex CORS request (when making a PUT request), the browser actually makes a pre-flight request using the OPTIONS HTTP method. If the correct headers are returned in the response to the pre-flight request, then the actual HTTP request is made, for example:

Simulated pre-flight check from the browser, using the OPTIONS method:

$ curl -X OPTIONS -vLo /dev/null https://coala.io/#/coalaonline -H "Origin: coala.io"

...
< HTTP/2 405
< access-control-allow-origin: *
...

You will note that this time I get a 405, because the OPTIONS method is not allowed for this website, https://coala.io/#/coalaonline.

With the above in mind, it is possible that some website assets on this page at that time were performing complex CORS requests, and that the pre-flight check from the browser failed against the destination host (https://api.gitmate.io/coala_online) serving the CORS request. The other possibility is that the host serving assets for any CORS requests simply does not have a CORS policy configured, or has one that is too restrictive.

Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS

Just my two cents :)

I presume we can close this issue then?
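The server-side counterpart of the two curl probes above, as an added example that is not code from the coala/landing-frontend or gitmate-2 projects: a small Node.js CORS decision routine that tells a simple request apart from an OPTIONS pre-flight and returns the Access-Control-* headers the API backend would have to send. The allowed origin https://coala.io, the method and header allowlists, the port and the function names are constructed assumptions; the real gitmate-2 configuration is not on this page.

```javascript
// Added example, not from coala/landing-frontend or gitmate-2: a minimal CORS
// decision routine for an API backend. Header keys are lower-case, as Node's
// http module presents them. Allowlists below are constructed placeholders.

// Echoing one specific allowed origin (with Vary: Origin) is preferable to "*",
// which also cannot be combined with credentialed requests.
const ALLOWED_ORIGINS = new Set(['https://coala.io']);
const ALLOWED_METHODS = ['GET', 'POST', 'PUT', 'OPTIONS'];
const ALLOWED_REQUEST_HEADERS = ['content-type', 'authorization'];

// A CORS pre-flight is an OPTIONS request carrying both an Origin and an
// Access-Control-Request-Method header; a bare OPTIONS is an ordinary request.
function isPreflight(method, headers) {
  return method === 'OPTIONS'
    && typeof headers['origin'] === 'string'
    && typeof headers['access-control-request-method'] === 'string';
}

// Returns { status, headers, passThrough }. passThrough=true means the real
// handler should run and attach `headers`; false means answer immediately.
function corsDecision(method, headers) {
  const origin = headers['origin'];

  // No Origin header: same-origin page or non-browser client. Nothing to add.
  if (origin === undefined) {
    return { status: 200, headers: {}, passThrough: true };
  }

  // Unknown origin: fail closed by sending no ACAO header at all. A pre-flight
  // gets a bare 403; a simple request is still served, and the browser
  // withholds the body (the exact error quoted at the top of this issue).
  if (!ALLOWED_ORIGINS.has(origin)) {
    const preflight = isPreflight(method, headers);
    return { status: preflight ? 403 : 200, headers: {}, passThrough: !preflight };
  }

  const common = {
    'Access-Control-Allow-Origin': origin,
    'Vary': 'Origin', // the ACAO value depends on the request, so caches must key on it
  };

  if (isPreflight(method, headers)) {
    const wantedMethod = headers['access-control-request-method'].toUpperCase();
    const wantedHeaders = (headers['access-control-request-headers'] || '')
      .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);

    if (!ALLOWED_METHODS.includes(wantedMethod)
        || wantedHeaders.some((h) => !ALLOWED_REQUEST_HEADERS.includes(h))) {
      return { status: 403, headers: {}, passThrough: false };
    }
    // Pre-flight approved: no body, just the grant the browser asked about.
    return {
      status: 204,
      headers: {
        ...common,
        'Access-Control-Allow-Methods': ALLOWED_METHODS.join(', '),
        'Access-Control-Allow-Headers': ALLOWED_REQUEST_HEADERS.join(', '),
        'Access-Control-Max-Age': '600',
      },
      passThrough: false,
    };
  }

  // Simple request (or the real request after an approved pre-flight).
  return { status: 200, headers: common, passThrough: true };
}

// Wires the decision into a plain http server; the JSON body stands in for the
// API's real response. Not started automatically; see the usage note.
function startServer(port) {
  const http = require('http');
  const server = http.createServer((req, res) => {
    const decision = corsDecision(req.method, req.headers);
    for (const [name, value] of Object.entries(decision.headers)) {
      res.setHeader(name, value);
    }
    if (!decision.passThrough) {
      res.writeHead(decision.status);
      res.end();
      return;
    }
    res.writeHead(200, { 'Content-Type': 'application/json' });
    res.end(JSON.stringify({ ok: true, path: req.url }));
  });
  return server.listen(port);
}

module.exports = { isPreflight, corsDecision, startServer };
```

To try it, call `startServer(8080)` from a Node REPL or script and repeat the two probes from the comment above against `http://127.0.0.1:8080/coala_online/`: a GET with `-H "Origin: https://coala.io"` returns 200 with `access-control-allow-origin: https://coala.io`, while `-X OPTIONS -H "Origin: https://coala.io" -H "Access-Control-Request-Method: PUT"` returns 204 with the Allow-Methods and Allow-Headers grants. Any other Origin value gets a response with no ACAO header, which is the failure mode the browser consoles quoted in the first comment report.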

joeytwiddle commented 5 years ago

I don't think it makes sense to close the issue, because Coala Online is still not working.

Thanks for your examples @ryanleonbutler, although I think they should be targeting https://api.gitmate.io/coala_online/ since that is the API request that is failing.

But as you say, api.gitmate.io is offline at the moment. That's why we don't see any CORS error.

So the task now is to get api.gitmate.io restored, or something equivalent to it.