Open ProteanCoding opened 7 months ago
Not sure how best to test this. Currently trying to start the docker environment in Windows (nothing in the docs about that).
Error traces are in the linked issue #224. This change is for making catalyst servers actually send out the header, so that web browsers can tell that cross-site requests from another catalyst are expected.
I just now succeeded in getting the docker container started in Windows, and will proceed with testing of this change.
@menduz, $server_name is the variable to use.
Tested with curl.
Before the change:
💲 curl -I localhost/stats/parcels
HTTP/1.1 404 Not Found
Server: nginx/1.22.1
Date: Sun, 14 Apr 2024 15:49:52 GMT
Content-Type: application/octet-stream
Content-Length: 46
Connection: keep-alive
ETag: "660578bb-2e"
{ "ok": false, "error": "404 path not found" }
💲 curl -I localhost
HTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Sun, 14 Apr 2024 15:49:55 GMT
Content-Type: text/html
Content-Length: 4997
Last-Modified: Thu, 28 Mar 2024 14:03:39 GMT
Connection: keep-alive
ETag: "660578bb-1385"
Accept-Ranges: bytes
After the change, the Access-Control-Allow-Origin shows up:
💲 curl -i localhost/stats/parcels
HTTP/1.1 404 Not Found
Server: nginx/1.22.1
Date: Sun, 14 Apr 2024 15:49:25 GMT
Content-Type: application/octet-stream
Content-Length: 46
Connection: keep-alive
ETag: "660578bb-2e"
Access-Control-Allow-Origin: localhost
{ "ok": false, "error": "404 path not found" }
💲 curl -I localhost
HTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Sun, 14 Apr 2024 15:49:06 GMT
Content-Type: text/html
Content-Length: 4997
Last-Modified: Thu, 28 Mar 2024 14:03:39 GMT
Connection: keep-alive
ETag: "660578bb-1385"
Access-Control-Allow-Origin: localhost
Accept-Ranges: bytes
Can you share a real-world case of the explorer that is failing? Like a deployment not being able to stream the video.
Yes, currently in my scene at 69,-55, it's been like that for months.
That's where I see this in the logs:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://peer.melonwave.com/content//contents/bafybeidrsigw4lxzsyyrwzmwuiz5obcofxscvczhbqrzri3skplfnq4bw4. (Reason: CORS request did not succeed). Status code: (null).
The flame video won't load and replace the green place-holder texture unless a CORS extension is used in the browser.
The video also finally loads when I hop onto the realm served by melonwave.com.
I've noticed other scenes having similar issues.
Please provide a link in which the maintainers can click into, to debug the issue. It is weird that this error has never happened before. And even though your PR may fix it, the root cause must be analyzed. Because there are dozens of scenes reproducing video
@menduz, if I understand correctly, the issue I posted on catalyst-owner/issues/224 is the link which you are requesting. But I am still trying to figure out how things work on this GitHub. I will also add more information in this link presently.
I am also realizing I made a wrong assumption (which was hard to see before I cleared my mind by posting the other PRs on my plate). I assumed the code looks for the content on a different catalyst because catalysts also share file storage load. But of course all the content is on all of the catalysts.
Thus a better long-term solution would be to have the code double-check that content won't be blocked due to CORS, and if it will, to not request it from a different catalyst. But in the short-term, my PR should work to patch-up the issue.
I have also been getting my mind more and more around the dangers inherent to the XSS technologies that are required in this and in many other projects.
How CORS is meant to work is still rather misunderstood, as can be seen by the number of incorrectly up-voted posts on https://old.reddit.com/r/reactjs/comments/1bjft89/what_is_the_actual_point_of_cors/ and other similar places.
In the end, the issue is that any DCL cookie remaining, in the browser, after a trip to Decentraland, could be used by a bad website visited afterwards, in a bid to fool a catalyst.
@ProteanCoding thank you very much for this PR! I think the change is not by itself wrong, but I think perhaps the CORS issue is a red herring, notice:
1) The browser may return a cors error for things that are not really cors errors, for example, if a 404 error message has no CORS headers (which you can argue is a CORS error, but that's not the most important problem).
2) Only the /stats/parcels URL in the issues is from a catalyst, so you will still see the other errors. And for the error in catalyst https://peer.dclnodes.io/stats/parcels such URL does not exist, because that catalyst has no comms. So it's expected to fail.
3) We usually handle CORS inside the apps themselves. It is not the case for that particular 404 since that's nginx doing the handling, but for most cases the apps do the trick.
Again, I think we will see fewer CORS errors with this change, but I don't think it will solve the underlying issue you are facing.
In any case it's great to see your contribution and how you are debugging the problem and fixing stuff. Thanks!
Hi @hugoArregui, you're welcome! My apologies, I've been trying to find the conviction to reformulate #224, with more convincing arguments and extra log traces. I will simply list the extra log traces here.
Using Firefox, and while on the MAIN realm:
https://play.decentraland.org/?position=-119,119 (DG Arena)
15:46:59.850 Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://peer.kyllian.me/content//contents/bafybeielnptdv5uorbbpiiw64yeyq6nkfrpd76rt4hhvjbcranwaln7rdm. (Reason: CORS request did not succeed). Status code: (null).
https://play.decentraland.org/?position=-2,134 (Sophia The Robot)
15:57:42.794 Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://peer.kyllian.me/content//contents/bafybeigr2kau3nuhzbxurtvgy5kyvt4efihhhdjbtwetyeiq6loxlnpqde. (Reason: CORS request did not succeed). Status code: (null).
https://play.decentraland.org/?position=-21,148 (Immeuble presentation)
17:36:13.398 Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://peer.kyllian.me/content//contents/bafybeih5cxwnt3b35kap3olsvqq4xitacxzp3p55zeozpry43pwryt4pji. (Reason: CORS request did not succeed). Status code: (null).
And I've been seeing more of those in my DCL travels.
Regarding the 404 response, it's very misleading, because there's a JSON object that is actually also sent along!
💲 curl https://peer.dclnodes.io/stats/parcels
{ "ok": false, "error": "404 path not found" }
Here is the file which gets served: https://github.com/decentraland/catalyst-owner/blob/master/local/nginx/html/404
For fixing https://github.com/decentraland/catalyst-owner/issues/224.
Only this one line needs to be added, according to https://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header.
$http_origin works on Heroku; on catalysts, it may be that $CATALYST_URL should be used instead.
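As an added illustration for this thread (it is not catalyst-owner code and not the PR's nginx change), the script below parses the "after the change" curl capture shown earlier, applies the check a browser performs before letting a cross-origin page read a response, and then lints the three candidate add_header values discussed here ($server_name, $http_origin, $CATALYST_URL). The catalyst URL and the play.decentraland.org origin used as inputs are assumptions; the captured headers are copied from the thread.

```python
"""Browser-side CORS check, worked against the thread's curl captures.

Added example for this discussion; it is not catalyst-owner code and does not
touch nginx. The $CATALYST_URL value and the request origins are assumptions.
"""
from urllib.parse import urlsplit

# Constructed from the "after the change" capture in the thread (curl -i localhost/stats/parcels).
CAPTURED_404 = """\
HTTP/1.1 404 Not Found
Server: nginx/1.22.1
Date: Sun, 14 Apr 2024 15:49:25 GMT
Content-Type: application/octet-stream
Content-Length: 46
Connection: keep-alive
ETag: "660578bb-2e"
Access-Control-Allow-Origin: localhost
{ "ok": false, "error": "404 path not found" }
"""


def parse_curl_capture(raw: str) -> tuple[int, dict[str, str]]:
    """Split a `curl -i` capture into (status code, lower-cased header dict); stops at the body."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or " " in name.strip():  # blank line, or a body line such as '{ "ok": ...'
            break
        headers[name.strip().lower()] = value.strip()
    return status, headers


def is_serialized_origin(value: str) -> bool:
    """True when value has the scheme://host[:port] form a browser puts in the Origin header."""
    if value in ("*", "null"):
        return True
    parts = urlsplit(value)
    return bool(parts.scheme and parts.netloc) and parts.path == "" and not parts.query and not parts.fragment


def cors_allows_read(request_origin: str, headers: dict[str, str], credentials: bool = False) -> tuple[bool, str]:
    """Decide, as a browser does, whether script running on request_origin may read this response."""
    acao = headers.get("access-control-allow-origin")
    if acao is None:
        return False, "no Access-Control-Allow-Origin header (the symptom in the thread's console logs)"
    if acao == "*":
        if credentials:
            return False, "wildcard is rejected for credentialed requests"
        return True, "wildcard permits anonymous reads"
    if acao != request_origin:  # byte-for-byte comparison, scheme and port included
        return False, f"ACAO {acao!r} does not equal request Origin {request_origin!r}"
    if credentials and headers.get("access-control-allow-credentials", "").lower() != "true":
        return False, "credentialed request also needs Access-Control-Allow-Credentials: true"
    return True, "origin allowed"


# What each candidate add_header value from the PR would expand to for a given request Origin.
SERVER_NAME = "localhost"                          # what $server_name expanded to in the captures
CATALYST_URL = "https://catalyst.example.invalid"  # assumed value for $CATALYST_URL
POLICIES = {
    "$server_name": lambda origin: SERVER_NAME,
    "$http_origin": lambda origin: origin,         # reflects whatever the caller sent
    "$CATALYST_URL": lambda origin: CATALYST_URL,
}


def lint_policy(policy: str, request_origin: str, credentials: bool = False) -> dict:
    """Emit the header a policy would produce, run the browser check, and flag what a defender cares about."""
    acao = POLICIES[policy](request_origin)
    headers = {"access-control-allow-origin": acao}
    if credentials:
        headers["access-control-allow-credentials"] = "true"
    allowed, reason = cors_allows_read(request_origin, headers, credentials)
    risk = None
    if not is_serialized_origin(acao):
        risk = "value is a bare host name, not an origin; no browser will accept it"
    elif policy == "$http_origin" and credentials:
        risk = "reflecting Origin with credentials lets any site read cookie-authenticated responses"
    return {"acao": acao, "allowed": allowed, "reason": reason, "risk": risk}


if __name__ == "__main__":
    status, hdrs = parse_curl_capture(CAPTURED_404)
    print(status, cors_allows_read("http://localhost", hdrs))
    for name in POLICIES:
        for creds in (False, True):
            print(name, creds, lint_policy(name, "https://play.decentraland.org", creds))
```

Two things the run makes visible: the bare "localhost" value in the capture is not a serialized origin, so a page at http://localhost would still be refused; and reflecting $http_origin is only safe as long as the response is not also marked as credentialed, which matters for exactly the leftover-cookie concern raised above. One further caveat from the linked nginx documentation: add_header only applies to 2xx and 3xx responses unless the always parameter is given, so whichever form is chosen should be verified against a 404 as was done here, not only against the 200.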