element-hq / element-web

A glossy Matrix collaboration client for the web.
https://element.io
GNU Affero General Public License v3.0

opening the sticker-box shows 403 forbidden #11581

Closed smoebody closed 4 years ago

smoebody commented 4 years ago

Description

When opening the sticker-box in a conversation, it shows 403 forbidden.

Steps to reproduce

It's straightforward, I think. But hard to reproduce since one has to set up a complete matrix-environment with riot/synapse/dimension/mxisd, ensure that all widget_urls referring to the dimension integration-service

upload

It seems that the riot-config is not respected, the sticker-button results in sending a request to scalar.vector.im/api/ which results in a 403 forbidden:

fetch("https://scalar.vector.im/api/widgets/id/9eea8eb8-822c-4060-9b9f-59b6c7aa281e/stickers.html?widgetId=9eea8eb8-822c-4060-9b9f-59b6c7aa281e&parentUrl=https%3A%2F%2Fchat.metaccount.de%2F", {"credentials":"include","headers":{"accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3","accept-language":"de,en;q=0.9,de-DE;q=0.8,en-US;q=0.7","sec-fetch-mode":"nested-navigate","sec-fetch-site":"cross-site","upgrade-insecure-requests":"1"},"referrerPolicy":"no-referrer","body":null,"method":"GET","mode":"cors"});

This URL (https://scalar.vector.im/api/) I can only find in the bundle.js; my config.json has the following widget configuration:

...
    "integrations_ui_url": "https://dimension.le.metaccount.de/riot",
    "integrations_rest_url": "https://dimension.le.metaccount.de/api/v1/scalar",
    "integrations_widgets_urls": ["https://dimension.le.metaccount.de/widgets"],
    "integrations_jitsi_widget_url": "https://dimension.le.metaccount.de/widgets/jitsi",
...

Logs being sent: yes/no

Version information

For the web app:

xvitaly commented 4 years ago

I had the same problem and I found a solution - enable third-party cookies in your browser settings for *.matrix.org, *.vector.im and *.your-domain.tld domains.

rexy712 commented 4 years ago

Also having this issue in electron app. If I leave the config.json as default, it will load the default stickers. Changing it to use my dimension instance causes a 403 on sticker box opening.

This is the url it 403s on:

https://scalar.vector.im/api/widgets/id/32a33322-d1d0-442f-8ada-f98a6430c2b6/stickers.html?widgetId=32a33322-d1d0-442f-8ada-f98a6430c2b6&parentUrl=vector%3A%2F%2Fvector%2Fwebapp%2F

I don't think it should be accessing scalar.vector.im when I've scrubbed every instance of it from my configs and source files that I could find. Also of note, I haven't updated any of dimension, synapse, riot, anything else in a few weeks and this just started happening today.

t3chguy commented 4 years ago

@rexy712 your account data will have the old sticker picker from Scalar still instantiated, you can remove it using /devtools

rexy712 commented 4 years ago

That did the trick, thanks @t3chguy. I hadn't thought of checking account data. I figured it would all be stored and handled on the client.

smoebody commented 4 years ago

Worked for me as well. Closing.

DarwinPorras commented 4 years ago

Hi guys,

Could anyone give me advice on how to use /devtools to fix the 403 Forbidden error when I try to pop out a widget from Riot Desktop?

zeratax commented 4 years ago

@DarwinPorras ehm under explore account data you can filter for m.widgets and replace what's in there with {}

That said, this doesn't really feel that fixed to me if it requires manually editing account data? Telling my parents how to do this remotely was a nightmare.
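
An added example, not part of the thread and not the project's own code: a small check that compares the widgets stored in `m.widgets` account data against the `integrations_widgets_urls` prefixes from config.json and reports any widget still served from another integration manager, as happened here with scalar.vector.im. The account-data layout (widget id mapped to `{ content: { type, url } }`), the second sample widget and the function names are assumptions made for illustration.

```javascript
// Constructed sample mirroring the config.json excerpt quoted in the issue.
const sampleConfig = {
  integrations_widgets_urls: ["https://dimension.le.metaccount.de/widgets"],
};

// Constructed m.widgets content. The layout (widget id -> { content: { type, url } })
// is an assumption about how the client stores per-user widgets.
const sampleWidgets = {
  "9eea8eb8-822c-4060-9b9f-59b6c7aa281e": {
    type: "m.widget",
    content: {
      type: "m.stickerpicker",
      url: "https://scalar.vector.im/api/widgets/id/9eea8eb8-822c-4060-9b9f-59b6c7aa281e/stickers.html",
    },
  },
  "constructed-dimension-widget": {
    type: "m.widget",
    content: {
      type: "m.stickerpicker",
      url: "https://dimension.le.metaccount.de/widgets/stickerpicker", // constructed path
    },
  },
};

// True when `url` shares the prefix's origin and its path sits under the prefix path.
// Comparing parsed origins avoids matching look-alike hosts or "/widgets-other" paths.
function isUnderPrefix(url, prefix) {
  let u, p;
  try { u = new URL(url); p = new URL(prefix); } catch { return false; }
  const base = p.pathname.replace(/\/+$/, "");
  return u.origin === p.origin &&
    (u.pathname === base || u.pathname.startsWith(base + "/"));
}

// Returns [{ id, type, url }] for every widget not covered by a configured prefix.
function findStaleWidgets(config, widgets) {
  const allowed = config.integrations_widgets_urls || [];
  return Object.entries(widgets || {})
    .filter(([, w]) => w && w.content && typeof w.content.url === "string")
    .filter(([, w]) => !allowed.some((prefix) => isUnderPrefix(w.content.url, prefix)))
    .map(([id, w]) => ({ id, type: w.content.type, url: w.content.url }));
}

console.log(findStaleWidgets(sampleConfig, sampleWidgets));
```

Paste the real `m.widgets` content from /devtools in place of `sampleWidgets` to see which entries would still send requests, with credentials, to a host other than the configured integration manager.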