gr2m / register-github-app

Register a GitHub App using the manifest flow
ISC License

Manifest is ignored when opening the link in Firefox #6

Open dscho opened 6 months ago

dscho commented 6 months ago

Please avoid duplicates

Reproducible test case

npx register-github-app-cli

Please select the environment(s) that are relevant to your bug report

Versions

Using npx, expect register-github-app to be at the latest version; Firefox v125.0.1

What happened?

With Firefox v125.0.1, the manifest seems to be ignored, and a completely empty form is shown, the top looks like this:

Image

When I open the link in Edge instead, it works as expected, the form shows only the app's name.

Would you be interested in contributing a fix?

gr2m commented 6 months ago

You need to set the path to the manifest file using --manifest

e.g.

npx register-github-app-cli --manifest app.yml

I was not able to reproduce any problem using latest Firefox on Mac OS

dscho commented 6 months ago

With Firefox 125.0.3:

Image

https://github.com/gr2m/register-github-app/assets/127790/2ed8ef52-9f8f-4b9d-ac9f-f51f6bcfee88

gr2m commented 6 months ago

thanks can you please share the contents of app.yml?

dscho commented 5 months ago

> thanks can you please share the contents of app.yml?

@gr2m of course!

```yaml
name: gr2m-reproducer
url: https://github.com/apps/gr2m-reproducer
hook_attributes:
  url: https://gr2m-reproducer-github-app.azurewebsites.net/api/Reproducer
public: false
default_permissions:
  actions: read
  administration: read
  checks: read
  contents: read
  deployments: read
  emails: read
  environments: read
  issues: read
  metadata: read
  pull_requests: read
```

dscho commented 5 months ago

@gr2m any insights into the reason why it does what the video above shows?

gr2m commented 5 months ago

I just tried with your exact app.yml and I was not able to reproduce the problem

You should get redirected to https://github.com/settings/apps/manifest, but you are redirected to https://github.com/settings/apps/new instead. I looked into my requests log in the developer console. This should be the relevant request that doesn't seem to be working correctly in your case:

```json
{ "startedDateTime": "2024-06-11T14:24:34.989-07:00", "request": { "bodySize": 748, "method": "POST", "url": "https://github.com/settings/apps/new", "httpVersion": "HTTP/2", "headers": [ { "name": "Host", "value": "github.com" }, { "name": "User-Agent", "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:126.0) Gecko/20100101 Firefox/126.0" }, { "name": "Accept", "value": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8" }, { "name": "Accept-Language", "value": "en-US,en;q=0.5" }, { "name": "Accept-Encoding", "value": "gzip, deflate, br, zstd" }, { "name": "Content-Type", "value": "application/x-www-form-urlencoded" }, { "name": "Content-Length", "value": "748" }, { "name": "Origin", "value": "http://localhost:59372" }, { "name": "Connection", "value": "keep-alive" }, { "name": "Referer", "value": "http://localhost:59372/" }, { "name": "Cookie", "value": "" }, { "name": "Upgrade-Insecure-Requests", "value": "1" }, { "name": "Sec-Fetch-Dest", "value": "document" }, { "name": "Sec-Fetch-Mode", "value": "navigate" }, { "name": "Sec-Fetch-Site", "value": "cross-site" }, { "name": "Priority", "value": "u=1" }, { "name": "Pragma", "value": "no-cache" }, { "name": "Cache-Control", "value": "no-cache" } ], "cookies": [], "queryString": [], "headersSize": 908, "postData": { "mimeType": "application/x-www-form-urlencoded", "params": [ { "name": "manifest", "value": "{\"redirect_url\":\"http://localhost:59372\",\"name\":\"gr2m-reproducer\",\"url\":\"https://github.com/apps/gr2m-reproducer\",\"hook_attributes\":{\"url\":\"https://gr2m-reproducer-github-app.azurewebsites.net/api/Reproducer\"},\"public\":false,\"default_permissions\":{\"actions\":\"read\",\"administration\":\"read\",\"checks\":\"read\",\"contents\":\"read\",\"deployments\":\"read\",\"emails\":\"read\",\"environments\":\"read\",\"issues\":\"read\",\"metadata\":\"read\",\"pull_requests\":\"read\"},\"setup_on_update\":false,\"request_oauth_on_install\":false}" } ],
"text": "manifest=%7B%22redirect_url%22%3A%22http%3A%2F%2Flocalhost%3A59372%22%2C%22name%22%3A%22gr2m-reproducer%22%2C%22url%22%3A%22https%3A%2F%2Fgithub.com%2Fapps%2Fgr2m-reproducer%22%2C%22hook_attributes%22%3A%7B%22url%22%3A%22https%3A%2F%2Fgr2m-reproducer-github-app.azurewebsites.net%2Fapi%2FReproducer%22%7D%2C%22public%22%3Afalse%2C%22default_permissions%22%3A%7B%22actions%22%3A%22read%22%2C%22administration%22%3A%22read%22%2C%22checks%22%3A%22read%22%2C%22contents%22%3A%22read%22%2C%22deployments%22%3A%22read%22%2C%22emails%22%3A%22read%22%2C%22environments%22%3A%22read%22%2C%22issues%22%3A%22read%22%2C%22metadata%22%3A%22read%22%2C%22pull_requests%22%3A%22read%22%7D%2C%22setup_on_update%22%3Afalse%2C%22request_oauth_on_install%22%3Afalse%7D" } },
"response": { "status": 302, "statusText": "", "httpVersion": "HTTP/2", "headers": [ { "name": "server", "value": "GitHub.com" }, { "name": "date", "value": "Tue, 11 Jun 2024 21:24:35 GMT" }, { "name": "content-type", "value": "text/html; charset=utf-8" }, { "name": "vary", "value": "X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame" }, { "name": "location", "value": "https://github.com/settings/apps/manifest" }, { "name": "cache-control", "value": "no-cache" }, { "name": "set-cookie", "value": "app_manifest_token=7d07bc5c44057e637e4f9ecad99f7a3fd75a52c4; path=/; expires=Tue, 11 Jun 2024 21:29:35 GMT; secure; HttpOnly; SameSite=Lax" }, { "name": "set-cookie", "value": "logged_in=no; domain=github.com; path=/; expires=Wed, 11 Jun 2025 21:24:35 GMT; secure; HttpOnly; SameSite=Lax" }, { "name": "set-cookie", "value": "" }, { "name": "strict-transport-security", "value": "max-age=31536000; includeSubdomains; preload" }, { "name": "x-frame-options", "value": "deny" }, { "name": "x-content-type-options", "value": "nosniff" }, { "name": "x-xss-protection", "value": "0" }, { "name": "referrer-policy", "value": "origin-when-cross-origin, strict-origin-when-cross-origin" }, { "name": "content-security-policy", "value": "default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com api.githubcopilot.com objects-origin.githubusercontent.com copilot-proxy.githubusercontent.com/v1/engines/github-completion/completions *.actions.githubusercontent.com wss://*.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.windows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ productionresultssa10.blob.core.windows.net/ productionresultssa11.blob.core.windows.net/ productionresultssa12.blob.core.windows.net/ productionresultssa13.blob.core.windows.net/ productionresultssa14.blob.core.windows.net/ productionresultssa15.blob.core.windows.net/ productionresultssa16.blob.core.windows.net/ productionresultssa17.blob.core.windows.net/ productionresultssa18.blob.core.windows.net/ productionresultssa19.blob.core.windows.net/ github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com copilot-workspace.githubnext.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com gist.github.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/" }, { "name": "vary", "value": "Accept-Encoding, Accept, X-Requested-With" }, { "name": "x-github-request-id", "value": "E830:27A762:2BAA203:2C72E1F:6668C093" }, { "name": "X-Firefox-Spdy", "value": "h2" } ], "cookies": [ { "name": "app_manifest_token", "value": "7d07bc5c44057e637e4f9ecad99f7a3fd75a52c4" }, { "name": "logged_in", "value": "no" }, { "name": "_gh_sess", "value": "" } ], "content": { "mimeType": "text/html; charset=utf-8", "size": 278418, "comment": "Response bodies are not included." }, "redirectURL": "https://github.com/settings/apps/manifest", "headersSize": 4259, "bodySize": 66079 }, "cache": {}, "timings": { "blocked": 137, "dns": 17, "connect": 46, "ssl": 52, "send": 0, "wait": 207, "receive": 0 }, "time": 459, "_securityState": "secure", "serverIPAddress": "140.82.116.4", "connection": "443", "pageref": "page_1" }
```

It looks like the https://github.com/settings/apps/manifest page relies on cookies. Maybe you have some add-on or more restrictive cookie settings that prevent this flow from working correctly? I tried loading https://github.com/settings/apps/new without any cookies which redirected me to https://github.com/settings/apps/new, but it also showed an error message that I haven't seen in your screen recording.

Sorry, I'm puzzled, not sure what else I can do to help figure this out
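
The request gr2m is describing, as an added example that is neither register-github-app's own code nor something either participant posted: it encodes the manifest from the app.yml above into the form body captured in the HAR, renders the kind of auto-submitting form a local page would hand to the browser, and reads a HAR-style response the way the capture is read here, where a 302 to https://github.com/settings/apps/manifest that also sets app_manifest_token means GitHub accepted the manifest. The redirect_url, setup_on_update and request_oauth_on_install keys are assumed to be the ones the CLI fills in (the captured body shows exactly these), the form markup is an assumption about how such a page is built, and the second response is constructed, not captured.

```javascript
// Added example, not code from register-github-app. Runs on Node >= 18 with
// no dependencies (URLSearchParams is a global).

// The manifest from the app.yml in this thread. redirect_url, setup_on_update
// and request_oauth_on_install are assumed to be the keys the CLI adds; the
// captured POST body above shows exactly this key order.
const MANIFEST = {
  redirect_url: "http://localhost:59372",
  name: "gr2m-reproducer",
  url: "https://github.com/apps/gr2m-reproducer",
  hook_attributes: {
    url: "https://gr2m-reproducer-github-app.azurewebsites.net/api/Reproducer",
  },
  public: false,
  default_permissions: {
    actions: "read",
    administration: "read",
    checks: "read",
    contents: "read",
    deployments: "read",
    emails: "read",
    environments: "read",
    issues: "read",
    metadata: "read",
    pull_requests: "read",
  },
  setup_on_update: false,
  request_oauth_on_install: false,
};

// application/x-www-form-urlencoded body with a single `manifest` field,
// which is what the POST to https://github.com/settings/apps/new carries.
function encodeManifestForm(manifest) {
  return new URLSearchParams({ manifest: JSON.stringify(manifest) }).toString();
}

// Inverse of the above: recover the manifest object from a captured body.
function decodeManifestForm(body) {
  const raw = new URLSearchParams(body).get("manifest");
  if (raw === null) throw new Error("body has no manifest field");
  return JSON.parse(raw);
}

function escapeHtml(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// Assumed shape of the page the local server serves: a form that posts the
// manifest to github.com as a top-level navigation. The JSON goes through
// escapeHtml so the quotes inside it cannot break out of the attribute.
function manifestFormHtml(manifest) {
  return [
    '<form id="manifest-form" method="post" action="https://github.com/settings/apps/new">',
    `  <input type="hidden" name="manifest" value="${escapeHtml(JSON.stringify(manifest))}">`,
    '  <button type="submit">Create GitHub App</button>',
    "</form>",
    '<script>document.getElementById("manifest-form").submit()</script>',
  ].join("\n");
}

// Read a HAR-style response ({ status, headers: [{ name, value }] }) the way
// the capture above is interpreted: GitHub accepted the manifest when it
// answers 302 to /settings/apps/manifest and sets app_manifest_token.
function classifyManifestResponse(response) {
  const values = (name) =>
    response.headers
      .filter((h) => h.name.toLowerCase() === name)
      .map((h) => h.value);
  const location = values("location")[0] || "";
  const tokenSet = values("set-cookie").some((v) =>
    /^app_manifest_token=[0-9a-f]+;/.test(v)
  );
  const accepted =
    response.status === 302 &&
    location === "https://github.com/settings/apps/manifest" &&
    tokenSet;
  return { accepted, location, tokenSet };
}

// Headers copied from the captured 302 above (the rest omitted).
const CAPTURED_RESPONSE = {
  status: 302,
  headers: [
    { name: "location", value: "https://github.com/settings/apps/manifest" },
    { name: "set-cookie", value: "app_manifest_token=7d07bc5c44057e637e4f9ecad99f7a3fd75a52c4; path=/; expires=Tue, 11 Jun 2024 21:29:35 GMT; secure; HttpOnly; SameSite=Lax" },
    { name: "set-cookie", value: "logged_in=no; domain=github.com; path=/; expires=Wed, 11 Jun 2025 21:24:35 GMT; secure; HttpOnly; SameSite=Lax" },
  ],
};

// Constructed, not captured: a response that sends the browser to the empty
// form at /settings/apps/new without handing out a manifest token.
const DROPPED_RESPONSE = {
  status: 302,
  headers: [{ name: "location", value: "https://github.com/settings/apps/new" }],
};

console.log(encodeManifestForm(MANIFEST).slice(0, 60) + "...");
console.log(classifyManifestResponse(CAPTURED_RESPONSE).accepted); // true
console.log(classifyManifestResponse(DROPPED_RESPONSE).accepted); // false
```

Comparing the output of encodeManifestForm against the "text" field in the HAR is a quick way to confirm that a given client is sending the same body GitHub received in the working case; the classifier side is what to run over a capture from the failing browser to see which of the two halves (the redirect or the cookie) is missing.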

dscho commented 5 months ago

> It looks like the https://github.com/settings/apps/manifest page relies on cookies.

Oh, that would be a plausible explanation: The latest Firefox is pretty serious about preventing tracking, including suppression of cookies. That's a pity. I really prefer working with Firefox, particularly because of that tracking prevention.

gr2m commented 5 months ago

I have Firefox 127 which I think is the latest version, and it does work, even in private browsing mode. I also use Firefox as my primary browser on my personal machine. The problem must be something else. Can you try disabling all plugins?

dscho commented 5 months ago

> Can you try disabling all plugins?

Not really. I am a heavy user of the multi-account containers, and pretty much everything would stop working as I need if I disabled that extension. I only have one other extension enabled, a password manager, and I need that, too.

So I guess I'll just live with having to copy/paste the link into Chrome or Edge to be able to use this highly useful node.js script.

dscho commented 5 months ago

Aha! If I paste the URL in a regular new tab, the POST is blocked by my multi-account container extension because github.com is configured to always open in a specific container. If I paste the URL in a new container tab of that specific container, it works even in Firefox! So the problem is not Firefox per se, but the multi-account container feature being somehow incompatible with the way register-github-app is designed to work, unless I find a way to somehow convince that extension to open that localhost URL already in the correct container.

gr2m commented 5 months ago

hmm maybe we could build a web-based version with a domain that you could add to the github.com container? I'm not sure how this works, I never used that feature