hoppscotch / hoppscotch-extension

🧩 Browser extensions to provide more capabilities to https://hoppscotch.io
MIT License
254 stars 95 forks

CORS Error #151

Open MalteJac opened 2 years ago

MalteJac commented 2 years ago

Hey, similar to #50 I am not able to send a proper request to get an Azure Bearer Token, which works absolutely fine with Postman. I activated the addon usage (Firefox) in the Hoppscotch setting. I'm not self-hosting, thus using https://hoppscotch.io/

```
"error_description": "AADSTS9002326: Cross-origin token redemption is permitted only for the 'Single-Page Application' client-type. Request origin: 'moz-extension://abxxxxxxxxxxxxxxxxxxxxxxxxxxxx92'.\r\nTrace ID: 3xxxxxxxxxxxxxxxxxxxxxxxxx0\r\nCorrelation ID: exxxxxxxxxxxxxxxxxxxxxxxxxxx8\r\nTimestamp: 2022-07-29 10:00:32Z",
```

From MS docs:
> The application must fix either the reply URIs registered on the application registration to include a unique reply address of type "spa", or they must fix the token request to not include an Origin header, if being sent from a non-browser client.

ynyyn commented 10 months ago

Yes, I'm experiencing the same issue as well. And I've managed to figure out the cause and have successfully resolved it.

Today is my first day with Hoppscotch, and I found that when using Hoppscotch via hoppscotch.io in Firefox 120 with browser extension 0.28 (December 14, 2023) activated as middleware, the requests sent from Hoppscotch would still have the `Origin` header with the value `moz-extension://...`.

We may confirm this by sending a request to echo.hoppscotch.io or httpbin to examine the actual header sent.

[Image: bad origin with moz-extension]

... So, it could still trigger CORS restriction. Hmm... Did I miss any settings?

I couldn't find any useful information in the documentation or the issues. It's highly likely that this issue is specific to Firefox, which is used by few people, so it's not surprising to see that there isn't much feedback.


After some research, I found this issue relates to Firefox security policy.

> The issue is about host permissions, in MV3, they’re not granted automatically on install, but instead user needs to grant them at some point.
>
> — https://discourse.mozilla.org/t/can-not-use-cross-origin-requests-from-an-mv3-addon-background-script-on-nightly-v102/97603

This made me understand why.

It turns out that before sending the request in Hoppscotch, I had to open the target site (domain, host) in a new tab and right-click on the extension to authorize "Extension Can Read and Change Data: Always allow on \<host>" for the extension.

[Image: authorize the extension]

Only after that, the request sent in Hoppscotch will not be cross-site.


Finally, I realized that it is possible to grant the extension access to ALL websites manually on the Add-ons Preference page (about:addons).

[Image: Grant the extension access to ALL websites in Add-ons Preference]

Hope this helps.

Maybe it would be nice if we could include a note about this issue in the documentation, README, or description in the market.
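
The two checks described in the comment above (spotting the `moz-extension://` Origin in an echoed request, and confirming the per-host grant) can be scripted. This is an added example, not part of the thread and not code from hoppscotch-extension; the function names, the `login.example.com` URL and the sample headers are constructed, and it assumes the target host is covered by the extension's manifest host permissions.

```javascript
// Added example (not hoppscotch-extension code). `permissionsApi` is meant to be
// Firefox's WebExtensions `browser.permissions`; it is passed in as a parameter
// so the logic can also be exercised outside the browser.

// Constructed sample of what an echo service might return for the request headers.
const SAMPLE_ECHO = {
  Host: "echo.example",
  Origin: "moz-extension://00000000-0000-0000-0000-000000000000",
};

// Build the match pattern covering every path on the request's host.
// Match patterns take no port, so only scheme and hostname are used.
function hostPattern(requestUrl) {
  const u = new URL(requestUrl);
  if (u.protocol !== "http:" && u.protocol !== "https:") {
    throw new Error(`unsupported scheme: ${u.protocol}`);
  }
  return `${u.protocol}//${u.hostname}/*`;
}

// True when the echoed headers show the request left with an extension Origin,
// the symptom reported in this issue (header names are case-insensitive).
function isExtensionOrigin(echoedHeaders) {
  const entry = Object.entries(echoedHeaders)
    .find(([name]) => name.toLowerCase() === "origin");
  return entry !== undefined && /^moz-extension:\/\//i.test(String(entry[1]));
}

// Check the host grant and ask for it only when it is missing.
// permissions.request() has to be called from a user-action handler (a click).
async function ensureHostAccess(permissionsApi, requestUrl) {
  const wanted = { origins: [hostPattern(requestUrl)] };
  if (await permissionsApi.contains(wanted)) return "already-granted";
  return (await permissionsApi.request(wanted)) ? "granted" : "denied";
}
```

Inside the extension this would be called as `ensureHostAccess(browser.permissions, url)` from a click handler before the request is relayed.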