Cross-Origin Request Blocked with spotify search in Firefox

jaedb / Iris

Discover, explore and manage your music library across multiple sources with this beautiful web-based interface. Iris is a Mopidy frontend extension.

Apache License 2.0

1.13k stars 132 forks source link

Cross-Origin Request Blocked with spotify search in Firefox #609

Closed partofthething closed 4 years ago

partofthething commented 4 years ago

Describe the bug When I search in Firefox for something in spotify, it fails to load and gives CORS errors.

To Reproduce Steps to reproduce the behavior:

Activate Mopidy and Spotify
Go to Iris in a new version of firefox and search on spotify
Check the web developer console
See error

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://api.spotify.com/v1/search?

Expected behavior It should just search spotify as usual and return results.

Screenshots If applicable, add screenshots to help explain your problem.

Environment details:

OS: Ubuntu Linux 20.04
Browser: Firefox 80.0.1 (64-bit)
Iris version: 3.51.0

Additional context The mopidy http server allows setting allowed_origins and I have this set to:

[http]
hostname = ::
allowed_origins = api.spotify.com:443,

Have tried various versions of this but none seem to work.

Works on Chrome. I think Firefox is just more serious about enforcing this?

kingosticks commented 4 years ago

I can't address anything in regards to Iris, but I can tell you that Mopidy's http/allowed_origins config is specifically for Mopidy web clients (such as Iris) making requests to Mopidy's HTTP server. It's not related to Iris talking directly to api.spotify.com so you can remove this config.

jaedb commented 4 years ago

I haven't been able to replicate this (I too am on 80.0.1 but Windows 10).

Do you have any custom configuration in your setup, especially around proxies or SSL? What is the URL you're using? If it is http://localhost:6680 then it could be additional security rules for that hostname, which we may not be able to do anything about.

Do any of the other Spotify-connected areas give you the same error? For example New Releases.

partofthething commented 4 years ago

I tried various urls and kept seeing the same issue. Finally I tried with add-ons disabled and it worked. I have lots of privacy add-ons and though I tried disabling them for this site and still saw the issue, disabling them all completely fixes it. So it's not Iris, it's me.

Closing as invalid. Thanks for your help!

roosemberth commented 3 years ago

I'm leaving a note here since I've been hitting this bug. It turns out I was using http://127.0.0.1:6680 to access iris. Using http://localhost:6680 fixed the issue.

blacklight commented 2 years ago

I have lots of privacy add-ons and though I tried disabling them for this site and still saw the issue, disabling them all completely fixes it.

For those who also bumped into this issue, even after explicitly adding api.spotify.com to: allowed_origins: the culprit in my case was the Privacy Badger extension. It interprets the cross-domain call to api.spotify.com like a tracker, so it blocks it regardless of the CORS configuration. Adding a domain exception for the Iris server fixed the issue for me.