search

juju / juju-gui

Juju-GUI is a web-based GUI for Juju <https://jujucharms.com/>.
Other
182 stars 85 forks source link

Charm svg icons won't show because of CORS error #3913

Closed mdavis-xyz closed 5 years ago

mdavis-xyz commented 5 years ago

When I look at the graph in the GUI, I see no icons for charms from the Juju store. Charms which were deployed from local files do have icons.

juju-noicon

When I open the browser console I see that this is because of CORS errors.

Request to access cookie or storage on “https://api.jujucharms.com/charmstore/v5/neutron-api-269/icon.svg” was blocked because we are blocking all third-party storage access requests and content blocking is enabled. Request to access cookie or storage on “https://api.jujucharms.com/charmstore/v5/glance-275/icon.svg” was blocked because we are blocking all third-party storage access requests and content blocking is enabled. etc

I'm using Firefox 66.0.2.

One solution is for the SVGs to be served via the Juju controller, which fetches them from api.jujucharms.com, rather than fetching them directly from the browser.

hatched commented 5 years ago

There are a couple things here.

First, the issue you're seeing there is because you're blocking the requests to the charmstore for the icons in the browser. You'll have to whitelist https://api.jujucharms.com/* for those requests to be allowed out and then shown.

As far as serving the assets from the controller. There is an unfortunate limitation of Juju and modern browsers. Juju only supports loading protected assets (in this case icons) from the controller using u/p in the url. Using a u/p in sub resource requests has been blocked by modern browsers because it can be a potential security issue. We aren't able to resolve this issue on our side, it's dependent on Juju providing some other type of authentication mechanism to fetch these assets.

Related: https://github.com/juju/juju-gui/issues/3067

hatched commented 5 years ago

Juju issue: https://bugs.launchpad.net/juju/+bug/1824887

mdavis-xyz commented 5 years ago

Ah yes, I see now. It is indeed because of one of my browser extensions. (Privacy Badger.)

The console log messages happen to look like CORS errors, but that's not actually the case.

privacy-badger-juju

I have no idea what u/p is.

hatched commented 5 years ago

sorry u/p is shorthand for "user & password"