octokit / octokit.js

The all-batteries-included GitHub SDK for Browsers, Node.js, and Deno.
MIT License

GitHub API does not include `user-agent` in `Access-Control-Allow-Headers` #817

Closed flaki closed 6 years ago

flaki commented 6 years ago

Unless I'm missing something, this issue seems to be mildly related to #758 (except that it affects api.github.com).

It seems browsers are blocking the CORS pre-flight request if a User-Agent is present in the request headers and the server doesn't explicitly list user-agent as a modifiable property in the returned response's Access-Control-Allow-Headers header. This seems to be a rather recent addition to the spec (the ability to change the User Agent, and thus the requirement for opt-in). This has already landed in Firefox 43, is in the works for Chrome.

[screenshot: gh-api-cors]

Source code used:

```js
// Octokit (from @octokit/rest v15) is assumed to be imported or bundled, and
// private_token is a placeholder for the user's OAuth token.
import Octokit from '@octokit/rest'

;(async () => {
  const octokit = new Octokit({})

  console.log('authenticating with', octokit)
  // authenticate() is the v15 API used in this report
  await octokit.authenticate({
    type: 'oauth',
    token: private_token
  })

  // Forking triggers a CORS preflight (OPTIONS) from the browser
  const fork = await octokit.repos.fork({
    owner: 'mdn',
    repo: 'browser-compat-data'
  })
  console.log(fork)
})()
```

Octokit version: v15.2.4

gr2m commented 6 years ago

:wave: @flaki

thanks a lot for the heads up, I was able to reproduce the issue in Firefox. I’ll check in with GitHub’s API team

gr2m commented 6 years ago

For clarification, here is what we mean

```
$ curl -XOPTIONS -i https://api.github.com/
HTTP/1.1 204 No Content
Date: Sun, 18 Mar 2018 17:49:29 GMT
Content-Type: application/octet-stream
Server: GitHub.com
Status: 204 No Content
Access-Control-Expose-Headers: ETag, Link, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval
Access-Control-Max-Age: 86400
Access-Control-Allow-Headers: Authorization, Content-Type, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Accept-Encoding, X-GitHub-OTP, X-Requested-With
Access-Control-Allow-Methods: GET, POST, PATCH, PUT, DELETE
Access-Control-Allow-Origin: *
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-Frame-Options: deny
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin
Expect-CT: max-age=2592000, report-uri="https://api.github.com/_private/browser/errors"
Content-Security-Policy: default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src render.githubusercontent.com; connect-src 'self' uploads.github.com status.github.com collector.githubapp.com api.github.com www.google-analytics.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com; font-src assets-cdn.github.com; form-action 'self' github.com gist.github.com; frame-ancestors 'none'; img-src 'self' data: assets-cdn.github.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com collector.githubapp.com avatars0.githubusercontent.com avatars1.githubusercontent.com avatars2.githubusercontent.com avatars3.githubusercontent.com github-cloud.s3.amazonaws.com; manifest-src 'self'; media-src 'none'; script-src assets-cdn.github.com; style-src 'unsafe-inline' assets-cdn.github.com; worker-src 'self'
X-Runtime-rack: 0.004512
Vary: Accept-Encoding
X-GitHub-Request-Id: EF62:89FF:226BC3B:2C23EE7:5AAEA6A9
```

The Access-Control-Allow-Headers header should include User-Agent in order for Octokit to be usable in browsers that follow the fetch specification. Octokit is currently unusable in latest Firefox and Safari, and will be unusable in Chrome soon.
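To make the preflight rule concrete, here is an added example (not code from the octokit project or from anyone in this thread) that models how a Fetch-conformant browser evaluates `Access-Control-Allow-Headers`: names compare case-insensitively, CORS-safelisted headers need no listing, a non-safelisted header such as `User-Agent` must be listed, and a `*` entry is only a wildcard for credential-less requests and never covers `Authorization`. The two header values are the ones quoted in this issue; the request object is constructed to resemble what octokit v15 sends from a browser.

```javascript
// Headers the Fetch spec safelists for CORS (Content-Type only for simple MIME types).
const SAFELISTED = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SIMPLE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);

// Parse "A, B, C" into a Set of lower-cased header names.
function parseAllowHeaders(value) {
  return new Set(
    (value || '').split(',').map((h) => h.trim().toLowerCase()).filter(Boolean),
  );
}

function isSafelisted(name, value) {
  if (!SAFELISTED.has(name)) return false;
  if (name !== 'content-type') return true;
  const mime = String(value).split(';')[0].trim().toLowerCase();
  return SIMPLE_CONTENT_TYPES.has(mime);
}

// requestHeaders: { name: value } the page script wants to send.
// allowHeadersValue: raw Access-Control-Allow-Headers from the preflight response.
// withCredentials: request credentials mode; "*" is then a literal name, not a wildcard.
// Returns the header names the browser would refuse to send ([] means the request proceeds).
function blockedHeaders(requestHeaders, allowHeadersValue, withCredentials = false) {
  const allowed = parseAllowHeaders(allowHeadersValue);
  const wildcard = !withCredentials && allowed.has('*');
  const blocked = [];
  for (const [rawName, value] of Object.entries(requestHeaders)) {
    const name = rawName.toLowerCase();
    if (isSafelisted(name, value)) continue;
    // The wildcard never covers Authorization; it must be listed explicitly.
    if (allowed.has(name) || (wildcard && name !== 'authorization')) continue;
    blocked.push(name);
  }
  return blocked;
}

// Access-Control-Allow-Headers as quoted in this thread, before and after GitHub's fix.
const BEFORE = 'Authorization, Content-Type, If-Match, If-Modified-Since, If-None-Match, '
  + 'If-Unmodified-Since, Accept-Encoding, X-GitHub-OTP, X-Requested-With';
const AFTER = BEFORE + ', User-Agent';

// Constructed request resembling an octokit v15 browser call (token is a placeholder).
const OCTOKIT_REQUEST = {
  'User-Agent': 'octokit/rest.js v15.2.4',
  Authorization: 'token <placeholder>',
  Accept: 'application/vnd.github.v3+json',
};
```

`blockedHeaders(OCTOKIT_REQUEST, BEFORE)` returns `['user-agent']`, which is the failure reported above; with `AFTER` it returns `[]`.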

bkeepers commented 6 years ago

I've reported this to the GitHub API team and will let you know if there are any updates.

bkeepers commented 6 years ago

This is shipped!

```
$ curl -XOPTIONS -i https://api.github.com/ | grep Access-Control
Access-Control-Expose-Headers: ETag, Link, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval
Access-Control-Max-Age: 86400
Access-Control-Allow-Headers: Authorization, Content-Type, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Accept-Encoding, X-GitHub-OTP, X-Requested-With, User-Agent
Access-Control-Allow-Methods: GET, POST, PATCH, PUT, DELETE
Access-Control-Allow-Origin: *
```

gr2m commented 6 years ago

That was fast, thanks! I double checked and things are working now. Let us know if something is still funky in Firefox @flaki. Thanks again for the report 🙏

flaki commented 6 years ago

Fantastic turnaround, thanks so much! :sparkling_heart: