Closed flaki closed 6 years ago
:wave: @flaki
thanks a lot for the heads up, I was able to reproduce the issue in Firefox. I'll check in with GitHub's API team.
For clarification, here is what we mean:

```
$ curl -XOPTIONS -i https://api.github.com/
HTTP/1.1 204 No Content
Date: Sun, 18 Mar 2018 17:49:29 GMT
Content-Type: application/octet-stream
Server: GitHub.com
Status: 204 No Content
Access-Control-Expose-Headers: ETag, Link, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval
Access-Control-Max-Age: 86400
Access-Control-Allow-Headers: Authorization, Content-Type, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Accept-Encoding, X-GitHub-OTP, X-Requested-With
Access-Control-Allow-Methods: GET, POST, PATCH, PUT, DELETE
Access-Control-Allow-Origin: *
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-Frame-Options: deny
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin
Expect-CT: max-age=2592000, report-uri="https://api.github.com/_private/browser/errors"
Content-Security-Policy: default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src render.githubusercontent.com; connect-src 'self' uploads.github.com status.github.com collector.githubapp.com api.github.com www.google-analytics.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com; font-src assets-cdn.github.com; form-action 'self' github.com gist.github.com; frame-ancestors 'none'; img-src 'self' data: assets-cdn.github.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com collector.githubapp.com avatars0.githubusercontent.com avatars1.githubusercontent.com avatars2.githubusercontent.com avatars3.githubusercontent.com github-cloud.s3.amazonaws.com; manifest-src 'self'; media-src 'none'; script-src assets-cdn.github.com; style-src 'unsafe-inline' assets-cdn.github.com; worker-src 'self'
X-Runtime-rack: 0.004512
Vary: Accept-Encoding
X-GitHub-Request-Id: EF62:89FF:226BC3B:2C23EE7:5AAEA6A9
```
The `Access-Control-Allow-Headers` header should include `User-Agent` in order for Octokit to be usable in browsers that follow the fetch specification. Octokit is currently unusable in the latest Firefox and Safari, and will be unusable in Chrome soon.
I've reported this to the GitHub API team and will let you know if there are any updates.
This is shipped!

```
$ curl -XOPTIONS -i https://api.github.com/ | grep Access-Control
Access-Control-Expose-Headers: ETag, Link, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval
Access-Control-Max-Age: 86400
Access-Control-Allow-Headers: Authorization, Content-Type, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Accept-Encoding, X-GitHub-OTP, X-Requested-With, User-Agent
Access-Control-Allow-Methods: GET, POST, PATCH, PUT, DELETE
Access-Control-Allow-Origin: *
```
That was fast, thanks! I double checked and things are working now. Let us know if something is still funky in Firefox @flaki. Thanks again for the report 🙏
Fantastic turnaround, thanks so much! :sparkling_heart:
Unless I'm missing something, this issue seems to be mildly related to #758 (except that it affects api.github.com).

It seems browsers are blocking the CORS pre-flight request if a User-Agent is present in the request headers and the server doesn't explicitly list `user-agent` as a modifiable property in the returned response's `Access-Control-Allow-Headers` header. This seems to be a rather recent addition to the spec (the ability to change the User Agent, and thus the requirement for opt-in). This has already landed in Firefox 43, and is in the works for Chrome.

Source code used:

Octokit version: v15.2.4
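To make the pre-flight failure described in this report (and in the maintainer's reply above) concrete, here is an added example that is not part of the octokit/rest.js project or this issue: a simplified model of the Fetch spec's CORS-preflight header check, run against the `Access-Control-Allow-Headers` values from the two curl responses in this thread. The request header set is an assumed one for an authenticated Octokit call made from a browser.

```javascript
// Added example, not from the octokit/rest.js project or this issue: a simplified
// model of the Fetch spec's CORS-preflight header check. The Allow-Headers values
// are quoted from the curl output in this thread; the request header set is an
// assumed one for an authenticated Octokit call made from a browser.

// Request headers the Fetch spec CORS-safelists: they never need to be listed in
// Access-Control-Allow-Headers. Simplified: the spec also restricts their values
// (e.g. Content-Type must be one of three media types).
const CORS_SAFELISTED = new Set(['accept', 'accept-language', 'content-language', 'content-type']);

// Split a comma-separated Access-Control-Allow-Headers value into a lowercase set.
function parseAllowHeaders(value) {
  return new Set(value.split(',').map(h => h.trim().toLowerCase()).filter(Boolean));
}

// Decide whether a preflight for the given request header names would pass.
// A literal `*` covers every header except Authorization, and only when the
// request is sent without credentials, as the Fetch spec prescribes.
function preflightCheck(requestHeaderNames, allowHeadersValue, withCredentials = false) {
  const allowed = parseAllowHeaders(allowHeadersValue);
  const wildcard = allowed.has('*') && !withCredentials;
  const blocked = [];
  for (const name of requestHeaderNames) {
    const n = name.toLowerCase();
    if (CORS_SAFELISTED.has(n)) continue;
    if (wildcard && n !== 'authorization') continue;
    if (!allowed.has(n)) blocked.push(n);
  }
  return { ok: blocked.length === 0, blocked };
}

// Access-Control-Allow-Headers values from the two responses quoted above.
const ALLOW_BEFORE = 'Authorization, Content-Type, If-Match, If-Modified-Since, If-None-Match, ' +
  'If-Unmodified-Since, Accept-Encoding, X-GitHub-OTP, X-Requested-With';
const ALLOW_AFTER = ALLOW_BEFORE + ', User-Agent';

// Assumed header set for an authenticated Octokit call from a browser.
const OCTOKIT_REQUEST_HEADERS = ['Accept', 'Authorization', 'User-Agent'];

function demo() {
  const before = preflightCheck(OCTOKIT_REQUEST_HEADERS, ALLOW_BEFORE);
  const after = preflightCheck(OCTOKIT_REQUEST_HEADERS, ALLOW_AFTER);
  console.log('before fix:', before); // { ok: false, blocked: ['user-agent'] }
  console.log('after fix:', after);   // { ok: true, blocked: [] }
  return { before, after };
}

demo();
```

Only the header-name part of the check is modelled; a real browser also validates the preflight status, `Access-Control-Allow-Origin` and `Access-Control-Allow-Methods` before letting the actual request through.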