error during replication: CORS request blocked.

[folz]

Came across npm-browser as a sweet demo of pouchdb, but when I opened it in Firefox (33) nothing happened. Opening the console gives me this (repeating forever):

Chrome works fine.

[nolanlawson]

OK, CORS is officially impossible to work with.

I got it working in Chrome and Firefox, then I changed the configuration to work in Firefox OS, and now it no longer works in Firefox. And the Chrome and Firefox dev tools won't even show me the OPTIONS request/response for some reason.

For the record, the CORS config is:

<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
    <CORSRule>
        <AllowedOrigin>http://*</AllowedOrigin>
        <AllowedOrigin>https://*</AllowedOrigin>
        <AllowedOrigin>app://*</AllowedOrigin>
        <AllowedMethod>GET</AllowedMethod>
        <MaxAgeSeconds>2628000</MaxAgeSeconds>
        <AllowedHeader>accept</AllowedHeader>
        <AllowedHeader>authorization</AllowedHeader>
        <AllowedHeader>content-type</AllowedHeader>
        <AllowedHeader>origin</AllowedHeader>
        <AllowedHeader>referer</AllowedHeader>
    </CORSRule>
</CORSConfiguration>

And I have no idea what it's actually sending to the browser.

Sorry, this isn't about you; I'm just griping about how irritating it is to work with CORS.

[nolanlawson]

Can you post the OPTIONS preflight request and response? I am unable to debug in any version of Firefox I have on my machine. Or Chrome for that matter.

[NickColley]

I'm using Firefox ESR (31.2.0) and can't replicate :(

[folz]

Well this is embarassing - when you both mentioned that you couldn't repro in Firefox, I made a new profile with addons disabled and the CORS issue went away. If there's something conflicting with a popular addon, I'll let you know - otherwise, this is probably something strange on my machine.

[NickColley]

@folz that's okay! If you have to time to figure out which addon it is definitely ping us back so we can see if it needs adding to the common errors page :)

[folz]

Looks like it's HTTPS Everywhere.

[marten-de-vries]

I can confirm that HTTPS Everywhere stops npm-browser from working. (Experiencing the same problem in FF Nightly.)

UPDATE: CORS seems to be enabled for both http and https, tested with curl:

• curl -vX GET http://nolanlawson.s3.amazonaws.com/npm-browser/npm_00000000.txt?_nonce=sb8ORZMhZYltWryw -H "Origin: http://www.npm-browser.com" > /dev/null
• curl -vX GET https://nolanlawson.s3.amazonaws.com/npm-browser/npm_00000000.txt?_nonce=sb8ORZMhZYltWryw -H "Origin: http://www.npm-browser.com" > /dev/null

Next up: wireshark...

[NickColley]

When I visit https://www.npm-browser.com/ I get unknown domain: www.npm-browser.com

[marten-de-vries]

Ok, so when inspecting the http traffic using Wireshark, FF doesn't even make a request to amazon s3 while HTTPS Everywhere is enabled. Seems like a bug in the plug-in, nothing that can be done about it.

@nickcolley Me too when I click past the ssl cert error. But https everywhere doesn't try to redirect to that page, so it doesn't really matter?

[NickColley]

I was thinking if we setup HTTPS on there maybe HTTPS-everywhere would fall into place and not be a problem.

[marten-de-vries]

@nickcolley It might be worth a try, but since it's actually failing on the amazon rule set as described in the issue I just filed against HTTPS Everywhere, I think that wouldn't work.

[nolanlawson]

Ah, I see, I'm getting another error. I'll open another issue.

[marten-de-vries]

@nolanlawson A suggestion from the HTTPS Everywhere issue to circumvent this bug: would it be possible to just use https://nolanlawson.s3.amazonaws.com/ as base url?

[nolanlawson]

Yes, I could just host everything there. There's no big reason to use GitHub pages anymore; it was just convenient at the time.

[marten-de-vries]

@nolanlawson I don't think that's necessary, I just meant changing the URL here to https: https://github.com/pouchdb/npm-browser/blob/master/scripts/services/pouch-service.js#L5

[nolanlawson]

@marten-de-vries yeah, I just assumed mixing http with https was bad, but I guess there's no reason not to

[nolanlawson]

yeah okay, it works with https now

[marten-de-vries]

Just tested this, npm-browser now works in Firefox Nightly with HTTPS Everywhere enabled. :)

[folz]

Yep, works for me as well. Excellent job solving this!