privacytools / services

Web services issue tracker

🌐 Website Issue | WebFinger for federated comments broken (CORS) #13

Closed kravietz closed 4 years ago

kravietz commented 5 years ago

Description

Commenting on federated websites (e.g. PeerTube) using your Mastodon account at social.privacytools.io depends on cross-site requests using the WebFinger specification. Steps to reproduce:

  1. Open browser developer console
  2. Go to https://peertube.cpy.re/videos/watch/c193a2f6-8b24-48c3-a93e-f89bd71cad42 (for example, any PeerTube instance will work)
  3. Go to the Comments section at the bottom and try to comment (click in the text box). A window comes up offering either a local instance login or federated comment
  4. Enter your Mastodon id in the Remote interact field (e.g. kravietz@social.privacytools.io)
  5. Now PeerTube attempts to issue a CORS request to the specified instance to get authorisation and obtain user details but the request fails with the following error (in dev console):
    Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://social.privacytools.io/.well-known/webfinger?resource=acct:kravietz@social.privacytools.io. (Reason: CORS request did not succeed).

    The actual https://social.privacytools.io/.well-known/webfinger?resource=acct:kravietz@social.privacytools.io request does work and returns the desired information, but it does not return CORS headers (Access-Control-Allow-Origin) which results in the request being blocked by the browser.

This particular URL should return Access-Control-Allow-Origin: * so that all federated instances are able to call it. This might require more research as Mastodon seems to be already setting CORS but apparently not on all endpoints (https://github.com/tootsuite/mastodon/issues/10400) so maybe it's just a bug in Mastodon. I'd just try to set it on your instance and see if it works, and if yes, we can report it to Mastodon too.

kravietz commented 5 years ago

It seems to be indeed a CORS case - compare the headers returned by Friendica

https://friendica.me/.well-known/webfinger?resource=acct:kravietz@friendica.me

HTTP/1.1 200 OK
Date: Sat, 12 Oct 2019 12:10:52 GMT
Server: Apache/2.4.25
X-Account-Management-Status: none
Access-Control-Allow-Origin: *
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/json; charset=utf-8

And federated commenting works.

jonaharagon commented 5 years ago

I will check this issue in a few hours, but if this is something to do with Mastodon we won’t be able to fix it (i.e. we’d need this reported upstream). Is this happening with other instances or just ours specifically?

kravietz commented 5 years ago

@JonahAragon I don't have accounts on any other Mastodon instances so couldn't really check. Since this is an HTTP header, I suppose this may be either fixed upstream or just on the instance, by adding the missing header from Nginx.

jonaharagon commented 5 years ago

I cannot reproduce this issue as you've described in Firefox or Google Chrome. Entering my User ID in the remote interact field opens https://social.privacytools.io/web/statuses/98860444803809393 in a pop-up for me to reply in Mastodon directly, which based on the wording in PeerTube seems to be expected behavior.

wiktor-k commented 4 years ago

> The actual https://social.privacytools.io/.well-known/webfinger?resource=acct:kravietz@social.privacytools.io request does work and returns the desired information, but it does not return CORS headers (Access-Control-Allow-Origin) which results in the request being blocked by the browser.

It does if you add an Origin header (that'd be added by a browser):

$ curl -i -H"Origin:https://social.privacytools.io" https://social.privacytools.io/.well-known/webfinger?resource=acct:kravietz@social.privacytools.io
HTTP/2 200 
date: Sat, 07 Dec 2019 18:24:04 GMT
content-type: application/jrd+json; charset=utf-8
access-control-allow-origin: *
access-control-allow-methods: GET
access-control-expose-headers: 
access-control-max-age: 1728000
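The thread turns on one detail: a plain `curl` without an `Origin` request header shows no CORS headers, while the same request with `Origin` set gets `access-control-allow-origin: *`, so the endpoint looks broken when it is not. The script below is an added example for this thread, not code from the issue, Mastodon, PeerTube or Friendica. It parses the two header captures pasted above (plus a constructed capture with the header missing), applies the browser's rule for a credential-less cross-origin GET, and offers a `probe()` helper that fetches a WebFinger URL both with and without `Origin` so the two cases are not confused. The `probe()` function, its URL and origin arguments, and the constructed capture are assumptions; the Mastodon and Friendica header blocks are copied from the comments above.

```python
"""Check whether a WebFinger response would be readable cross-origin.

Added example for the issue thread above; not project code. Header captures
are taken from the thread, except NO_CORS_CAPTURE, which is constructed to
represent the symptom the reporter described.
"""
import urllib.error
import urllib.request

# Captured from Friendica (pasted in the thread).
FRIENDICA_CAPTURE = """
HTTP/1.1 200 OK
Date: Sat, 12 Oct 2019 12:10:52 GMT
Server: Apache/2.4.25
X-Account-Management-Status: none
Access-Control-Allow-Origin: *
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/json; charset=utf-8
"""

# Captured from Mastodon when the request carried an Origin header (pasted in the thread).
MASTODON_WITH_ORIGIN_CAPTURE = """
HTTP/2 200
date: Sat, 07 Dec 2019 18:24:04 GMT
content-type: application/jrd+json; charset=utf-8
access-control-allow-origin: *
access-control-allow-methods: GET
access-control-expose-headers:
access-control-max-age: 1728000
"""

# Constructed: what the reporter saw, a valid JRD response with no CORS header at all.
NO_CORS_CAPTURE = """
HTTP/2 200
date: Sat, 07 Dec 2019 18:24:04 GMT
content-type: application/jrd+json; charset=utf-8
"""


def parse_response_headers(raw):
    """Turn a 'curl -i' style block (status line + headers) into a dict.

    Header names are case-insensitive in HTTP, so keys are lowercased;
    the status line is kept under the reserved key '_status'.
    """
    lines = raw.strip().splitlines()
    headers = {"_status": lines[0].strip()}
    for line in lines[1:]:
        if ":" not in line:
            continue  # tolerate stray lines in a pasted capture
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def cors_readable(headers, origin):
    """Apply the browser rule for a simple GET without credentials.

    The response must carry Access-Control-Allow-Origin equal to '*' or to
    the exact requesting origin; otherwise the fetch succeeds on the wire
    but the page is denied the body, which is the error in the report.
    Returns (allowed, reason).
    """
    acao = headers.get("access-control-allow-origin")
    if acao is None:
        return False, "no Access-Control-Allow-Origin header; browser blocks the read"
    if acao == "*":
        return True, "wildcard origin allowed"
    if acao == origin:
        return True, "origin %s explicitly allowed" % origin
    return False, "Access-Control-Allow-Origin is %r, not %r" % (acao, origin)


def probe(webfinger_url, origin, timeout=10.0):
    """Fetch the URL twice, once without and once with an Origin header.

    Needs network access; not exercised offline. Mastodon only emits CORS
    headers when Origin is present, so comparing both runs separates
    'header missing' from 'header only sent on real cross-origin requests'.
    """
    results = {}
    for label, extra in (("without_origin", {}), ("with_origin", {"Origin": origin})):
        req = urllib.request.Request(
            webfinger_url, headers={"Accept": "application/jrd+json", **extra}
        )
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                hdrs = {k.lower(): v for k, v in resp.headers.items()}
        except urllib.error.HTTPError as err:
            hdrs = {k.lower(): v for k, v in err.headers.items()}
        results[label] = cors_readable(hdrs, origin)
    return results


if __name__ == "__main__":
    # Hypothetical requesting origin; a PeerTube instance would be the real one.
    peertube_origin = "https://peertube.example"
    for name, capture in (
        ("friendica", FRIENDICA_CAPTURE),
        ("mastodon (Origin sent)", MASTODON_WITH_ORIGIN_CAPTURE),
        ("no CORS header", NO_CORS_CAPTURE),
    ):
        print(name, cors_readable(parse_response_headers(capture), peertube_origin))
```

When reproducing a report like this one, run `probe()` rather than a bare `curl`: the first run reproduces what the reporter did and the second what the browser does, and only a failure in the second run is a real CORS problem on the instance.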