Closed edanweis closed 4 months ago
Hi. Does this also happen when you don't use StackBlitz (e.g. local development)? I have a theory that it happens because in StackBlitz the app runs inside of an iframe.
@mifi yes, it happens in local development, StackBlitz and in production. I forgot to mention I am also using Cloudflare with DNS proxy.
ok thanks for clearing that up.
Where is Companion hosted? I don't know how your StackBlitz can possibly work, because it uses https://example.com/companion
I think it could be related to #4107
Also, have you set a Cross-Origin-Opener-Policy header?
I can see that Cross-Origin-Opener-Policy: same-origin does get set when running from StackBlitz. So it won't work there.
Having a Cross-Origin-Opener-Policy header with a value of same-origin prevents setting opener. Since the new window is loaded in a different browsing context, it won't have a reference to the opening window.
(from https://developer.mozilla.org/en-US/docs/Web/API/Window/opener)
Are you setting that header when testing locally and in production?
net::ERR_CERT_AUTHORITY_INVALID when Uppy code communicates with the companion server
add_header Cross-Origin-Opener-Policy 'unsafe-none' always;
in my nginx config pasted above. I haven't tested that locally. Should companion do that by default?
Are the Uppy web-app static files hosted in nginx also (the configuration above)? If not, can you check whether the request to get the webapp HTML has a Cross-Origin-Opener-Policy header in the response? (for example using the Chrome developer tools Network tab)
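The MDN note above and the request to inspect the web app's response headers boil down to one rule: a popup keeps `window.opener` only if the COOP values of the opening page and of the page the popup navigates to are compatible. The following is an added example, not Uppy or Companion code, that encodes the browser's browsing-context-group switch rule so the header pairs seen in this thread can be checked offline. All header objects and URLs in it are constructed fixtures, and `coopOf`, `popupLosesOpener` and `diagnose` are names chosen here, not Uppy APIs.

```javascript
// Added example (not Uppy/Companion code): predict whether an OAuth popup will
// keep window.opener given the Cross-Origin-Opener-Policy (COOP) headers on the
// page that opens it and on the page the popup navigates to.
//
// Rules, following the HTML spec's "browsing context group switch" check
// for the popup's first navigation away from its initial about:blank:
//   - both effectively unsafe-none                          -> opener kept
//   - opener same-origin-allow-popups, popup unsafe-none    -> opener kept
//   - identical COOP value AND same origin                  -> opener kept
//   - anything else -> new browsing context group, popup.opener === null,
//     so the popup can neither postMessage the token back nor close itself.

const COOP_VALUES = new Set(["unsafe-none", "same-origin", "same-origin-allow-popups"]);

// Extract the enforced COOP value from a response headers object. The header
// name lookup is case-insensitive; a missing or unrecognised value behaves as
// unsafe-none, as it does in browsers. Cross-Origin-Opener-Policy-Report-Only
// is ignored on purpose because it does not enforce anything.
function coopOf(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === "cross-origin-opener-policy") {
      const token = String(value).split(";")[0].trim().toLowerCase();
      return COOP_VALUES.has(token) ? token : "unsafe-none";
    }
  }
  return "unsafe-none";
}

function originOf(url) {
  return new URL(url).origin;
}

// true when the popup lands in a different browsing context group
// (window.opener will be null inside the popup).
function popupLosesOpener(openerUrl, openerHeaders, popupUrl, popupHeaders) {
  const current = coopOf(openerHeaders);
  const next = coopOf(popupHeaders);
  const sameOrigin = originOf(openerUrl) === originOf(popupUrl);
  if (current === "unsafe-none" && next === "unsafe-none") return false;
  if (current === "same-origin-allow-popups" && next === "unsafe-none") return false;
  if (current === next && sameOrigin) return false;
  return true;
}

// The explicit verdict the thread asks for instead of a blank popup page.
function diagnose(openerUrl, openerHeaders, popupUrl, popupHeaders) {
  if (!popupLosesOpener(openerUrl, openerHeaders, popupUrl, popupHeaders)) {
    return "ok: popup keeps window.opener; postMessage back to the app will work";
  }
  return (
    `broken: app at ${originOf(openerUrl)} sends COOP "${coopOf(openerHeaders)}", ` +
    `popup at ${originOf(popupUrl)} sends COOP "${coopOf(popupHeaders)}"; ` +
    "popup.opener is null, so it cannot postMessage the token or close itself"
  );
}

// Constructed fixtures mirroring the thread (example.com is a redaction there too).
const APP_URL = "https://example.com/";
const SEND_TOKEN_URL = "https://example.com/companion/drive/send-token?uppyAuthToken=long-token-here";
const APP_HEADERS_STACKBLITZ = { "Cross-Origin-Opener-Policy": "same-origin" };
const APP_HEADERS_FIXED = { "cross-origin-opener-policy": "unsafe-none" }; // the nginx add_header line
const COMPANION_HEADERS = { "Content-Type": "text/html" }; // no COOP header at all

console.log(diagnose(APP_URL, APP_HEADERS_STACKBLITZ, SEND_TOKEN_URL, COMPANION_HEADERS));
console.log(diagnose(APP_URL, APP_HEADERS_FIXED, SEND_TOKEN_URL, COMPANION_HEADERS));
```

Feed it the headers taken from the Network tab for the web app's HTML document and for the Companion `send-token` response; both sides matter, since a `same-origin` value on either one is enough to sever the opener. Note that `same-origin-allow-popups` on the web app is the value to reach for if the app needs COOP for its own isolation but must still open OAuth popups that report back.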
No, they are hosted by Vercel, or locally in the Nuxt3 Nitro server. example.com is a redaction. All headers were being sent.
I think I solved it; the problem was the nuxt-security module I am using:
security: {
  nonce: true,
  corsHandler: {
    origin: process.env.AUTH_BASE_URL,
    methods: "*",
  },
  headers: {
    crossOriginEmbedderPolicy: false,
    contentSecurityPolicy: {
      "script-src-attr": ["'unsafe-hashes'", "'unsafe-inline'"],
      "img-src": false, // ["'self'", 'data:'],
      "script-src": [
        "'self'",
        "https:",
        "'unsafe-inline'",
        "'strict-dynamic'",
        "'nonce-{{nonce}}'",
        "'unsafe-eval'",
      ],
    },
  },
},
The StackBlitz same-origin must have been confounding my tests with the Uppy Vue template. Thanks for your time @mifi
Alright, so Cross-Origin-Opener-Policy: same-origin was the problem, and we close this? I think we should provide a better error message (not just a blank page).
Yes, that was the problem. I'll close the issue.
Initial checklist
Link to runnable example
https://stackblitz.com/edit/nuxt-starter-y4aec5
Steps to reproduce
https://example.com/companion/connect/googledrive/callback?
https://example.com/companion/drive/send-token?uppyAuthToken=long-token-here
does not close and returns the error.
Setup:
My nuxt-starter StackBlitz includes my nginx, companion pm2 script and companion.json options (which seem to break CORS, so I fall back to the env variable options). I also tested with the Uppy Dashboard starter with the same errors.
Causes I've investigated:
COMPANION_CLIENT_ORIGINS so that the targetOrigin for postMessage calls are available in the context of OAuth.
https://example.com/companion/drive/send-token?
incorrectRequest
Response Headers
nginx.conf
pm2 script
Expected behavior
As @mifi says:
Actual behavior
New tab (https://example.com/companion/drive/send-token?uppyAuthToken=long-token-here) does not close and returns the error.
New Tab source