Cors issue https://releases.wagtail.io/latest.txt (backend) #356

Open
robmoorman opened this issue Dec 6, 2022 · 7 comments

@robmoorman
Member

Issue Summary

Access to fetch at 'https://releases.wagtail.io/latest.txt' from origin 'xxx' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

Steps to Reproduce

Check network tab and enter your CMS (this feature is turned on by default). Should occur on every platform now.

Technical details

  • Python version: any
  • Django version: any
  • Wagtail version: 4.x
  • Browser version: Chrome x (Chrome 107)

Fix

DevOps should fix this in S3, see https://docs.aws.amazon.com/AmazonS3/latest/userguide/ManageCorsUsing.html

@robmoorman changed the title from "Cors issue https://releases.wagtail.io/latest.txt" to "Cors issue https://releases.wagtail.io/latest.txt (backend wagtail.org)" on Dec 6, 2022
@robmoorman changed the title from "Cors issue https://releases.wagtail.io/latest.txt (backend wagtail.org)" to "Cors issue https://releases.wagtail.io/latest.txt (backend)" on Dec 6, 2022
@hazho

hazho commented Dec 6, 2022

As mentioned in the Slack, CORS should be allowed by the Wagtail org BE team, for all or specific origins. It is not a possible thing outside of the BE server, otherwise the security will be compromised. That being said, there is a way to visit the endpoint from any origin if you turn off secure browsing in a Chromium-based browser (NOT recommended at all).

@lb-
Member

lb- commented Dec 6, 2022

This might need to move to the wagtail.org repo - looks like a similar issue was fixed there previously.

#223

@RealOrangeOne
Member

I can't reproduce this. releases.wagtail.org and releases.wagtail.io both load fine in my browser, and using curl both respond with an access-control-allow-origin: * header.

[Screenshot]

@robmoorman
Member Author

That's odd, I don't see any access control response headers. Can you copy the curl request you tried, @RealOrangeOne?

@robmoorman
Member Author

Appears I can't get the OPTIONS request to go through CloudFront, method not allowed, e.g.

curl -H "Origin: http://example.com" \
  -H "Access-Control-Request-Method: GET" \
  -X OPTIONS --verbose \
  https://releases.wagtail.io/latest.txt

@lb- lb- transferred this issue from wagtail/wagtail Dec 7, 2022
@lb-
Member

lb- commented Dec 7, 2022

Moved from Wagtail repo - however, I cannot reproduce this after a quick smoke test, running the following in the browser works fine.

It must be something to do with how we are requesting it from the client to trigger an options request, probably because it's automatic. Need to do a bit more digging.

If OPTIONS is failing due to cloudfront, still needs to be resolved on the wagtail.org side.

My validation nonetheless

fetch('https://releases.wagtail.io/latest.txt').then(console.log);

Firefox 108: [screenshot]

Chrome 108: [screenshot]

See API response - cors header appears to be correctly set.

@mikaraunio

@lb- Duplicating your browser test does not succeed here:

[Screenshot]

Likewise, curl from a few different VPSes gives no access-control headers:

$ curl -IH "Origin: https://example.com" -H "Access-Control-Request-Method: GET" https://releases.wagtail.io/latest.txt
HTTP/2 200
content-type: text/plain
content-length: 368
date: Fri, 16 Dec 2022 14:22:32 GMT
last-modified: Fri, 11 Nov 2022 22:20:36 GMT
etag: "99ac89ab5a96abc82ff9d953de3b887e"
x-amz-version-id: A6WSpf6jsPf.MIPWe2v7OyIj_MhnW6HU
accept-ranges: bytes
server: AmazonS3
x-cache: Hit from cloudfront
via: 1.1 e626e3045304034f7160fd4e5f8b6fce.cloudfront.net (CloudFront)
x-amz-cf-pop: HAM50-C1
x-amz-cf-id: -6DyXXuVSXc4KzSuFnLUR_4WOBjD6-CCK1iusNpUTa6_3KG60X-KTA==
age: 58210

And with OPTIONS, confirm I'm seeing "Method not allowed" like @robmoorman:

$ curl -IH "Origin: https://example.com" -H "Access-Control-Request-Method: GET" -X OPTIONS https://releases.wagtail.io/latest.txt
HTTP/2 403
server: CloudFront
date: Sat, 17 Dec 2022 06:35:56 GMT
content-type: text/html
content-length: 1053
x-cache: Error from cloudfront
via: 1.1 04545073f97f94a6b7b4580892eff70c.cloudfront.net (CloudFront)
x-amz-cf-pop: HAM50-C1
x-amz-cf-id: 1_uUoHzE2DNMzgWOvjNLk_MYF1PEnsKPXZDUJwydSFl5RMKh40AXBA==
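
The two header dumps above can be checked mechanically. The following is an added example, not part of the thread or of the Wagtail project's code: a shell function (the name `cors_check` and its finding labels are assumptions made here) that reads `curl -I` output and reports the headers a browser's CORS check depends on for a simple, non-credentialed GET from the given origin.

```shell
# Added example (not from the thread). Reads `curl -I` response headers on
# stdin and reports what a browser's CORS check for origin $1 would see.
cors_check() {
  tr -d '\r' | awk -v origin="$1" '
    NR == 1 { status = $2; next }            # status line, e.g. "HTTP/2 200"
    {
      i = index($0, ":"); if (i == 0) next
      name = tolower(substr($0, 1, i - 1))   # header names are case-insensitive
      value = substr($0, i + 1); sub(/^[ \t]+/, "", value)
      h[name] = value
    }
    END {
      acao = h["access-control-allow-origin"]
      if (status !~ /^2/) print "status=" status
      print ((acao == "") ? "acao=missing" : ("acao=" acao))
      if (tolower(h["x-cache"]) ~ /^hit/) {
        print "cached age=" h["age"]
        # A cached copy without Vary: Origin is reused for every Origin.
        if (tolower(h["vary"]) !~ /origin/) print "vary-origin=missing"
      }
      ok = (status ~ /^2/ && (acao == "*" || acao == origin))
      print (ok ? "verdict=allowed" : "verdict=blocked")
    }'
}
# Headers taken from the GET and OPTIONS dumps in the comment above (trimmed).
sample_get() {
  cat <<'EOF'
HTTP/2 200
server: AmazonS3
x-cache: Hit from cloudfront
age: 58210
EOF
}
sample_options() {
  cat <<'EOF'
HTTP/2 403
server: CloudFront
x-cache: Error from cloudfront
EOF
}
# Constructed sample: a response that does carry the header.
sample_with_acao() {
  cat <<'EOF'
HTTP/2 200
access-control-allow-origin: *
EOF
}
sample_get | cors_check "https://example.com"
```

Against a live endpoint, pipe the request in directly: `curl -sI -H "Origin: https://example.com" URL | cors_check https://example.com`.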
