[GH-ISSUE #23 ] Firefox Plugin - NetworkError on Sign in #19

Author

Owner

@MohamedBassem commented on GitHub (Mar 27, 2024):

Can you try prefixing the address with http://?

@MohamedBassem commented on GitHub (Mar 27, 2024): Can you try prefixing the address with `http://`?

kerem commented

Author

Owner

@vercas commented on GitHub (Mar 27, 2024):

I'm also getting a NetworkError, and my server URL looks like https://foo.bar.baz

@vercas commented on GitHub (Mar 27, 2024): I'm also getting a `NetworkError`, and my server URL looks like `https://foo.bar.baz`

kerem commented

Author

Owner

@MohamedBassem commented on GitHub (Mar 27, 2024):

Hmmm, I wonder if it has something to do with the fact that your SSL certificates are not valid (according to the first screenshot). Is it possible to try disabling SSL and trying again with the http:// prefix? Just as a test.

@MohamedBassem commented on GitHub (Mar 27, 2024): Hmmm, I wonder if it has something to do with the fact that your SSL certificates are not valid (according to the first screenshot). Is it possible to try disabling SSL and trying again with the `http://` prefix? Just as a test.

kerem commented

Author

Owner

@vercas commented on GitHub (Mar 27, 2024):

I think the problem in my case was just that I forgot to update the container before trying the extension.
It works now, and I've changed nothing else.

@vercas commented on GitHub (Mar 27, 2024): I think the problem in my case was just that I forgot to update the container before trying the extension. It works now, and I've changed nothing else.

kerem commented

Author

Owner

@MohamedBassem commented on GitHub (Mar 27, 2024):

Perfect!

@MohamedBassem commented on GitHub (Mar 27, 2024): Perfect!

kerem commented

Author

Owner

@vercas commented on GitHub (Mar 27, 2024):

I wouldn't close this just yet. I'm not the person who opened the ticket (@nickrallison). Their issue may turn out to be different.

@vercas commented on GitHub (Mar 27, 2024): I wouldn't close this just yet. I'm not the person who opened the ticket (@nickrallison). Their issue may turn out to be different.

kerem commented

Author

Owner

@MohamedBassem commented on GitHub (Mar 27, 2024):

Ops, sorry.

@MohamedBassem commented on GitHub (Mar 27, 2024): Ops, sorry.

kerem commented

Author

Owner

@nickrallison commented on GitHub (Mar 27, 2024):

I've updated the docker compose stack to the most recently release and changed the url to: http://100.98.101.100:23000/ and am still encountering the original issue

@nickrallison commented on GitHub (Mar 27, 2024): I've updated the docker compose stack to the most recently release and changed the url to: http://100.98.101.100:23000/ and am still encountering the original issue

kerem commented

Author

Owner

@MohamedBassem commented on GitHub (Mar 27, 2024):

Please try removing the trailing slash from the address, this is a bug I fixed but still not released. Sorry, one last try I promise :)

If you can also capture the error logs from the browser’s console I’d be grateful!

@MohamedBassem commented on GitHub (Mar 27, 2024): Please try removing the trailing slash from the address, this is a bug I fixed but still not released. Sorry, one last try I promise :) If you can also capture the error logs from the browser’s console I’d be grateful!

kerem commented

Author

Owner

@nickrallison commented on GitHub (Mar 27, 2024):

Removing the slash didn't work and the browser console was empty for about a minute after submitting the authentication.

I printed "Here" right before submitting the log in

The logs from each container also seem empty, the only one with anything interesting was the worker log which only contained job info as far as I can tell

@nickrallison commented on GitHub (Mar 27, 2024): Removing the slash didn't work and the browser console was empty for about a minute after submitting the authentication. ![image](https://github.com/MohamedBassem/hoarder-app/assets/99363282/9d9cbbdd-5c3e-40dd-9f18-aee593f52f5e) I printed "Here" right before submitting the log in The logs from each container also seem empty, the only one with anything interesting was the worker log which only contained job info as far as I can tell

kerem commented

https://github.com/MohamedBassem/hoarder-app/assets/2418637/a82e9cee-2454-4e06-b23e-8d3361eb02e1

Author

Owner

@MohamedBassem commented on GitHub (Mar 27, 2024):

Ok, I'm out of ideas for remote debugging :D In chrome, typically, you can open the devtools tab for the "plugin" itself and inspect the network requests the plugin itself is doing.

For example, here's how I debugged the trailing slash bug:

I'd expect that if you open the "extension"'s dev tools (not the page's dev tools), you'd find the error in the console logs and you can actually inspect the network request in the network tab. But I don't know how to do this in firefox.

I don't want to waste your time too much. If you're willing to try to repo on chrome and share the error, that would be great. Another option is to share the tailscale node with me temporarily (I can send you my tailscale email), but I'd understand if you don't want to (tbh, I personally wouldn't share my tailscale node with anyone :)). Otherwise, I'm out of ideas on how to help :)

@MohamedBassem commented on GitHub (Mar 27, 2024): Ok, I'm out of ideas for remote debugging :D In chrome, typically, you can open the devtools tab for the "plugin" itself and inspect the network requests the plugin itself is doing. For example, here's how I debugged the trailing slash bug: https://github.com/MohamedBassem/hoarder-app/assets/2418637/a82e9cee-2454-4e06-b23e-8d3361eb02e1 I'd expect that if you open the "extension"'s dev tools (not the page's dev tools), you'd find the error in the console logs and you can actually inspect the network request in the network tab. But I don't know how to do this in firefox. I don't want to waste your time too much. If you're willing to try to repo on chrome and share the error, that would be great. Another option is to share the tailscale node with me temporarily (I can send you my tailscale email), but I'd understand if you don't want to (tbh, I personally wouldn't share my tailscale node with anyone :)). Otherwise, I'm out of ideas on how to help :)

kerem commented

Author

Owner

@nickrallison commented on GitHub (Mar 28, 2024):

Even more strange, Chrome works right out of the box, firefox still fails. Is it perhaps something strange with my firefox config? I have some strict rules and protections in place: https://github.com/arkenfox/user.js/

@nickrallison commented on GitHub (Mar 28, 2024): Even more strange, Chrome works right out of the box, firefox still fails. Is it perhaps something strange with my firefox config? I have some strict rules and protections in place: https://github.com/arkenfox/user.js/

kerem commented

Author

Owner

@MohamedBassem commented on GitHub (Mar 28, 2024):

Oh interesting. Unfortunately, without logs from the plugin's devtool console (or its network tab), it's very hard to figure out why the plugin's requests are failing.

@MohamedBassem commented on GitHub (Mar 28, 2024): Oh interesting. Unfortunately, without logs from the plugin's devtool console (or its network tab), it's very hard to figure out why the plugin's requests are failing.

kerem commented

Author

Owner

@nickrallison commented on GitHub (Mar 28, 2024):

I think I got the relevant logs:

@nickrallison commented on GitHub (Mar 28, 2024): I think I got the relevant logs: ![image](https://github.com/MohamedBassem/hoarder-app/assets/99363282/01dc25a8-f3d8-468c-a57b-33fc6f01ad56)

kerem commented

Author

Owner

@MohamedBassem commented on GitHub (Mar 28, 2024):

Ok, now we're talking. Are you sure you're on the latest app version? I disabled the CORS policy in v0.10.0 (github.com/MohamedBassem/hoarder-app@e6f6873a23). You being on < 0.10.0 would also explain why it's working on chrome and not in firefox (chrome plugin was explicitly allowlisted. To support firefox, I dropped CORS completely).

If you're using HOARDER_VERSION=release, doing a docker compose up is not enough to ensure you're on the latest version. You'll need to also do docker compose up --pull always. Or instead, pin the version explicitly with HOARDER_VERSION=0.10.1.

@MohamedBassem commented on GitHub (Mar 28, 2024): Ok, now we're talking. Are you sure you're on the latest app version? I disabled the CORS policy in v0.10.0 (https://github.com/MohamedBassem/hoarder-app/commit/e6f6873a23dccdc17849f450da3d93838710880c). You being on < 0.10.0 would also explain why it's working on chrome and not in firefox (chrome plugin was explicitly allowlisted. To support firefox, I dropped CORS completely). If you're using `HOARDER_VERSION=release`, doing a `docker compose up` is not enough to ensure you're on the latest version. You'll need to also do `docker compose up --pull always`. Or instead, pin the version explicitly with `HOARDER_VERSION=0.10.1`.

kerem commented

Author

Owner

@nickrallison commented on GitHub (Mar 28, 2024):

No dice, I pinned it in my .env file: HOARDER_VERSION=0.10.1

but I'm still getting the same error in the console after a compose down and a compose up. Is there a way in the shell of the container to explicitly check the current version to see if it matches the env var?

@nickrallison commented on GitHub (Mar 28, 2024): No dice, I pinned it in my .env file: HOARDER_VERSION=0.10.1 but I'm still getting the same error in the console after a compose down and a compose up. Is there a way in the shell of the container to explicitly check the current version to see if it matches the env var?

kerem commented

Author

Owner

@MohamedBassem commented on GitHub (Mar 28, 2024):

Note to self: I should probably add some version number somewhere in the UI itself.

For now, I think one thing that changed in 0.10.0 is that in the worker logs (docker logs hoarder-workers-1), it used to say:

Starting openai worker ...

now it says:

Starting inference worker ...

If you're on >= 0.10.0, you should see the latter.

Also, can you share the output of:

curl --head https://unraid.vpn:23000/api/trpc/apiKeys.exchange

This should show the CORS headers of you server.

@MohamedBassem commented on GitHub (Mar 28, 2024): > Note to self: I should probably add some version number somewhere in the UI itself. For now, I think one thing that changed in 0.10.0 is that in the worker logs (`docker logs hoarder-workers-1`), it used to say: > Starting openai worker ... now it says: > Starting inference worker ... If you're on >= 0.10.0, you should see the latter. Also, can you share the output of: `curl --head https://unraid.vpn:23000/api/trpc/apiKeys.exchange` This should show the CORS headers of you server.

kerem commented

Author

Owner

@dyslexicjedi commented on GitHub (Mar 29, 2024):

Same issue as @nickrallison on latest version 0.10.1

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource ... CORS request did not succeed.

@dyslexicjedi commented on GitHub (Mar 29, 2024): Same issue as @nickrallison on latest version 0.10.1 Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource ... CORS request did not succeed.

kerem commented

Author

Owner

@MohamedBassem commented on GitHub (Mar 29, 2024):

Can you share the result of:

curl --head <address>/api/trpc/apiKeys.exchange

where <address> is your full server address?

@MohamedBassem commented on GitHub (Mar 29, 2024): Can you share the result of: ``` curl --head <address>/api/trpc/apiKeys.exchange ``` where `<address>` is your full server address?

kerem commented

Author

Owner

@dyslexicjedi commented on GitHub (Mar 29, 2024):

One thing I did notice was that I said http://ip:port but in the inspect of the extension, I'm seeing https://ip:port. I'm not sure how the http got changed to https in the request.

[rob@turing ~]$ curl --head http://10.0.10.118:3000/api/trpc/apiKeys.exchange
HTTP/1.1 204 No Content
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Headers: Content-Type, Authorization
Access-Control-Allow-Credentials: true
vary: RSC, Next-Router-State-Tree, Next-Router-Prefetch, Next-Url
Date: Fri, 29 Mar 2024 18:02:36 GMT
Connection: keep-alive
Keep-Alive: timeout=5

[rob@turing ~]$ curl -k --head https://10.0.10.118:3000/api/trpc/apiKeys.exchange
curl: (35) OpenSSL/3.2.1: error:0A0000C6:SSL routines::packet length too long

@dyslexicjedi commented on GitHub (Mar 29, 2024): One thing I did notice was that I said http://ip:port but in the inspect of the extension, I'm seeing https://ip:port. I'm not sure how the http got changed to https in the request. ``` [rob@turing ~]$ curl --head http://10.0.10.118:3000/api/trpc/apiKeys.exchange HTTP/1.1 204 No Content Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS Access-Control-Allow-Headers: Content-Type, Authorization Access-Control-Allow-Credentials: true vary: RSC, Next-Router-State-Tree, Next-Router-Prefetch, Next-Url Date: Fri, 29 Mar 2024 18:02:36 GMT Connection: keep-alive Keep-Alive: timeout=5 [rob@turing ~]$ curl -k --head https://10.0.10.118:3000/api/trpc/apiKeys.exchange curl: (35) OpenSSL/3.2.1: error:0A0000C6:SSL routines::packet length too long ```

kerem commented

Author

Owner

@MohamedBassem commented on GitHub (Mar 29, 2024):

Access-Control-Allow-Origin: *

CORS headers look correct and confirm that you're on at least 10.0.0. The https thing is interesting. I wonder if you have a Force HTTPS everywhere kind of extension that might be causing this?

@MohamedBassem commented on GitHub (Mar 29, 2024): > Access-Control-Allow-Origin: * CORS headers look correct and confirm that you're on at least `10.0.0`. The https thing is interesting. I wonder if you have a `Force HTTPS everywhere` kind of extension that might be causing this?

kerem commented

Author

Owner

@dyslexicjedi commented on GitHub (Mar 29, 2024):

Yup, on latest. No Https everywhere, just Ublock origin, privacy badger, bitwarden, you.

HOARDER_VERSION=release

rob@hoarder:~$ docker compose pull
WARN[0000] /home/rob/docker-compose.yml: `version` is obsolete 
[+] Pulling 5/5
 ✔ meilisearch Pulled                                                                                                                                         0.5s 
 ✔ web Pulled                                                                                                                                                 0.4s 
 ✔ redis Pulled                                                                                                                                               0.5s 
 ✔ chrome Pulled                                                                                                                                              0.5s 
 ✔ workers Pulled                                                                                                                                             0.4s 
rob@hoarder:~$ docker compose up -d
WARN[0000] /home/rob/docker-compose.yml: `version` is obsolete 
[+] Running 5/5
 ✔ Container rob-meilisearch-1  Started                                                                                                                       0.0s 
 ✔ Container rob-web-1          Started                                                                                                                       0.0s 
 ✔ Container rob-redis-1        Started                                                                                                                       0.0s 
 ✔ Container rob-workers-1      Started                                                                                                                       0.0s 
 ✔ Container rob-chrome-1       Started                                                                                                                       0.0s

@dyslexicjedi commented on GitHub (Mar 29, 2024): Yup, on latest. No Https everywhere, just Ublock origin, privacy badger, bitwarden, you. ``` HOARDER_VERSION=release ``` ``` rob@hoarder:~$ docker compose pull WARN[0000] /home/rob/docker-compose.yml: `version` is obsolete [+] Pulling 5/5 ✔ meilisearch Pulled 0.5s ✔ web Pulled 0.4s ✔ redis Pulled 0.5s ✔ chrome Pulled 0.5s ✔ workers Pulled 0.4s rob@hoarder:~$ docker compose up -d WARN[0000] /home/rob/docker-compose.yml: `version` is obsolete [+] Running 5/5 ✔ Container rob-meilisearch-1 Started 0.0s ✔ Container rob-web-1 Started 0.0s ✔ Container rob-redis-1 Started 0.0s ✔ Container rob-workers-1 Started 0.0s ✔ Container rob-chrome-1 Started 0.0s ```

kerem commented

Author

Owner

@MohamedBassem commented on GitHub (Mar 29, 2024):

Yeah, I mean the headers you shared confirm that you're on the latest release. So the culprit is probably something else.

And your https thing is a nice observation. Do you have a force https everywhere kind of extension?

@MohamedBassem commented on GitHub (Mar 29, 2024): Yeah, I mean the headers you shared confirm that you're on the latest release. So the culprit is probably something else. And your `https` thing is a nice observation. Do you have a `force https everywhere` kind of extension?

kerem commented

Author

Owner

@dyslexicjedi commented on GitHub (Mar 29, 2024):

I've disabled all other extensions and restarted firefox. No change still the same error and still converts from http to https. Could it be some policy inside firefox?

@dyslexicjedi commented on GitHub (Mar 29, 2024): I've disabled all other extensions and restarted firefox. No change still the same error and still converts from http to https. Could it be some policy inside firefox?

kerem commented

https://support.mozilla.org/en-US/kb/https-only-prefs

Author

Owner

@MohamedBassem commented on GitHub (Mar 29, 2024):

It seems that firefox indeed has such a thing:

EDIT: And allows you to add some exceptions which can be useful in this case.

@MohamedBassem commented on GitHub (Mar 29, 2024): It seems that firefox indeed has such a thing: https://support.mozilla.org/en-US/kb/https-only-prefs EDIT: And allows you to add some exceptions which can be useful in this case.

kerem commented

Author

Owner

@dyslexicjedi commented on GitHub (Mar 29, 2024):

I checked the setting, but it's currently disabled.

Content-Security-Policy has an alert about upgrading insecure request. Still looking into that "feature"

Edit: Is this set in the extension or site?
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests

@dyslexicjedi commented on GitHub (Mar 29, 2024): I checked the setting, but it's currently disabled. ![image](https://github.com/MohamedBassem/hoarder-app/assets/7138525/3963e13a-c7ec-4ace-ac55-e53db5d837f0) Content-Security-Policy has an alert about upgrading insecure request. Still looking into that "feature" Edit: Is this set in the extension or site? https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests

kerem commented

Author

Owner

@dyslexicjedi commented on GitHub (Mar 29, 2024):

I'm going to throw a valid cert on that machine and see if it works. That way we can figure out if that really is the problem or not.

@dyslexicjedi commented on GitHub (Mar 29, 2024): I'm going to throw a valid cert on that machine and see if it works. That way we can figure out if that really is the problem or not.

kerem commented

Author

Owner

@dyslexicjedi commented on GitHub (Mar 29, 2024):

I tried it through a reverse proxy with a valid https certificate, same CORS error and dialog error message. I could put a cert directly on the box if you think that would help but I don't think it would make much difference.

rob@hoarder:~$ curl --head https://hoarder.dyslexicjedi.com/api/trpc/apiKeys.exchange
HTTP/1.1 204 No Content
Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 29 Mar 2024 18:46:47 GMT
Connection: keep-alive
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Headers: Content-Type, Authorization
Access-Control-Allow-Credentials: true
vary: RSC, Next-Router-State-Tree, Next-Router-Prefetch, Next-Url

@dyslexicjedi commented on GitHub (Mar 29, 2024): I tried it through a reverse proxy with a valid https certificate, same CORS error and dialog error message. I could put a cert directly on the box if you think that would help but I don't think it would make much difference. ``` rob@hoarder:~$ curl --head https://hoarder.dyslexicjedi.com/api/trpc/apiKeys.exchange HTTP/1.1 204 No Content Server: nginx/1.18.0 (Ubuntu) Date: Fri, 29 Mar 2024 18:46:47 GMT Connection: keep-alive Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS Access-Control-Allow-Headers: Content-Type, Authorization Access-Control-Allow-Credentials: true vary: RSC, Next-Router-State-Tree, Next-Router-Prefetch, Next-Url ```

kerem commented

Author

Owner

@MohamedBassem commented on GitHub (Mar 29, 2024):

Is your instance by any chance publicly accessible? Would love to test on my firefox installation.

@MohamedBassem commented on GitHub (Mar 29, 2024): Is your instance by any chance publicly accessible? Would love to test on my firefox installation.

kerem commented

Author

Owner

@nickrallison commented on GitHub (Mar 29, 2024):

@dyslexicjedi Do you happen to use the Arkenfox presets for firefox?

@nickrallison commented on GitHub (Mar 29, 2024): @dyslexicjedi Do you happen to use the Arkenfox presets for firefox?

kerem commented

Author

Owner

@dyslexicjedi commented on GitHub (Mar 29, 2024):

@MohamedBassem No sorry, it's only internal

@nickrallison No, it's Firefox packaged with Arch Linux. No real customization other than a few addons.

@dyslexicjedi commented on GitHub (Mar 29, 2024): @MohamedBassem No sorry, it's only internal @nickrallison No, it's Firefox packaged with Arch Linux. No real customization other than a few addons.

kerem commented

Author

Owner

@nickrallison commented on GitHub (Mar 29, 2024):

I got a temporary instance publicly hosted here: https://hoarder.allisontech.ca/

Strangely it doesn't have the same problem. I suspect it is something to do with my HTTPS I added.

Could I add you to my tailnet perhaps @MohamedBassem? It still has the same issue, do you have an email that works?

@nickrallison commented on GitHub (Mar 29, 2024): I got a temporary instance publicly hosted here: https://hoarder.allisontech.ca/ Strangely it doesn't have the same problem. I suspect it is something to do with my HTTPS I added. Could I add you to my tailnet perhaps @MohamedBassem? It still has the same issue, do you have an email that works?

kerem commented

Author

Owner

@dyslexicjedi commented on GitHub (Mar 29, 2024):

I'm still getting CORS issues against your public instance.

@dyslexicjedi commented on GitHub (Mar 29, 2024): I'm still getting CORS issues against your public instance.

kerem commented

Author

Owner

@MohamedBassem commented on GitHub (Mar 29, 2024):

Yeah, it sounds like some weird https issue. I expect that the plugin won't work with an invalid or self-signed cert. On the other hand, @dyslexicjedi tried with a valid cert and faced the same problem :)

Anyways, sent you an email (got yours from your github profile) with my tailscale email :)

@MohamedBassem commented on GitHub (Mar 29, 2024): Yeah, it sounds like some weird https issue. I expect that the plugin won't work with an invalid or self-signed cert. On the other hand, @dyslexicjedi tried with a valid cert and faced the same problem :) Anyways, sent you an email (got yours from your github profile) with my tailscale email :)

kerem commented

Author

Owner

@MohamedBassem commented on GitHub (Mar 29, 2024):

@dyslexicjedi Any chance it's a different CORS issue? For example, are you by any chance adding a trailing slash to the URL? :) This causes a CORS issue but a different one. A one that I already fixed in the extension version 1.1.1 :)

I'm not getting any CORS issues in the public instance on firefox.

@MohamedBassem commented on GitHub (Mar 29, 2024): @dyslexicjedi Any chance it's a different CORS issue? For example, are you by any chance adding a trailing slash to the URL? :) This causes a CORS issue but a different one. A one that I already fixed in the extension version 1.1.1 :) I'm not getting any CORS issues in the public instance on firefox.

kerem commented

Author

Owner

@dyslexicjedi commented on GitHub (Mar 29, 2024):

So I was messing around with my nginx reverse proxy and CORS..... and I got it to work.

My config:

server {
  listen 0.0.0.0:443 ssl;
  server_name hoarder.dyslexicjedi.com;

  include ssl.conf;

  location / {
    if ($request_method = 'OPTIONS') {
      add_header 'Access-Control-Allow-Origin' '*';
      add_header 'Access-Control-Allow-Credentials' 'true';
      add_header 'Access-Control-Allow-Headers' 'Authorization,Accept,Origin,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Con>
      add_header 'Access-Control-Allow-Methods' 'GET,POST,OPTIONS,PUT,DELETE,PATCH';
      add_header 'Access-Control-Max-Age' 1728000;
      add_header 'Content-Type' 'text/plain charset=UTF-8';
      add_header 'Content-Length' 0;
      return 204;
    }
    proxy_pass http://10.0.10.118:3000;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

  }
}

@dyslexicjedi commented on GitHub (Mar 29, 2024): So I was messing around with my nginx reverse proxy and CORS..... and I got it to work. My config: ``` server { listen 0.0.0.0:443 ssl; server_name hoarder.dyslexicjedi.com; include ssl.conf; location / { if ($request_method = 'OPTIONS') { add_header 'Access-Control-Allow-Origin' '*'; add_header 'Access-Control-Allow-Credentials' 'true'; add_header 'Access-Control-Allow-Headers' 'Authorization,Accept,Origin,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Con> add_header 'Access-Control-Allow-Methods' 'GET,POST,OPTIONS,PUT,DELETE,PATCH'; add_header 'Access-Control-Max-Age' 1728000; add_header 'Content-Type' 'text/plain charset=UTF-8'; add_header 'Content-Length' 0; return 204; } proxy_pass http://10.0.10.118:3000; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } } ```

kerem commented

Author

Owner

@MohamedBassem commented on GitHub (Mar 29, 2024):

I managed to repro the issue on @nickrallison's private instance (over tailscale). Basically CORS is failing because SSL is failing with SSL_ERROR_RX_RECORD_TOO_LONG. This error means we're trying to talk SSL over an HTTP only port.

You can repro this error by opening the https://100.98.101.100:23000/signin in a tab. (Notice that https is the protocol which is talking directly to hoarder's port). So it's definitely an SSL/HTTPs issue and using a valid certificate should solve this issue.

Now, the question remains. Why tf is firefox forcing an upgrade to https :)

@MohamedBassem commented on GitHub (Mar 29, 2024): I managed to repro the issue on @nickrallison's private instance (over tailscale). Basically CORS is failing because SSL is failing with `SSL_ERROR_RX_RECORD_TOO_LONG`. This error means we're trying to talk SSL over an HTTP only port. <img width="1323" alt="Screenshot 2024-03-29 at 11 10 42 PM" src="https://github.com/MohamedBassem/hoarder-app/assets/2418637/c14c4c6d-c3da-4b94-b056-20c08af5efe6"> You can repro this error by opening the `https://100.98.101.100:23000/signin` in a tab. (Notice that https is the protocol which is talking directly to hoarder's port). So it's definitely an SSL/HTTPs issue and using a valid certificate should solve this issue. Now, the question remains. Why tf is firefox forcing an upgrade to https :)

kerem commented

Author

Owner

@MohamedBassem commented on GitHub (Mar 29, 2024):

So I was messing around with my nginx reverse proxy and CORS..... and I got it to work.

@dyslexicjedi You're kinda sending the same headers that the server is already sending :D Did you try the combo of "valid cert + no trailing slash) without this hack?

@MohamedBassem commented on GitHub (Mar 29, 2024): > So I was messing around with my nginx reverse proxy and CORS..... and I got it to work. @dyslexicjedi You're kinda sending the same headers that the server is already sending :D Did you try the combo of "valid cert + no trailing slash) without this hack?

kerem commented

Author

Owner

@dyslexicjedi commented on GitHub (Mar 29, 2024):

Yes, valid cert with no trailing slash was still failing. Only the nginx hack fixed it, but then again based on what you said previously. Firefox is communicating over a valid SSL cert to nginx and nginx is communicating over standard http to hoarder. so it's possible that nginx is solving the firefox SSL upgrade problem somehow. (not sure that made sense, but it kinda does in my head.)

@dyslexicjedi commented on GitHub (Mar 29, 2024): Yes, valid cert with no trailing slash was still failing. Only the nginx hack fixed it, but then again based on what you said previously. Firefox is communicating over a valid SSL cert to nginx and nginx is communicating over standard http to hoarder. so it's possible that nginx is solving the firefox SSL upgrade problem somehow. (not sure that made sense, but it kinda does in my head.)

kerem commented

Author

Owner

@MohamedBassem commented on GitHub (Mar 30, 2024):

Ok, I have a minimal repro that's irrelevant to Hoarder server.

Start a local python server with python3 -m http.server 8000
Get your local lan IP
In the extension, use http://<local_lan_ip>:8000 as the server address
Use any username and password.
You'll get the same CORS error we've been debugging, and the python server will receive some SSL garbage.

Notice, that if you use localhost or 127.0.0.1, firefox won't upgrade the request to https.

It seems that firefox addons upgrades ANY http request to https regardless of the website. I don't know why this is happening to be honest. The next suspect would be maybe something in the plugin code itself? I'll check.

@MohamedBassem commented on GitHub (Mar 30, 2024): Ok, I have a minimal repro that's irrelevant to `Hoarder` server. - Start a local python server with `python3 -m http.server 8000` - Get your local lan IP - In the extension, use `http://<local_lan_ip>:8000` as the server address - Use any username and password. - You'll get the same CORS error we've been debugging, and the python server will receive some SSL garbage. Notice, that if you use `localhost` or `127.0.0.1`, firefox won't upgrade the request to https. It seems that firefox addons upgrades ANY http request to https regardless of the website. I don't know why this is happening to be honest. The next suspect would be maybe something in the plugin code itself? I'll check.

kerem commented

Author

Owner

@nickrallison commented on GitHub (Mar 30, 2024):

I got it working, it was not the fix i would like but I forwarded my domain to a second local Nginx instance on a VM so not publicly. After adding https it works like it's meant to. Thanks for all the support, I'm content with a band-aid fix for now

@nickrallison commented on GitHub (Mar 30, 2024): I got it working, it was not the fix i would like but I forwarded my domain to a second local Nginx instance on a VM so not publicly. After adding https it works like it's meant to. Thanks for all the support, I'm content with a band-aid fix for now

kerem commented

Author

Owner

@nickrallison commented on GitHub (Mar 30, 2024):

Perhaps another band aid would be a disclaimer to firefox users and the advice to host it publicly and disable sign ups once issue #52 gets resolved

@nickrallison commented on GitHub (Mar 30, 2024): Perhaps another band aid would be a disclaimer to firefox users and the advice to host it publicly and disable sign ups once issue #52 gets resolved

kerem commented

Author

Owner

@MohamedBassem commented on GitHub (Mar 30, 2024):

You don't actually need to host it publicly. You just need to have a valid certificate. You can get valid certs for non public domains with DNS challenge in Lets Encrypt. Most of my homelab is non-public (only via tailscale) and has valid certs.

EDIT: #52 is a misunderstanding :) DISABLE_SIGNUPS works.
EDIT 2: I think the disclaimer would be: "If you're planning to use the firefox extension, your service needs to be served over https and have valid certs".

@MohamedBassem commented on GitHub (Mar 30, 2024): You don't actually need to host it publicly. You just need to have a valid certificate. You can get valid certs for non public domains with DNS challenge in Lets Encrypt. Most of my homelab is non-public (only via tailscale) and has valid certs. EDIT: #52 is a misunderstanding :) DISABLE_SIGNUPS works. EDIT 2: I think the disclaimer would be: "If you're planning to use the firefox extension, your service needs to be served over https and have valid certs".

kerem commented

Author

Owner

@alejoar commented on GitHub (Apr 6, 2024):

I'm facing this same issue (confirmed looking at the extension console logs) and hosting through cosmos with a custom domain. The site is publicly accessible with https.

Any tips on how to fix it with this setup?

@alejoar commented on GitHub (Apr 6, 2024): I'm facing this same issue (confirmed looking at the extension console logs) and hosting through cosmos with a custom domain. The site is publicly accessible with https. Any tips on how to fix it with this setup?

kerem commented

Author

Owner

@MohamedBassem commented on GitHub (Apr 6, 2024):

@alejoar if you're using cosmos, you might want to check the custom CORS header configuration. Check https://github.com/MohamedBassem/hoarder-app/issues/51 for details on how we debug a previous instance with cosmos.

@MohamedBassem commented on GitHub (Apr 6, 2024): @alejoar if you're using cosmos, you might want to check the custom CORS header configuration. Check https://github.com/MohamedBassem/hoarder-app/issues/51 for details on how we debug a previous instance with cosmos.

kerem commented

Author

Owner

@alejoar commented on GitHub (Apr 6, 2024):

@MohamedBassem amazing, that worked, thank you!

@alejoar commented on GitHub (Apr 6, 2024): @MohamedBassem amazing, that worked, thank you!

kerem commented

Author

Owner

@lucius346346 commented on GitHub (Apr 19, 2024):

Is there any plan for fixing this? Setting up SSL for just that would be a hassle?

@lucius346346 commented on GitHub (Apr 19, 2024): Is there any plan for fixing this? Setting up SSL for just that would be a hassle?

kerem commented

Author

Owner

@MohamedBassem commented on GitHub (Apr 19, 2024):

@lucius346346 to be honest, I'm not entirely sure if this something that can be "fixed" or if it's a firefox restriction that can't be bypassed. So far, I didn't find any reference online stating this requirement and I'm not entirely sure what needs to be fixed.

@MohamedBassem commented on GitHub (Apr 19, 2024): @lucius346346 to be honest, I'm not entirely sure if this something that can be "fixed" or if it's a firefox restriction that can't be bypassed. So far, I didn't find any reference online stating this requirement and I'm not entirely sure what needs to be fixed.

kerem commented

Author

Owner

@axsddlr commented on GitHub (Apr 27, 2024):

having same issue on both chrome, edge, waterfox and firefox. ios app works fine

@axsddlr commented on GitHub (Apr 27, 2024): having same issue on both chrome, edge, waterfox and firefox. ios app works fine

kerem commented

Author

Owner

@kamtschatka commented on GitHub (May 24, 2024):

So I found the solution here: https://discourse.mozilla.org/t/mv3-default-csp-override-upgrade-insecure-requests/110443
There is a default Content Security Policy applied in Firefox: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/content_security_policy
I have created a PR: https://github.com/hoarder-app/hoarder/pull/178

I tried it out locally and could confirm that it works (using the published extension and modifying it)

I also tried the local build but that did not work, as the build seems to output invalid manifest versions for Firefox. @MohamedBassem maybe we can talk in Discord to get this fixed? the dev build does not seem to work and the "build" target seems to not include the js file in the index.html?

@kamtschatka commented on GitHub (May 24, 2024): So I found the solution here: https://discourse.mozilla.org/t/mv3-default-csp-override-upgrade-insecure-requests/110443 There is a default Content Security Policy applied in Firefox: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/content_security_policy I have created a PR: https://github.com/hoarder-app/hoarder/pull/178 I tried it out locally and could confirm that it works (using the published extension and modifying it) I also tried the local build but that did not work, as the build seems to output invalid manifest versions for Firefox. @MohamedBassem maybe we can talk in Discord to get this fixed? the dev build does not seem to work and the "build" target seems to not include the js file in the index.html?

kerem commented

Author

Owner

@MohamedBassem commented on GitHub (May 25, 2024):

@kamtschatka this is a great find! I didn't know that firefox adds upgrade-insecure-requests to CSP, and it's not even documented in their docs!

Regarding the local build, pnpm run dev doesn't seem to work with firefox, but pnpm run build does work. You need to follow this link to install the extenion.

@MohamedBassem commented on GitHub (May 25, 2024): @kamtschatka this is a great find! I didn't know that firefox adds `upgrade-insecure-requests` to CSP, and it's not even documented in their docs! Regarding the local build, `pnpm run dev` doesn't seem to work with firefox, but `pnpm run build` does work. You need to follow [this link](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Your_first_WebExtension#installing) to install the extenion.

kerem commented

Author

Owner

@MohamedBassem commented on GitHub (May 25, 2024):

I've just released v1.2.1 to the mozilla store with @kamtschatka. If anyone was facing this problem, please give it a shot and let us know how it goes.
Once again, thanks a ton @kamtschatka for tracking and fixing this long standing problem!

@MohamedBassem commented on GitHub (May 25, 2024): I've just released v1.2.1 to the mozilla store with @kamtschatka. If anyone was facing this problem, please give it a shot and let us know how it goes. Once again, thanks a ton @kamtschatka for tracking and fixing this long standing problem!

kerem commented

Author

Owner

@MRDGH2821 commented on GitHub (Aug 5, 2024):

I'm having trouble getting the extension working unfortunately.

I am using Cosmos Cloud to manage my services, but for Hoarder, I directly used compose files to launch instead of adding it in Cosmos Cloud then launching.

After that I added subdomain, put * in CORS policy setting of Cosmos, disabled HTTPS-only setting of firefox, but can't get it working.

The app works without a problem.

This is command output from server:

And this is command output from WSL2 (I don't have any other linux device)

That one thing which is bothering me is duplicate headers.

Hoarder Version: 0.15.0
App version 1.6.0
Extension Version: 1.2.1

@MRDGH2821 commented on GitHub (Aug 5, 2024): I'm having trouble getting the extension working unfortunately. I am using Cosmos Cloud to manage my services, but for Hoarder, I directly used compose files to launch instead of adding it in Cosmos Cloud then launching. After that I added subdomain, put `*` in CORS policy setting of Cosmos, disabled `HTTPS-only` setting of firefox, but can't get it working. ![image](https://github.com/user-attachments/assets/460bcf4f-53f1-491f-9160-91ed34c9f88f) The app works without a problem. This is command output from server: ![image](https://github.com/user-attachments/assets/450a815d-619a-4635-bb88-936297af64e7) And this is command output from WSL2 (I don't have any other linux device) ![image](https://github.com/user-attachments/assets/8a1e7b97-a2cd-4fec-be74-5f9f922bb714) That one thing which is bothering me is duplicate headers. Hoarder Version: 0.15.0 App version 1.6.0 Extension Version: 1.2.1

kerem commented