Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CORS Error #151

Open
MalteJac opened this issue Jul 29, 2022 · 1 comment
Open

CORS Error #151

MalteJac opened this issue Jul 29, 2022 · 1 comment

Comments

@MalteJac
Copy link

MalteJac commented Jul 29, 2022
edited

Hey, similar to #50 I am not able to send a proper request to get an Azure Bearer Token, which works absolutely fine with PostMan. I activated the addon usage (Firefox) in the Hoppscotch setting. I'm not self-hosting, thus using https://hoppscotch.io/

"error_description": "AADSTS9002326: Cross-origin token redemption is permitted only for the 'Single-Page Application' client-type. Request origin: 'moz-extension://abxxxxxxxxxxxxxxxxxxxxxxxxxxxx92'.\r\nTrace ID: 3xxxxxxxxxxxxxxxxxxxxxxxxx0\r\nCorrelation ID: exxxxxxxxxxxxxxxxxxxxxxxxxxx8\r\nTimestamp: 2022-07-29 10:00:32Z",


from MS docs:
> The application must fix either the reply URIs registered on the application registration to include a unique reply address of type "spa", or they must fix the token request to not include an Origin header, if being sent from a non-browser client.
@ynyyn
Copy link

ynyyn commented Dec 15, 2023
edited

Yes, I'm experiencing the same issue as well. And I've managed to figure out the cause and have successfully resolved it.

Today is my first day to Hoppscotch and I found when using Hoppscotch via hoppscotch.io in Firefox 120 with browser extension 0.28 (December 14, 2023) as middleware activated, the requests sent from Hoppscotch would still have the Origin header with value moz-extension://....

We may confirm this by sending request to echo.hoppscotch.io or httpbin to examine the actual header sent.

bad origin with moz-extension

... So, it could still trigger CORS restriction. Hmm... Did I miss any settings?

I couldn't find any useful information in the documentation or the issues. It's highly likely that this issue is specific to Firefox, which is used by few people, so it's not surprising to see that there isn't much feedback.

After some research, I found this issue relates to Firefox security policy.

The issue is about host permissions, in MV3, they’re not granted automatically on install, but instead user needs to grant them at some point.
https://discourse.mozilla.org/t/can-not-use-cross-origin-requests-from-an-mv3-addon-background-script-on-nightly-v102/97603

This made me understand why.

It turn out that before sending the request in Hoppscotch, I had to open the target site (domain, host) in a new tab and right-click on the extension to authorize "Extension Can Read and Change Data: Always allow on <host>" to the extension.

authorize the extension

Only after that, the request sent in Hoppscotch will not be cross-site.

Finally, I realized that it is possible to grant the extension access to ALL websites in Add-ons Preference page (about:addons) manually.

Grant the extension access to ALL websites in Add-ons Preference

Hope this helps.

Maybe it would be nice if we could include a note about this issue in the documentation, README, or description in the market.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@ynyyn @MalteJac