
GitHub API does not include user-agent in Access-Control-Allow-Headers #817

Closed
flaki opened this issue Mar 18, 2018 · 6 comments
Labels
Type: Bug Something isn't working as documented

Comments

flaki commented Mar 18, 2018

Unless I'm missing something, this issue seems to be mildly related to #758 (except that it affects api.github.com).

It seems browsers are blocking the CORS pre-flight request if a User-Agent is present in the request headers and the server doesn't explicitly list user-agent as a modifiable property in the returned response's Access-Control-Allow-Headers header. This seems to be a rather recent addition to the spec (the ability to change the User Agent, and thus the requirement for opt-in). This has already landed in Firefox 43, is in the works for Chrome.

[screenshot: gh-api-cors]

Source code used:

```js
// `Octokit` is the global exposed by the Octokit browser bundle (v15).
const private_token = '<OAUTH_TOKEN_PLACEHOLDER>' // placeholder, not from the issue

(async () => {
  const octokit = new Octokit({})

  console.log('authenticating with', octokit)
  await octokit.authenticate({
    type: 'oauth',
    token: private_token
  })

  // The fork call triggers a CORS preflight (OPTIONS) in the browser.
  const fork = await octokit.repos.fork({
    owner: 'mdn',
    repo: 'browser-compat-data'
  })
  console.log(fork)
})()
```

Octokit version: v15.2.4

gr2m commented Mar 18, 2018

👋 @flaki

thanks a lot for the heads up, I was able to reproduce the issue in Firefox. I’ll check in with GitHub’s API team

@gr2m gr2m added the Type: Bug Something isn't working as documented label Mar 18, 2018
gr2m commented Mar 18, 2018

For clarification, here is what we mean:

```
$ curl -XOPTIONS -i https://api.github.com/
HTTP/1.1 204 No Content
Date: Sun, 18 Mar 2018 17:49:29 GMT
Content-Type: application/octet-stream
Server: GitHub.com
Status: 204 No Content
Access-Control-Expose-Headers: ETag, Link, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval
Access-Control-Max-Age: 86400
Access-Control-Allow-Headers: Authorization, Content-Type, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Accept-Encoding, X-GitHub-OTP, X-Requested-With
Access-Control-Allow-Methods: GET, POST, PATCH, PUT, DELETE
Access-Control-Allow-Origin: *
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-Frame-Options: deny
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin
Expect-CT: max-age=2592000, report-uri="https://api.github.com/_private/browser/errors"
Content-Security-Policy: default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src render.githubusercontent.com; connect-src 'self' uploads.github.com status.github.com collector.githubapp.com api.github.com www.google-analytics.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com; font-src assets-cdn.github.com; form-action 'self' github.com gist.github.com; frame-ancestors 'none'; img-src 'self' data: assets-cdn.github.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com collector.githubapp.com avatars0.githubusercontent.com avatars1.githubusercontent.com avatars2.githubusercontent.com avatars3.githubusercontent.com github-cloud.s3.amazonaws.com; manifest-src 'self'; media-src 'none'; script-src assets-cdn.github.com; style-src 'unsafe-inline' assets-cdn.github.com; worker-src 'self'
X-Runtime-rack: 0.004512
Vary: Accept-Encoding
X-GitHub-Request-Id: EF62:89FF:226BC3B:2C23EE7:5AAEA6A9
```

The Access-Control-Allow-Headers header should include User-Agent in order for Octokit to be usable in browsers that follow the fetch specification. Octokit is currently unusable in latest Firefox and Safari, and will be unusable in Chrome soon.

@bkeepers
I've reported this to the GitHub API team and will let you know if there are any updates.

bkeepers commented Mar 21, 2018

This is shipped!

```
$ curl -XOPTIONS -i https://api.github.com/ | grep Access-Control
Access-Control-Expose-Headers: ETag, Link, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval
Access-Control-Max-Age: 86400
Access-Control-Allow-Headers: Authorization, Content-Type, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Accept-Encoding, X-GitHub-OTP, X-Requested-With, User-Agent
Access-Control-Allow-Methods: GET, POST, PATCH, PUT, DELETE
Access-Control-Allow-Origin: *
```
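To make the preflight failure concrete, here is an added example (not code from the issue or from Octokit) that models the Fetch-spec check a browser applies to a preflight response and runs it against the two Access-Control-Allow-Headers values quoted above, before and after GitHub's fix. The list of headers Octokit sends is constructed for the example; the `*` handling follows the spec's rule that a wildcard never covers Authorization and only applies to requests made without credentials.

```javascript
// Request header names the Fetch spec lets a cross-origin request carry without
// the server listing them (Content-Type is safelisted only for a few form/plain
// values, so it is deliberately left out of this simplified model).
const SAFELISTED = new Set(['accept', 'accept-language', 'content-language']);

// Parse a comma-separated Access-Control-Allow-Headers value into a lower-cased
// set; browsers compare header names case-insensitively.
function parseAllowHeaders(value) {
  return new Set(
    value.split(',').map((h) => h.trim().toLowerCase()).filter(Boolean)
  );
}

// Return the request headers that the preflight response does NOT authorise.
// Any non-empty result means the browser blocks the actual request.
function disallowedHeaders(requestHeaders, allowHeadersValue, withCredentials = false) {
  const allowed = parseAllowHeaders(allowHeadersValue);
  const wildcard = allowed.has('*') && !withCredentials;
  return requestHeaders
    .map((h) => h.toLowerCase())
    .filter((h) => !SAFELISTED.has(h))
    .filter((h) => !(allowed.has(h) || (wildcard && h !== 'authorization')));
}

function preflightPasses(requestHeaders, allowHeadersValue, withCredentials = false) {
  return disallowedHeaders(requestHeaders, allowHeadersValue, withCredentials).length === 0;
}

// Constructed: headers an authenticated Octokit browser request carries once the
// page sets a User-Agent (the behaviour Firefox 43+ allows).
const OCTOKIT_REQUEST_HEADERS = ['Accept', 'Authorization', 'User-Agent'];

// The Access-Control-Allow-Headers values quoted in this issue, before and after the fix.
const ACAH_BEFORE = 'Authorization, Content-Type, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Accept-Encoding, X-GitHub-OTP, X-Requested-With';
const ACAH_AFTER = ACAH_BEFORE + ', User-Agent';

console.log('blocked before fix:', disallowedHeaders(OCTOKIT_REQUEST_HEADERS, ACAH_BEFORE)); // [ 'user-agent' ]
console.log('blocked after fix :', disallowedHeaders(OCTOKIT_REQUEST_HEADERS, ACAH_AFTER));  // []
```

The same check explains why a wildcard alone would not have been a full substitute for GitHub's explicit list: `*` does not cover the Authorization header Octokit needs.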

gr2m commented Mar 21, 2018

That was fast, thanks! I double checked and things are working now. Let us know if something is still funky in Firefox @flaki. Thanks again for the report 🙏

@gr2m gr2m closed this as completed Mar 21, 2018
flaki commented Mar 21, 2018

Fantastic turnaround, thanks so much! 💖
