openvsx: error: CORS request did not succeed

Hi,

VSCodium-1.58.0 is getting an error message when loading the list of extensions from open-vsx.org. After debugging, I’ve reduced the code used to its minimal form so we can test it in the browser (Firefox is consistent, unlike Chrome):

(function() {
const xhr = new XMLHttpRequest();

xhr.open('POST', 'https://open-vsx.org/vscode/gallery/extensionquery', true);

xhr.setRequestHeader('X-Market-Client-Id', 'VSCode 1.58.0');
xhr.setRequestHeader('X-Market-User-Id', '27ea627c-eac1-4ae6-92fd-d093b80d1ba5');
xhr.setRequestHeader('Content-Type', 'application/json');
xhr.setRequestHeader('Accept', 'application/json;api-version=3.0-preview.1');

xhr.onload = (e) => {
	console.log(xhr.response);
};

xhr.send('{"filters":[{"criteria":[{"filterType":8,"value":"Microsoft.VisualStudio.Code"},{"filterType":12,"value":"4096"}],"pageNumber":1,"pageSize":50,"sortBy":4,"sortOrder":0}],"assetTypes":[],"flags":950}');
})();

I’m getting:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://open-vsx.org/vscode/gallery/extensionquery. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://open-vsx.org/vscode/gallery/extensionquery. (Reason: CORS request did not succeed).

If you change the URL to https://marketplace.visualstudio.com/_apis/public/gallery/extensionquery, there are no more errors.

About this issue

  • State: closed
  • Created 3 years ago
  • Reactions: 46
  • Comments: 90 (10 by maintainers)

Most upvoted comments

@SpacingBat3 thanks for the feedback

For the --disable-web-security flag, since disabling the security for the whole IDE (including the extensions) is a little over the top, I’m against making it the default.

It’s a server configuration issue, and from the client standpoint the main components haven’t changed much from 1.57.1 to 1.58.0:

  • Chromium: same 89.0.4389.128
  • Electron: 12.0.7 -> 12.0.13
  • Node: same 14.16.0

Some unforeseen circumstances have delayed us from fixing this, but please be aware that it is the number 1 priority for us with Open VSX now and will proceed from there.

Code - OSS (that VS Code but compiled from source thing) doesn’t work, though. Here’s my product.json:

{
  "nameShort": "Code - OSS",
  "nameLong": "Code - OSS",
  "applicationName": "code-oss",
  "dataFolderName": ".vscode-oss",
  "win32MutexName": "vscodeoss",
  "licenseName": "MIT",
  "licenseUrl": "https://github.com/microsoft/vscode/blob/main/LICENSE.txt",
  "win32DirName": "Microsoft Code OSS",
  "win32NameVersion": "Microsoft Code OSS",
  "win32RegValueName": "CodeOSS",
  "win32AppId": "{{E34003BB-9E10-4501-8C11-BE3FAA83F23F}",
  "win32x64AppId": "{{D77B7E06-80BA-4137-BCF4-654B95CCEBC5}",
  "win32arm64AppId": "{{D1ACE434-89C5-48D1-88D3-E2991DF85475}",
  "win32UserAppId": "{{C6065F05-9603-4FC4-8101-B9781A25D88E}",
  "win32x64UserAppId": "{{CC6B787D-37A0-49E8-AE24-8559A032BE0C}",
  "win32arm64UserAppId": "{{3AEBF0C8-F733-4AD4-BADE-FDB816D53D7B}",
  "win32AppUserModelId": "Microsoft.CodeOSS",
  "win32ShellNameShort": "C&ode - OSS",
  "darwinBundleIdentifier": "com.visualstudio.code.oss",
  "linuxIconName": "com.visualstudio.code.oss",
  "licenseFileName": "LICENSE.txt",
  "reportIssueUrl": "https://github.com/microsoft/vscode/issues/new",
  "urlProtocol": "code-oss",
  "webviewContentExternalBaseUrlTemplate": "https://{{uuid}}.vscode-webview.net/{{quality}}/{{commit}}/out/vs/workbench/contrib/webview/browser/pre/",
  "extensionAllowedProposedApi": [
    "ms-vscode.vscode-js-profile-flame",
    "ms-vscode.vscode-js-profile-table",
    "ms-vscode.remotehub",
    "ms-vscode.remotehub-insiders",
    "GitHub.remotehub",
    "GitHub.remotehub-insiders"
  ],
  "extensionsGallery": {
    "serviceUrl": "https://open-vsx.org/vscode/gallery",
    "itemUrl": "https://open-vsx.org/vscode/item"
  },
  "linkProtectionTrustedDomains": ["https://open-vsx.org"],
  "builtInExtensions": [
    {
      "name": "ms-vscode.node-debug",
      "version": "1.44.32",
      "repo": "https://github.com/microsoft/vscode-node-debug",
      "metadata": {
        "id": "b6ded8fb-a0a0-4c1c-acbd-ab2a3bc995a6",
        "publisherId": { "publisherId": "5f5636e7-69ed-4afe-b5d6-8d231fb3d3ee", "publisherName": "ms-vscode", "displayName": "Microsoft", "flags": "verified" },
        "publisherDisplayName": "Microsoft"
      }
    },
    {
      "name": "ms-vscode.node-debug2",
      "version": "1.42.10",
      "repo": "https://github.com/microsoft/vscode-node-debug2",
      "metadata": {
        "id": "36d19e17-7569-4841-a001-947eb18602b2",
        "publisherId": { "publisherId": "5f5636e7-69ed-4afe-b5d6-8d231fb3d3ee", "publisherName": "ms-vscode", "displayName": "Microsoft", "flags": "verified" },
        "publisherDisplayName": "Microsoft"
      }
    },
    {
      "name": "ms-vscode.references-view",
      "version": "0.0.80",
      "repo": "https://github.com/microsoft/vscode-references-view",
      "metadata": {
        "id": "dc489f46-520d-4556-ae85-1f9eab3c412d",
        "publisherId": { "publisherId": "5f5636e7-69ed-4afe-b5d6-8d231fb3d3ee", "publisherName": "ms-vscode", "displayName": "Microsoft", "flags": "verified" },
        "publisherDisplayName": "Microsoft"
      }
    },
    {
      "name": "ms-vscode.js-debug-companion",
      "version": "1.0.14",
      "repo": "https://github.com/microsoft/vscode-js-debug-companion",
      "metadata": {
        "id": "99cb0b7f-7354-4278-b8da-6cc79972169d",
        "publisherId": { "publisherId": "5f5636e7-69ed-4afe-b5d6-8d231fb3d3ee", "publisherName": "ms-vscode", "displayName": "Microsoft", "flags": "verified" },
        "publisherDisplayName": "Microsoft"
      }
    },
    {
      "name": "ms-vscode.js-debug",
      "version": "1.59.0",
      "repo": "https://github.com/microsoft/vscode-js-debug",
      "metadata": {
        "id": "25629058-ddac-4e17-abba-74678e126c5d",
        "publisherId": { "publisherId": "5f5636e7-69ed-4afe-b5d6-8d231fb3d3ee", "publisherName": "ms-vscode", "displayName": "Microsoft", "flags": "verified" },
        "publisherDisplayName": "Microsoft"
      }
    },
    {
      "name": "ms-vscode.vscode-js-profile-table",
      "version": "0.0.18",
      "repo": "https://github.com/microsoft/vscode-js-profile-visualizer",
      "metadata": {
        "id": "7e52b41b-71ad-457b-ab7e-0620f1fc4feb",
        "publisherId": { "publisherId": "5f5636e7-69ed-4afe-b5d6-8d231fb3d3ee", "publisherName": "ms-vscode", "displayName": "Microsoft", "flags": "verified" },
        "publisherDisplayName": "Microsoft"
      }
    }
  ],
  "date": "2021-08-09T15:10:39.340Z",
  "checksums": {
    "vs/base/parts/sandbox/electron-browser/preload.js": "HFNGobD8qQbCdCfqvVVY5A",
    "vs/workbench/workbench.desktop.main.js": "yQiZWsDlSkAgsBTKQU1cgw",
    "vs/workbench/workbench.desktop.main.css": "KMkDvr7qWs/pxY6PFMTJYg",
    "vs/workbench/services/extensions/node/extensionHostProcess.js": "HbpthGdCn6UF8/uWKqSh6A",
    "vs/code/electron-browser/workbench/workbench.html": "oUELX9mVAjhdP0ND63vLsA",
    "vs/code/electron-browser/workbench/workbench.js": "TVGTgn9CDp2PQsoXUHdEsQ"
  }
}

VSCodium-v1.59.x will include a patch to disable the CORS validation (which was added in 1.58.0).

@brianking @spoenemann is there any update to this critical/fundamental issue?

The issue affects all eclipse-theia based cloud applications, vscodium, gitpod and potentially other vscode compatible applications. I attempted a fix for the issue in the past (https://github.com/eclipse/openvsx/pull/292) and I believe the spring endpoints are properly configured. Someone with a greater understanding of the infrastructure (and possibly nginx, proxy) should likely take a look at what the root cause might be.

cc @marcdumais-work @paul-marechal

Call me crazy, but shouldn’t this be fixed already? Shouldn’t take long, and the issue is on the openvsx side (they don’t have CORS headers properly set up). CORS is not mysterious.

I’ve found the change: https://github.com/microsoft/vscode/blob/1.58.0/src/main.js#L177. There is a workaround, but that option will be removed next month.

Hopefully, open-vsx.org will fully support CORS by then

@eclipsewebmaster here’s a Bash command that inspects headers for the public instance of Open VSX:

curl \
    --dump-header - \
    --header 'Content-Type: application/json' \
    --header 'Origin: https://some-domain.com' \
    --data '{"extensionId":"patate"}' \
    --request POST 'https://open-vsx.org/api/-/query' \
    --stderr /dev/null | \
    grep -i 'Access-Control-Allow-Origin'

As long as grep doesn’t return Access-Control-Allow-Origin: * the problem is not fixed.

edit: Hopefully this helped you enough despite being wrong…

edit: Fixed case sensitivity as the server responds with lowercased access-control-allow-origin:.

edit: Added a placeholder Origin: header.

Please do something about this issue. It has effectively rendered the marketplace in open-source builds of VSCode unusable. If the whole “open marketplace” experiment does not work out, users will have no choice but to go back to proprietary builds of VSCode.

@ocelotsloth VSCodium is disabling the CORS check until OpenVSX fully supports them. The Spring component is fully generating the CORS headers but they are dropped by their front-end servers.

start looking into next week

Can we step the timeline up? This is a pretty fundamental problem for application users.

I’m unable to check for extension upgrades in version 1.58.0-1 of the archlinux code package, which (to the best of my knowledge) uses openvsx.

Here’s the error message in the developer tools:

[Screenshot: Screenshot_20210713_165830]

The error message makes me think some important header is missing in the response from open-vsx.org, which is why I came here instead of the archlinux bugtracker.

@eclipsewebmaster I expected the server to respond with * no matter what so I also missed the Origin header… This is my bad.

Testing now from different origins seems to work fine: the Access-Control-Allow-Origin: field copies what was passed as Origin: which gets rid of the CORS issues!

According to https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin#directives the * directive is useful for requests made without credentials. Depending on how the API is meant to be accessed the current behavior of copying the declared Origin: might be fine? Just not sure what’s the best course of action here.

edit: Testing now I see that without an Origin header access-control-allow-origin: * is returned.
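A browser-side view of the header checks discussed in the comments above, as an added example that is not part of the original thread: the XHR in the issue body sets custom headers and a JSON Content-Type, so the browser sends an OPTIONS preflight first, and that response needs both Access-Control-Allow-Origin and a matching Access-Control-Allow-Headers. The origin and both sample responses are constructed, and the rules are a simplified subset of the Fetch CORS check for requests without credentials.

```javascript
// Added example (not from the thread): simplified browser-side CORS checks.
// Response header names are expected as lower-cased object keys.
const SAFELISTED = new Set(['accept', 'accept-language', 'content-language']);
const SIMPLE_TYPES = ['text/plain', 'multipart/form-data',
  'application/x-www-form-urlencoded'];
const list = (v) => (v || '').split(',').map((s) => s.trim().toLowerCase());

// Request header names the server must list in Access-Control-Allow-Headers.
function unsafeHeaders(reqHeaders) {
  return Object.entries(reqHeaders)
    .filter(([name, value]) => {
      const n = name.toLowerCase();
      if (n === 'content-type') {
        return !SIMPLE_TYPES.includes(value.split(';')[0].trim().toLowerCase());
      }
      return !SAFELISTED.has(n);
    })
    .map(([name]) => name.toLowerCase());
}

// Does Access-Control-Allow-Origin admit this origin (no credentials sent)?
function originAllowed(origin, resHeaders) {
  const acao = resHeaders['access-control-allow-origin'];
  if (acao === undefined) return { ok: false, reason: 'ACAO missing' };
  if (acao === '*' || acao === origin) return { ok: true, reason: 'ACAO ' + acao };
  return { ok: false, reason: 'ACAO mismatch' };
}

// Evaluate the OPTIONS preflight response for a POST with these headers.
function checkPreflight(origin, reqHeaders, resHeaders) {
  const o = originAllowed(origin, resHeaders);
  if (!o.ok) return o;
  const allowed = list(resHeaders['access-control-allow-headers']);
  const missing = unsafeHeaders(reqHeaders)
    .filter((h) => !allowed.includes('*') && !allowed.includes(h));
  return missing.length
    ? { ok: false, reason: 'not in allow-headers: ' + missing.join(', ') }
    : { ok: true, reason: 'preflight ok' };
}

// Header names set by the XHR in the issue body; origin and user id are placeholders.
const ORIGIN = 'https://client.example';
const REQ = { 'X-Market-Client-Id': 'VSCode 1.58.0', 'X-Market-User-Id': 'constructed-id',
  'Content-Type': 'application/json', 'Accept': 'application/json;api-version=3.0-preview.1' };
// Constructed responses: CORS headers dropped by a proxy vs. origin echoed back.
const DROPPED = { 'content-type': 'application/json' };
const ECHOED = { 'access-control-allow-origin': ORIGIN, 'vary': 'Origin',
  'access-control-allow-headers': 'content-type, x-market-client-id, x-market-user-id' };

console.log(unsafeHeaders(REQ), checkPreflight(ORIGIN, REQ, DROPPED), checkPreflight(ORIGIN, REQ, ECHOED));
```

A check that only greps the POST response for Access-Control-Allow-Origin does not exercise the preflight, so a server can pass it and still be rejected by the browser for the request headers.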

is not returning the access-control-allow-origin: * header when no Origin is specified (please see earlier comments).

@eclipsewebmaster yes, that’s normal.

Everything looks to be working in my vscode install. 😃

Since VSCode v1.60, this issue has become a catastrophic issue. The path to load the resources with node has been completely removed. So no easy patch. I’ve put on hold VSCodium v1.60 until a complete fix of the issue.

Seems pull request #284 is relevant to this issue.

Also, using this extension on Firefox I was able to bypass CORS limitations and successfully get the correct answer from the server using the function typed above. Without the extension, CORS configuration fails with the same error as well. So the current workaround (client-side) would be to bypass the CORS configuration the same way the extension does. As VSCode and VSCodium are Electron-based, even the same extension could be injected into VSCodium as a proof of concept (or even analyze the extension and develop a similar method of bypassing CORS, as the following extension has its code non-minified, well commented and published on GitHub).

EDIT: I’ve read VSCodium issues and actually forgot about Chromium flags, so it is much simpler just to use a flag with the commandLine.appendSwitch() API to programmatically control VSCodium behaviour about CORS server policy.

Thanks! Installing CORS Ublock fixed it for me on Mac.

Seems like something has been changed on the client side to validate the CORS policy. I will check that.

If I have time, I will check how to configure CORS with Spring. It’s been years that I haven’t done any Java dev and much more with Spring…