Firefox misreports a CORS error

3 views
Skip to first unread message

Gregory Neil Jansen

unread,
Oct 21, 2020, 12:22:50 PM10/21/20
to trell...@googlegroups.com
Hey all,
A few notes on running the docker quarkus image, trellisldp/trellis-postgresql:0.16.1, for my recent Firefox front end GUI testing. I am writing a Vue app that makes XHR requests to the Trellis backend on a different port. Since these requests are CORS enabled, it seems like Firefox reports many different issues as CORS related, even when they are not.

After finally testing the GUI in Chromium, I found one such problem, which was that my big TIFF image POST request exceeded the max body size in Quarkus HTTP. After adding the necessary environment variable in docker-compose.yml, it started working.

QUARKUS_HTTP_LIMITS_MAX_BODY_SIZE: "10G"

I also found that Firefox wanted this setting, even though I do not *think* that my XHR requests are using any credentials:

QUARKUS_HTTP_CORS_ACCESS_CONTROL_ALLOW_CREDENTIALS: "true"

Finally, the docker image did not start normally for me, at least until I re-added this setting that is present for trellis testing:

MP_JWT_VERIFY_PUBLICKEY_LOCATION: "https://www.trellisldp.org/tests/jwks.json"

This public key does not belong to me, but it works for my tests. I think we need to document some setup steps for this, since it doesn't work (for me) "out of the box" anymore.

all the best from North Carolina,
Greg

--
Gregory N. Jansen
Research Software Architect
Advanced Information Collaboratory
School of Information Studies
University of Maryland in College Park

Aaron Coburn

unread,
Oct 23, 2020, 10:41:36 PM10/23/20
to trell...@googlegroups.com
Hi Greg,
This is all really helpful information. The JWKS location is due to the Smallrye library becoming more strict about defining a valid JWKS URL.
I *thought* we were running weekly tests on the docker containers, which would have caught something like this. Turns out the cron job for this was still tied to the "master" branch, which now no longer exists; the default branch is now "main".

In any case, I could definitely replicate what you were seeing in the automated docker tests (which have now been fixed up), so we should add some clearer documentation around the JWT public key. And while using that public key works for your tests, you should *never* rely on it. First, you have no control over the key, and second, the private portion of that keypair is included in the Trellis codebase (for testing: so that signed JWTs can be generated and then verified by a remote JWKS resource).

Cheers,
Aaron



--
You received this message because you are subscribed to the Google Groups "Trellis LDP" group.
To unsubscribe from this group and stop receiving emails from it, send an email to trellis-ldp...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/trellis-ldp/CAK8%2BkyLLZOkzfd4Dc89x%2BaNF%2B5Gu-QndQdU45WOLygfKh4U6Vw%40mail.gmail.com.

Gregory Neil Jansen

unread,
Oct 26, 2020, 10:17:47 PM10/26/20
to trell...@googlegroups.com
Glad that this was helpful. I knew it was something in a recent docker image that had changed, so I did some sleuthing before sending email.
Greg

Reply all
Reply to author
Forward
0 new messages