Parity rejects MetaMask's `x-metamask-origin` header, and consequently all MetaMask/Firefox requests, during CORS preflight | paritytech Funded Issue Detail | Gitcoin

The Web3 World Virtual Hackathon runs October 28th to November 11th - Check out the Details. ×

Grow Open Source

Cookies disclaimer

Back to Issue Explorer

Time left

Opened

Issue Type

Workers Auto Approve

Project Type

Time Commitment

Experience Level

Permissions

Accepted

Reserved For

Description

Contributors

Work Started

Work Submitted

Work Paid

All Activity

Funder

Funder :

Email :

Parity rejects MetaMask's `x-metamask-origin` header, and consequently all MetaMask/Firefox requests, during CORS preflightparitytechparity, paritytech, Rust, Shell, C++, Swift, NSIS, CI'm running: - **Parity version**: 1.6.10 - **Operating system**: Linux - **And installed**: via `parity/parity:stable` Docker image When using MetaMask 3.10.8 on Firefox 55 on Windows 7, pointed at my Parity node running on another Ubuntu machine, I observe an HTTP exchange that goeth thusly: ``` OPTIONS / HTTP/1.1 Host: 10.1.0.8:8545 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Access-Control-Request-Method: POST Access-Control-Request-Headers: content-type,x-metamask-origin Origin: moz-extension://c2480724-8a32-4afc-a7aa-c1d18a8bf229 Connection: keep-alive HTTP/1.1 200 OK Content-Type: application/json Allow: OPTIONS, POST Access-Control-Allow-Headers: origin, content-type, accept Access-Control-Allow-Origin: moz-extension://c2480724-8a32-4afc-a7aa-c1d18a8bf229 Date: Mon, 02 Oct 2017 00:58:04 GMT Transfer-Encoding: chunked ``` This is a CORS preflight for an actual request, but the actual request is never sent. MetaMask wants to send an `x-metamask-origin` header with its request, giving the actual page (as opposed to `moz-extension://c2480724-8a32-4afc-a7aa-c1d18a8bf229`) that it is proxying requests for. Presumably this is so that you could potentially configure your node to handle requests only for certain duly authorized actual page origins, even when using MetaMask. Parity doesn't seem to know about this header, and in particular is not returning it in the `Access-Control-Allow-Headers`. According to the CORS spec, that means that the browser must not permit a request to be made with that header on it. MetaMask (on Firefox, at least) insists on trying to send the header, so Firefox blocks its request altogether. The net result of all this is that MetaMask on Firefox does not work with a Parity node as the backend. For maximum compatibility, Parity should echo back all the headers from `Access-Control-Request-Headers` in `Access-Control-Allow-Headers`. There could be a blacklist of headers that web pages should be prohibited from sending, but I don't think Parity trusts the RPC headers at all anyway, so I can't think of a reason not to just let pages send whatever they want. This is related to https://github.com/MetaMask/metamask-extension/issues/1779. It can be fixed in MetaMask with https://github.com/MetaMask/metamask-extension/pull/2250 to have MetaMask not send the header, or https://github.com/MetaMask/metamask-extension/pull/2138 to just ignore/skip the CORS preflight (as long as the Parity instance you are using is running on one of the domains mentioned in the MetaMask manifest). However, Parity should also fix it; you never know what `x-` headers a client is going to want to send.

2019 September 19 - Gitcoin's Virtual Hackathon series has distributed over $400k to hackers across the world. Learn more

Cookies disclaimer

Transaction Processing

Work with ${user} again on your next bounty ?

No funded issue found.