While testing/demoing one of our apps in PSDC we noticed that while Chrome/ium was managing to load a 3rd party spreadsheet both Firefox and Safari were completely broken at the headers and permissions headers.
We use code from a worker which requires SharedArrayBuffer and while we managed to enable it, all requests were blocked by the browsers.
To Reproduce
import requests
from typing import Union, Optional
from xlrd import Book
from xlrd.sheet import Sheet

# Sync Calls
from pyodide_http import patch_requests


def extract(content, sheet_name=None):
    """ do stuff """


def sync_load(data_url: str, sheet_name: Optional[str] = None) -> Optional[Union[Book, Sheet]]:
    """"""
    patch_requests()  # patch requests and
    r = requests.get(data_url)
    if r.status_code != 200:  # Not OK
        return None
    return extract(r.content, sheet_name=sheet_name)
The error in Safari is about headers messed up
[Error] Refused to set unsafe header "Accept-Encoding"
[Error] Refused to set unsafe header "Connection"
[Error] Preflight response is not successful. Status code: 403
[Error] Failed to load resource: Preflight response is not successful. Status code: 403 (sample_workbook.xls, line 0)
[Error] XMLHttpRequest cannot load https://raw.githubusercontent.com/XXX/sample_workbook.xls due to access control checks.
[Error] Failed to load resource: Preflight response is not successful. Status code: 403 (sample_workbook.xls, line 0)
ending up in pyodide as A network error occurred.
Expected behavior
If we change the code to use XHR out of the box everything works without issues and no network warning is ever shown:
There is a lot of header manipulation, but in some cases browsers really don't like user-land code messing with security-related, server-defined headers, so overriding the MIME type, as an example, can be considered insecure, as well as anything else that would not otherwise already be part of the predefined headers.
I hence suggest allowing something like patch_requests(ignore_headers=True) so that nothing is changed, but I am also not sure why a non-worker env should change anything about MIME type expectations ... although I think that in our case that value is True.
Environment
Browser version: breaks in Safari latest and Firefox latest
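The "Refused to set unsafe header" lines and the failed preflight in the log above correspond to two lists in the Fetch standard: forbidden request headers, which script can never set, and headers outside the CORS safelist, which force a preflight. The following is an added example, not code from pyodide-http or from the issue author; the function names and the SAMPLE headers are constructed for illustration, and the safelist check is simplified.

```python
# Added example, not pyodide-http code. Header lists follow the Fetch standard;
# the safelist check is simplified (no Range handling, no unsafe-byte checks).
FORBIDDEN = frozenset({
    "accept-charset", "accept-encoding", "access-control-request-headers",
    "access-control-request-method", "connection", "content-length", "cookie",
    "cookie2", "date", "dnt", "expect", "host", "keep-alive", "origin",
    "referer", "set-cookie", "te", "trailer", "transfer-encoding", "upgrade", "via",
})
FORBIDDEN_PREFIXES = ("proxy-", "sec-")
SAFELISTED = frozenset({"accept", "accept-language", "content-language"})
SAFE_CONTENT_TYPES = frozenset({
    "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
})


def is_forbidden(name):
    """True if script may not set this request header (the browser refuses it)."""
    n = name.lower()
    return n in FORBIDDEN or n.startswith(FORBIDDEN_PREFIXES)


def needs_preflight(name, value):
    """True if setting this header makes a cross-origin request non-simple."""
    n = name.lower()
    if len(value.encode()) > 128:  # safelisted values are capped at 128 bytes
        return True
    if n in SAFELISTED:
        return False
    if n == "content-type":
        return value.split(";")[0].strip().lower() not in SAFE_CONTENT_TYPES
    return True


def classify(headers):
    """Sort headers into: refused by the browser, preflight-triggering, simple."""
    out = {"dropped": [], "preflight": [], "simple": []}
    for name, value in headers.items():
        key = ("dropped" if is_forbidden(name)
               else "preflight" if needs_preflight(name, value) else "simple")
        out[key].append(name)
    return out


# Constructed sample resembling the default headers a requests session sends.
SAMPLE = {"User-Agent": "python-requests/0.0.0", "Accept-Encoding": "gzip, deflate",
          "Accept": "*/*", "Connection": "keep-alive"}

if __name__ == "__main__":
    print(classify(SAMPLE))
```

Running a session's headers through `classify` before they reach the XHR layer shows which ones the browser will refuse and which ones turn a plain GET into a preflighted request that the remote server must explicitly allow.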
This was erroneously opened in here pyodide/pyodide#4191
I suspect the error is somewhere in here: https://github.com/koenvo/pyodide-http/blob/main/pyodide_http/_core.py#L75