Skip to content

Support configuring additional allowed origins #498

New issue
New issue
Open
#499
Open
Support configuring additional allowed origins#498
#499
@Thunder33345

Description

@Thunder33345
Thunder33345
opened on Nov 14, 2024

It should be possible for users to change the allowed CORS origin that the server will accept
I have been using sideloaded aw-web-watcher extension for my Chromium browser for a long time, and it worked without any issue until I migrated to aw-server-rust.

Proposed solution

Allow user to manually add regexes so that they can allow their own sideloaded extensions to access the server

Why this is necessary for my workflow:

I use a custom sideloaded extension because I am using Vivaldi, an alternative Chromium browser, which the aw-web-watcher seems to have issues with tracking hostnames properly.

Relevant issue: ActivityWatch/aw-watcher-web#132, ActivityWatch/aw-watcher-web#102

Therefore, I decided that sideloading will patched hardcoded values be the simplest fix while I wait for a proper fix, which still seems to be missing as of now

The ability to support other extension ids is crucial for me to keep tracking my Chromium web activities.

Problem

It took me an extended period of time to notice that my Chromium browser is no longer showing up on activity watcher partially because my firefox extension was still logging activities as usual.
Only when I explicitly searched for my chromium activity, that I noticed it is now missing.
So it had been on endless retrying loop forever since I migrated to rust.

Tracking down the error in the extension shows the below, which isn't helpful

{
  "error": {
    "code": 403,
    "reason": "Forbidden",
    "description": "The server refused to authorize the request."
  }
}

Peeking at the server logs showed this message

[2024-11-14 14:28:29][�[31mERROR�[0m][rocket_cors::fairing::_]: CORS Error: Origin 'chrome-extension://jmdbkmbphoikckgkcnpoojbfeiaoaocl' is not allowed to request

Checking the source code revealed this
https://github.com/ActivityWatch/aw-server-rust/blob/master/aw-server/src/endpoints/cors.rs#L16-L21

    let mut allowed_regex_origins = vec![
        "chrome-extension://nglaklhklhcoonedhgnpgddginnjdadi".to_string(),
        // Every version of a mozilla extension has its own ID to avoid fingerprinting, so we
        // unfortunately have to allow all extensions to have access to aw-server
        "moz-extension://.*".to_string(),
    ];

I did saw this line, which seems to allow any chromium extension when in testing mode but that does not seem like the intentional use case for said flag

    if config.testing {
        allowed_regex_origins.push("chrome-extension://.*".to_string());
    }

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions