Port Visibility & CORS #15351

chadhietala · 2022-04-21T19:54:55Z

chadhietala
Apr 21, 2022

I spent the past couple days trying to figure out how to resolve a CORS related problem within Github Codespaces. Consider the following scenario:

App is served on port 3000 and is assigned the URL https://chad-my-project-abc231-3000.githubpreview.dev
API is served on port 7007 and is assigned the URL https://chad-my-project-abc231-7007.githubpreview.dev
From the browser app tries to fetch a todos from https://chad-my-project-abc231-7007.githubpreview.dev/api/todos

As of right now the only way you can do this is if you set the port visibility on the API server (7007) to Public. Both Private and Private to Organization seem to block the requests. I believe that there is a need to make the port accessible to the organization but not Public.

With Public Port Visibility

With Private to Organization Port Visibility

weiklr · 2022-05-17T02:55:06Z

weiklr
May 17, 2022

I have the same problem as well. anyone had any luck solving this without using public visibility?

0 replies

jan-grosser · 2022-07-05T17:39:55Z

jan-grosser
Jul 5, 2022

Unfortunately we have the same problem, did anyone find a solution?

0 replies

liorbrauer · 2022-08-28T15:15:53Z

liorbrauer
Aug 28, 2022

The only solution I have currently found other than manually setting this via the gui is running:

gh codespace ports visibility 3000:public -c $CODESPACE_NAME

In the codespace terminal. However, that only works once the port has been forwarded, and I still don't have a consistent way of automatically running the command once the server is up.

6 replies

mohdali Oct 1, 2022

gh codespace ports visibility 3000:public -c $CODESPACE_NAME

I tried this approach, but it doesn't change to public unless the port is already listening. So I have to wait till my API server is started then manually change to public.

Is there any way to predefine as public regardless of if the port is currently listening?

liorbrauer Oct 1, 2022

hey @mohdali (and anyone following this), I actually got it working consistently, but with kind of a hacky solution. Sharing here if anyone was looking for working solution:

Added a .devcontainer/devcontainer.json file and configured the ports I want to be made public to be auto-forwarded. This helps make sure that when we later run the gh codespace ports command it will take effect, since the port will already be assigned and forwarded (and doesn't need to wait for you to run your own process that assigns the port):

(devcontainer.json)

{
  "forwardPorts": [3000, 3001]
}

Then I also add a command to run a custom bash script file (setup.sh) under postAttachment script to be run when the container is first booted:

(devcontainer.json)

{
  "forwardPorts": [3000, 3001],
  "postAttachCommand": "/bin/bash .devcontainer/setup.sh",
}

In the setup.sh file I added I first tried just running the gh codepsace ports command (gh codespace ports visibility 3000:public -c $CODESPACE_NAME) but it still wasn't consistent. My suspicion is a timing/racing-condition issue. So to get around that I did kind of a hacky thing, I added the follow command to append the gh codespace ports command to the .bashrc file so that the command will run every time we open a terminal window. The code looks like this:

(setup.sh)

echo "gh codespace ports -c $CODESPACE_NAME" >> ~/.bashrc

This basically works consistently, but is kind of hacky. (Also, if your codespace users use zsh instead, you need to do the same for the ~/.zshrc file, etc.)

Hope this helps!

mohdali Oct 1, 2022

@liorbrauer thanks a lot for this. I can live with it in the meantime but I don't like how complicated it is and the main intention is to enable CORS not to make the API public.

Hope we will get a better way soon.

My aim is to allow users try the application in codespaces. So I need to reduce the friction as much as possible.

patrickkmatias Jan 20, 2023

I've faced this issue recently and I did create a open-port.sh script to open automatically in codespaces or gitpod after 5 seconds. With it I can call it only when it is needed like:

"dev:cloud": "./vite/open-port.sh & npm run dev",

Note that it is important to be used with the & operator (not &&) to run at the same time as the second command; otherwise the second command would be called only after the script has ran and would throw an error, because the port wouldn't be exposed yet.

#!/bin/bash
# After 5 seconds, turn Vite port to public and show no command output on CLI
sleep 5
if [ -n "$CODESPACES" ]; then
    gh codespace ports visibility 5173:public -c $CODESPACE_NAME > /dev/null 2>&1
elif [ -n "$GITPOD_WORKSPACE_URL" ]; then
    gp ports visibility 5173:public > /dev/null 2>&1
else
    echo "Neither CODESPACES or GITPOD_WORKSPACE_URL environment variable is set"
fi
#
# This script is intended to be used only in Browser cloud environment,
# because of a issue involving bad handled preflight requests when
# the port is private from Github and Gitpod parts.
# @see https://github.com/community/community/discussions/15351

acho1833 Jun 1, 2024

It's really weird that there's no official solution to this yet. Thanks for your script! Now I know 'sleep' command in bash!

mohdali · 2022-09-10T07:38:20Z

mohdali
Sep 10, 2022

Hi,

I'm facing the same issue. Is there any other solution to provide CORS headers without changing to public?

0 replies

omarkohl · 2022-11-10T20:33:28Z

omarkohl
Nov 10, 2022

As far as I can tell this is due to the fact that the preflight OPTIONS request is not supposed to contain authentication information (and the browser does not send it!), but the GitHub Codespaces server is expecting this info and otherwise rejects the request.

Preflight requests and credentials

CORS-preflight requests must never include credentials. The response to a preflight request must specify Access-Control-Allow-Credentials: true to indicate that the actual request can be made with credentials.

https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#requests_with_credentials

I ran into the same issue with Gitpod and made a detailed bug report for them, so far without response. gitpod-io/gitpod#14576 To me it seems to be exactly the same issue and considering how similar Gitpod and GitHub Codespaces look, I assume they are based on the same code base.

EDIT: As mentioned in a different comment, I created an example repository to reproduce this issue. https://github.com/omarkohl/gh-codespaces-cors

1 reply

liorbrauer Nov 10, 2022

As far as I can tell this is due to the fact that the preflight OPTIONS request is not supposed to contain authentication information (and the browser does not send it!), but the GitHub Codespaces server is expecting this info and otherwise rejects the request.

Preflight requests and credentials

CORS-preflight requests must never include credentials. The response to a preflight request must specify Access-Control-Allow-Credentials: true to indicate that the actual request can be made with credentials.

https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#requests_with_credentials

I ran into the same issue with Gitpod and made a detailed bug report for them, so far without response. gitpod-io/gitpod#14576 To me it seems to be exactly the same issue and considering how similar Gitpod and GitHub Codespaces look, I assume they are based on the same code base.

Interesting, I will take look at your reported issue, thanks for sharing!

Fwiw, you are correct, as far as I know gitpod basically wraps the vscode code base, so definitely similar issue (noticed it as well).

cmuto09 · 2022-11-11T00:05:20Z

cmuto09
Nov 11, 2022

Hey @chadhietala- thanks for the report!

This is a known issue, and we are determining the best approach to fix it. @omarkohl is exactly right that the underlying issue is the OPTIONS request not allowing authentication of org or private port based scenarios from the web-based IDE.

Using public ports will work, but you can also work around this by connecting to your codespace via VS Code Desktop rather than the web based browser. VS Code Desktop enables you to privately forward ports from your codespace to your local machine directly (at localhost:<port>). Using this method does not trigger the authentication flow that is blocking your current requests.

This workaround does not help for org-based ports though since those require publicly accessible URLs, which will fail on authentication again.

4 replies

omarkohl Nov 12, 2022

I created a Git repository with a minimal example to reproduce this with GitHub Codespaces. Can be used for debugging or to verify someday that the issue has been fixed. https://github.com/omarkohl/gh-codespaces-cors

davidlahuta Jul 20, 2023

So any progress on this?

jprosevear Oct 20, 2023

@cmuto09 circling around on this - is there a plan? Makes simple monorepo usage painful in a secure way.

billy1kaplan Feb 6, 2024

Any updates on this? This would be a really useful feature to have!

howieyuen · 2022-12-02T03:54:34Z

howieyuen
Dec 2, 2022

I disable chrome plugin: chrome://flags/#block-insecure-private-network-requests, and works for me!!!

2 replies

omarkohl Dec 2, 2022

This must be a different issue. The examples listed above don't use private IPs. You might run into issues with private IPs when forwarding to VS Code Desktop.

If you want to verify you can try https://github.com/omarkohl/gh-codespaces-cors in the browser only (without VS Code Desktop) and you will see disabling the "Block insecure private network requests" Chrome setting won't help.

o0stephen0o Jun 13, 2023

Since I need to work outside, which the computer can't be installed anything that I must use it on the web.
I disable the plugin and make the port I need to connect to be public
finally, they can connect and the CORS error was disappeared. Thanks for your help!

theforgottenwizard · 2024-02-23T08:34:42Z

theforgottenwizard
Feb 23, 2024

I spent the past couple days trying to figure out how to resolve a CORS related problem within Github Codespaces. Consider the following scenario:

App is served on port 3000 and is assigned the URL https://chad-my-project-abc231-3000.githubpreview.dev

API is served on port 7007 and is assigned the URL https://chad-my-project-abc231-7007.githubpreview.dev

From the browser app tries to fetch a todos from https://chad-my-project-abc231-7007.githubpreview.dev/api/todos

As of right now the only way you can do this is if you set the port visibility on the API server (7007) to Public. Both Private and Private to Organization seem to block the requests. I believe that there is a need to make the port accessible to the organization but not Public.

With Public Port Visibility

With Private to Organization Port Visibility

Helped me solve my problem. Thanks for sharing.

0 replies

Hetnon · 2024-03-26T04:30:52Z

Hetnon
Mar 26, 2024

so 2 years later and no answer??
is it serious that not every project trying to use codespace hit this wall?

1 reply

hamzashadeez Sep 21, 2024

This is weird really

Jhohny · 2024-10-25T23:40:17Z

Jhohny
Oct 25, 2024

In my case, port 5000 was still returning a CORS error even after stopping my container app. I ran lsof -i :5000 to check if something else was using this port locally, and I found the following running on port 5000:

$ lsof -i :5000
ControlCe 1800 mbp14    8u  IPv4 0xfe25a9e6585f8167      0t0  TCP *:commplex-main (LISTEN)
ControlCe 1800 mbp14    9u  IPv6 0x9bcddd7518115a5f      0t0  TCP *:commplex-main (LISTEN)

I discovered this process was related to macOS AirPlay. I changed my container app to use a different port, and that resolved the issue.

0 replies

Port Visibility & CORS #15351

Replies: 10 comments · 14 replies

Replies: 10 comments 14 replies