Fix fetching private extensions from bext
Created by: lguychard
Fixes #5185
Fetching private registry extensions from the browser extension was broken. The fix is twofold:
- On the browser extension side, requests to fetch bundles from the private registry should include credentials. This fixed the 401 error that https://app.hubspot.com/contacts/2762526/company/768958849/ ran into...
- ...but replaced it with a CORS error. This is because in `extension_bundle.go`, `Access-Control` headers were set to allow cross-origin access to bundles hosted on sourcegraph.com. These lax headers caused no issues with same-origin requests made from the self-hosted sourcegraph webapp, but broke cross-origin requests from the browser extension: `The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'.` I fixed this by only downgrading these headers on sourcegraph.com.
Test plan:
- Published an extension to the private registry of my local dev instance and activated it
- Verified that the private extension bundle was correctly fetched from the browser extension on the code host.
- Verified that the private extension bundle was correctly fetched from the webapp.
- Verified that public extension bundles were correctly fetched from the browser extension & the webapp.
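The CORS rule behind the error quoted in the description, as an added Go sketch that is not the code from this PR or from `extension_bundle.go`: a credentialed cross-origin response is only exposed when `Access-Control-Allow-Origin` names the exact origin and credentials are allowed. The function names, the `alwaysWildcard` switch modelling the pre-fix behaviour, the stand-in instance CORS policy and the origin `https://codehost.example` are all assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"net/http"
)

// instanceCORS stands in for a self-hosted instance's own CORS policy
// (assumption): echo an allow-listed origin and permit credentials.
func instanceCORS(h http.Header, origin string, allowed map[string]bool) {
	if allowed[origin] {
		h.Set("Access-Control-Allow-Origin", origin)
		h.Set("Access-Control-Allow-Credentials", "true")
		h.Add("Vary", "Origin")
	}
}

// setBundleCORS is a hypothetical bundle-handler step: the wildcard is applied
// only when wildcard is true (the dotcom instance, or every instance pre-fix).
func setBundleCORS(h http.Header, wildcard bool) {
	if wildcard {
		h.Set("Access-Control-Allow-Origin", "*")
	}
}

// browserAccepts applies the browser-side check for a cross-origin request
// sent with credentials mode 'include': exact origin, never '*'.
func browserAccepts(h http.Header, origin string) bool {
	acao := h.Get("Access-Control-Allow-Origin")
	return acao != "*" && acao == origin &&
		h.Get("Access-Control-Allow-Credentials") == "true"
}

// fetchBundle simulates one credentialed bundle request and reports whether
// the browser would expose the response to the requesting origin.
func fetchBundle(isDotCom, alwaysWildcard bool, origin string) bool {
	h := http.Header{}
	instanceCORS(h, origin, map[string]bool{origin: true})
	setBundleCORS(h, isDotCom || alwaysWildcard)
	return browserAccepts(h, origin)
}

func main() {
	origin := "https://codehost.example" // constructed sample origin
	fmt.Println("private instance, wildcard everywhere:", fetchBundle(false, true, origin))
	fmt.Println("private instance, wildcard on dotcom only:", fetchBundle(false, false, origin))
}
```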