Skip to content

Fix fetching private extensions from bext

Administrator requested to merge extensions-private-registry into master

Created by: lguychard

Fixes #5185

Fetching private registry extensions from the browser extension was broken. The fix is twofold:

  • On the browser extension side, requests to fetch bundles from the private registry should include credentials. This fixed the 401 error that https://app.hubspot.com/contacts/2762526/company/768958849/ ran into...
  • ...but replaced it with a CORS error. This is because in extension_bundle.go, Access-Control headers were set to allow cross-origin access to bundles hosted on sourcegraph.com. These lax headers caused no issues with same-origin requests made from the self-hosted sourcegraph webapp, but broke cross-origin requests from the browser extension: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'.. I fixed this by only downgrading these headers on sourcegraph.com.

Test plan:

  • Published an extension to the private registry of my local dev instance and activated it
  • Verified that the private extension bundle was correctly fetched from the browser extension on the code host.
  • Verified that the private extension bundle was correctly fetched from the webapp.
  • Verified that public extension bundles were correctly fetched from the browser extension & the webapp.

Merge request reports

Loading