Can no longer use insecure wallabag host
It appears that a policy change has occurred that is blocking the use of insecure (HTTP) wallabag hosts.
Firefox insists on upgrading the connection to a secure one:
Port disconnected, attempting to reconnect... 7 [options.js:618:21](moz-extension://80181e0a-fd54-445f-b441-3f2623d4b296/js/options.js)
Content-Security-Policy: Upgrading insecure request ‘http://192.168.1.3:4513/developer’ to use ‘https’
Uncaught (in promise) TypeError: NetworkError when attempting to fetch resource.
did you recently upgraded your Firefox or your wallabag? Which wallabag version?
Have you tried to define an exception in Firefox settings under 'HTTPS-Only Mode'
Same problem. It broke today, presumably when upgrading Wallabagger to 1.19.0. (Nothing else changed - e.g. Firefox settings and Wallabag host version.)
@dleslie and @angelaambroz can you try with this old version https://addons.mozilla.org/firefox/downloads/file/4253375/wallabagger-1.17.0.xpi please?
Yep - fixed for me on 1.17.0. Thanks!
I pushed a rollback. Everything should work as expected with v1.19.2.
Hi @angelaambroz can you try the beta version to let us now if it works as expected on an insecure context please? You can pick it here.
Closing because it shouldn't be an issue anymore. Feel free to reopen it if you need it.
Hi @Simounet, I'm using the 1.20.0 version on Firefox and have the same problem. Tried the 1.17.0 and works fine. My problem is with the URL check in the extension settings. When I click the "check URL" button, the loader starts and remains there for ever. On inspector, network tab, I see the error: CORS Failed
Where can I find the 1.19.2 version to test it? On https://github.com/wallabag/wallabagger/releases I don´t see the xpi link and on https://addons.mozilla.org/fr/firefox/addon/wallabagger-beta/ I only see the 1.20.0.2 beta version. Thanks!
@dodo67
- have you tried with the beta?
- You can download older xpi on the 'version' sub-page of the Mozilla addon page 'https://addons.mozilla.org/en-US/firefox/addon/wallabagger/versions/
@dodo67 1.19.2 was a rollback to 1.17.0 (we can't do proper rollbacks in extensions, going forward is mandatory). It's tricky for me to reproduce it because I have only secure connexions so HTTP requests upgraded to secure ones through CSP.
* have you tried with the beta? * You can download older xpi on the 'version' sub-page of the Mozilla addon page 'https://addons.mozilla.org/en-US/firefox/addon/wallabagger/versions/
Hi @HolgerAusB , Thank you for the versions archive URL, from there I installed the 1.19.2 and it works perfectly. The only beta version I see is the 1.20.0.2. I tried that but it does not work.
@dodo67 1.19.2 was a rollback to 1.17.0 (we can't do proper rollbacks in extensions, going forward is mandatory). It's tricky for me to reproduce it because I have only secure connexions so HTTP requests upgraded to secure ones through CSP. Would you mind sharing your wallabag's instance with me so I can debug it? If so, you can send me a mail: wallabagger at myusername dot net.
Hi @Simounet, sorry, my Wallabag instance is on a local network and is not exposed to the internet. When I am away from home, I use a VPN to access the local network. I think it would be too complicated for me to configure everything to make Wallabag accessible to you.
I understand. I'm working on a fix.
Hi @dodo67 @vrachnis @jedfonner could you try this version? You should be able to load it on Firefox Developer Edition or nightly (about:debugging#/runtime/this-firefox).
I've just released version 1.21.0 with fixes on it. Let me know if it's working for you.
Seems to be working well. Thanks for the quick response.
@jedfonner just to be sure, did you use the v1.21.0 or the beta version I uploaded in this thread?
just managed to re-test and the version that's already in the addon store (1.21.0) works without issues on firefox 👍
I went to the Manage Extensions page > Wallabag then clicked the gear and selected Check for Updates. I noticed the version changed to 1.21.0. I then tested and it no longer runs into the https error.
I noticed, however, that when I click "Check URL", it turns green but shows a link to "Or you can click here to fill in the credentials manually". I have to click that link to enter my credentials. I'm not sure what is supposed to happen instead - is there supposed to be some kind of automatic token acquisition that doesn't work on http?
@vrachnis Thanks for your feedback. Did you get the token selector or did you click on the link to enter the info manually?
@jedfonner Yes, you should have a select with your existing tokens. It's better than before, but I think there is still room for improvement.
Hi @Simounet sorry for the late reply. I just installed the wallabagger-1.20.0.3.zip version and it works perfectly for me too. Now I installed the 1.21.0. It works the same:
- I enter my wallabag url (with "use HTTPS"disabled) and click on "Check URL¨
- the "pick a client" select appear, I select one of the clients
- all the other input fields appear, I see Client ID and Client secret already filled but not editable, while user login and user password are empty
- I input user and password, then clcck on 'get token", all fields become green and on the right I see:
wallabag URL checked OK wallabag permission checked Agreed wallabag API version 2.6.13 wallabag API token Granted
Thank you!
No worries @dodo67 , thanks for your feedback. I'm closing this issue.