
Can no longer use insecure wallabag host

Open dleslie opened this issue 4 months ago • 21 comments

It appears that a policy change has occurred that is blocking the use of insecure (HTTP) wallabag hosts.

Firefox insists on upgrading the connection to a secure one:

Port disconnected, attempting to reconnect... 7 [options.js:618:21](moz-extension://80181e0a-fd54-445f-b441-3f2623d4b296/js/options.js)
Content-Security-Policy: Upgrading insecure request ‘http://192.168.1.3:4513/developer’ to use ‘https’
Uncaught (in promise) TypeError: NetworkError when attempting to fetch resource.

dleslie avatar Oct 09 '25 16:10 dleslie
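
What the console line in the report above means mechanically, as an added example (not Wallabagger's code): under a policy carrying `upgrade-insecure-requests`, the scheme is rewritten before the request leaves the browser and a non-default port is kept, so a plain-HTTP server on that port is sent a TLS handshake and the fetch fails. The policy strings and function names are constructed for illustration; the thread does not show the extension's actual policy.

```javascript
// Added example. Policy strings are constructed; the console line is the one quoted in the report.
const SAMPLE_POLICY = "script-src 'self'; upgrade-insecure-requests";
const SAMPLE_LINE =
  'Content-Security-Policy: Upgrading insecure request ‘http://192.168.1.3:4513/developer’ to use ‘https’';

// Parse a CSP value into a Map of directive name -> list of values.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored: the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Return the URL that is actually requested once the policy has been applied.
function effectiveUrl(policy, rawUrl) {
  const url = new URL(rawUrl);
  const upgrade = parseCsp(policy).has('upgrade-insecure-requests');
  if (!upgrade || url.protocol !== 'http:') return url.href;
  // url.host keeps an explicit non-default port (4513 here); only the scheme changes.
  return `https://${url.host}${url.pathname}${url.search}${url.hash}`;
}

// Pull the original URL out of a Firefox console line reporting an upgrade, or null.
function extractUpgradedUrl(line) {
  const m = /Upgrading insecure request [‘'"](.+?)[’'"] to use/.exec(line);
  return m ? m[1] : null;
}

// List the plain-HTTP origins that a set of console lines shows being upgraded.
function affectedOrigins(lines) {
  const origins = new Set();
  for (const line of lines) {
    const original = extractUpgradedUrl(line);
    if (original) origins.add(new URL(original).origin);
  }
  return [...origins];
}

console.log(effectiveUrl(SAMPLE_POLICY, extractUpgradedUrl(SAMPLE_LINE)));
```
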

Did you recently upgrade your Firefox or your wallabag? Which wallabag version?

Have you tried to define an exception in Firefox settings under 'HTTPS-Only Mode'?

HolgerAusB avatar Oct 09 '25 18:10 HolgerAusB

Same problem. It broke today, presumably when upgrading Wallabagger to 1.19.0. (Nothing else changed - e.g. Firefox settings and Wallabag host version.)

angelaambroz avatar Oct 09 '25 20:10 angelaambroz

@dleslie and @angelaambroz can you try with this old version https://addons.mozilla.org/firefox/downloads/file/4253375/wallabagger-1.17.0.xpi please?

Simounet avatar Oct 09 '25 20:10 Simounet

Yep - fixed for me on 1.17.0. Thanks!

angelaambroz avatar Oct 10 '25 13:10 angelaambroz

I pushed a rollback. Everything should work as expected with v1.19.2.

Simounet avatar Oct 10 '25 13:10 Simounet

Hi @angelaambroz can you try the beta version to let us know if it works as expected on an insecure context please? You can pick it here.

Simounet avatar Nov 27 '25 22:11 Simounet

Closing because it shouldn't be an issue anymore. Feel free to reopen it if you need it.

Simounet avatar Dec 01 '25 22:12 Simounet

Hi @Simounet, I'm using the 1.20.0 version on Firefox and have the same problem. Tried the 1.17.0 and works fine. My problem is with the URL check in the extension settings. When I click the "check URL" button, the loader starts and remains there for ever. On inspector, network tab, I see the error: CORS Failed

Where can I find the 1.19.2 version to test it? On https://github.com/wallabag/wallabagger/releases I don't see the xpi link and on https://addons.mozilla.org/fr/firefox/addon/wallabagger-beta/ I only see the 1.20.0.2 beta version. Thanks!

dodo67 avatar Dec 04 '25 14:12 dodo67

@dodo67

  • Have you tried with the beta?
  • You can download older xpi on the 'version' sub-page of the Mozilla addon page: https://addons.mozilla.org/en-US/firefox/addon/wallabagger/versions/

HolgerAusB avatar Dec 04 '25 14:12 HolgerAusB

@dodo67 1.19.2 was a rollback to 1.17.0 (we can't do proper rollbacks in extensions, going forward is mandatory). It's tricky for me to reproduce it because I have only secure connections, so HTTP requests are upgraded to secure ones through CSP.

Simounet avatar Dec 04 '25 17:12 Simounet

> @dodo67
>
>   • Have you tried with the beta?
>   • You can download older xpi on the 'version' sub-page of the Mozilla addon page: https://addons.mozilla.org/en-US/firefox/addon/wallabagger/versions/

Hi @HolgerAusB , Thank you for the versions archive URL, from there I installed the 1.19.2 and it works perfectly. The only beta version I see is the 1.20.0.2. I tried that but it does not work.

dodo67 avatar Dec 04 '25 20:12 dodo67

> @dodo67 1.19.2 was a rollback to 1.17.0 (we can't do proper rollbacks in extensions, going forward is mandatory). It's tricky for me to reproduce it because I have only secure connections, so HTTP requests are upgraded to secure ones through CSP. Would you mind sharing your wallabag's instance with me so I can debug it? If so, you can send me a mail: wallabagger at myusername dot net.

Hi @Simounet, sorry, my Wallabag instance is on a local network and is not exposed to the internet. When I am away from home, I use a VPN to access the local network. I think it would be too complicated for me to configure everything to make Wallabag accessible to you.

dodo67 avatar Dec 04 '25 20:12 dodo67

I understand. I'm working on a fix.

Simounet avatar Dec 04 '25 20:12 Simounet

Hi @dodo67 @vrachnis @jedfonner could you try this version? You should be able to load it on Firefox Developer Edition or nightly (about:debugging#/runtime/this-firefox).

wallabagger-1.20.0.3.zip

Simounet avatar Dec 05 '25 09:12 Simounet

I've just released version 1.21.0 with fixes on it. Let me know if it's working for you.

Simounet avatar Dec 06 '25 16:12 Simounet

Seems to be working well. Thanks for the quick response.

jedfonner avatar Dec 06 '25 18:12 jedfonner

@jedfonner just to be sure, did you use the v1.21.0 or the beta version I uploaded in this thread?

Simounet avatar Dec 06 '25 20:12 Simounet

just managed to re-test and the version that's already in the addon store (1.21.0) works without issues on firefox 👍

vrachnis avatar Dec 06 '25 21:12 vrachnis

I went to the Manage Extensions page > Wallabag then clicked the gear and selected Check for Updates. I noticed the version changed to 1.21.0. I then tested and it no longer runs into the https error.

I noticed, however, that when I click "Check URL", it turns green but shows a link to "Or you can click here to fill in the credentials manually". I have to click that link to enter my credentials. I'm not sure what is supposed to happen instead - is there supposed to be some kind of automatic token acquisition that doesn't work on http?

jedfonner avatar Dec 06 '25 21:12 jedfonner

@vrachnis Thanks for your feedback. Did you get the token selector or did you click on the link to enter the info manually?

@jedfonner Yes, you should have a select with your existing tokens. It's better than before, but I think there is still room for improvement.

Simounet avatar Dec 06 '25 21:12 Simounet

Hi @Simounet sorry for the late reply. I just installed the wallabagger-1.20.0.3.zip version and it works perfectly for me too. Now I installed the 1.21.0. It works the same:

  1. I enter my wallabag url (with "use HTTPS" disabled) and click on "Check URL"
  2. the "pick a client" select appears, I select one of the clients
  3. all the other input fields appear, I see Client ID and Client secret already filled but not editable, while user login and user password are empty
  4. I input user and password, then click on "get token", all fields become green and on the right I see:

    wallabag URL checked: OK
    wallabag permission checked: Agreed
    wallabag API version: 2.6.13
    wallabag API token: Granted

Thank you!

dodo67 avatar Dec 13 '25 15:12 dodo67

No worries @dodo67 , thanks for your feedback. I'm closing this issue.

Simounet avatar Dec 15 '25 17:12 Simounet