From 0087764fc747d00b76264d333650eb08ef9d9a28 Mon Sep 17 00:00:00 2001
From: Ed Morley
Date: Wed, 31 May 2017 22:08:41 +0100
Subject: Bug 1368739 - Make OrangeFactor extension work with SSO
OrangeFactor is now behind SSO, so cross-origin requests to the API must use `withCredentials` to ensure the session cookie is sent if it exists. OrangeFactor's API permits this via appropriately set `Access-Control-Allow-{Origin,Credentials}` headers. Users will also now be reminded about the need to sign in via OrangeFactor first. Unfortunately there's no way to catch the SSO HTTP 302 separately from other failure modes, since: (a) the `XMLHttpRequest` spec doesn't allow for telling if a request redirected (b) the workaround (sniffing content-type of the response and seeing if it's `text/html` rather than `application/json`) isn't possible since BMO's CSP blocks the request to auth0.com. ...however this extension is going to be replaced once OrangeFactor is decommissioned, so meh. The redundant hiding of `#orange-graph` has also been removed.
---
 extensions/OrangeFactor/web/js/orange_factor.js | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/extensions/OrangeFactor/web/js/orange_factor.js b/extensions/OrangeFactor/web/js/orange_factor.js
index c87339dc7..fa9411cf8 100644
--- a/extensions/OrangeFactor/web/js/orange_factor.js
+++ b/extensions/OrangeFactor/web/js/orange_factor.js
@@ -74,6 +74,9 @@ $(function() {
 var bugId = document.forms['changeform'].id.value;
 var request = {
 dataType: "json",
+ xhrFields: {
+ withCredentials: true
+ },
 url: "https://brasstacks.mozilla.com/orangefactor/api/count?" + "bugid=" + encodeURIComponent(bugId) + "&tree=trunk"
 };
@@ -82,8 +85,7 @@ $(function() {
 getOrangeCount(data);
 })
 .fail(function() {
- $('#graph-count').hide();
- $('#orange-graph').hide()
+ $('#orange-count').text('Please sign into OrangeFactor first');
 });
 }
--
cgit v1.2.3-24-g4f1b
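Review bot: The new `xhrFields: { withCredentials: true }` entry in the `request` object carries no comment saying why a credentialed cross-origin call is made or what it relies on. I would add above it `// OrangeFactor is behind SSO, so send its session cookie; the API must reply with an explicit Access-Control-Allow-Origin (not "*") and Access-Control-Allow-Credentials: true`. Browsers refuse a credentialed response whose allowed origin is the wildcard, so the server's origin allowlist is what limits which sites can read the authenticated response, and it is worth naming here for whoever maintains either end. The enclosing function starts and ends outside the hunk.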
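Review bot: The `.fail` handler now shows 'Please sign into OrangeFactor first' for every failure, including a network error, a server error or a malformed response, so a user who is already signed in is told to do something that will not help. Since the cause cannot be told apart at this point, hedged wording is more accurate: `$('#orange-count').text('Could not load OrangeFactor data; you may need to sign into OrangeFactor first');`. The handler also no longer hides `#graph-count`; whether that element should stay visible on failure depends on markup outside this hunk, so it is worth a check. Using `.text()` rather than `.html()` for the message is the right choice and should be kept.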