Use relative paths to fetch MR widget endpoints to avoid CORS
Note: I reproduced it on a local GDK installation, since there is no suitable place to test it elsewhere at the moment. So maybe it's just a false positive, due to something strange in the setup.
When loading a SAST report in the MR widget, I got the error "Failed to load security report".
Looking at the requests, this seems to be the problem:
    OPTIONS /root/test-project/builds/9/artifacts/raw/gl-sast-report.json HTTP/1.1
    Host: 172.17.42.1:3000
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Access-Control-Request-Method: GET
    Access-Control-Request-Headers: x-csrf-token,x-requested-with
    Origin: http://localhost:3000
    Connection: keep-alive
The reply is:
    HTTP/1.1 404 Not Found
    Content-Length: 2025857
    Content-Type: text/html; charset=utf-8
    Date: Mon, 18 Dec 2017 08:13:01 GMT
    X-Request-Id: 822d01ea-5c32-4f21-a14e-4da50e51dae5
    X-Runtime: 0.826939
I'm not sure why we use the OPTIONS method for this request, but it seems that if it is changed into GET, the request succeeds (after a redirect):
    HTTP/1.1 302 Found
    Location: http://172.17.42.1:3000/root/test-project/-/jobs/9/artifacts/raw/gl-sast-report.json
    ...

    HTTP/1.1 200 OK
    Content-Disposition: attachment; filename="gl-sast-report.json"
    Content-Type: application/json
    ...
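The OPTIONS request above is a CORS preflight, which the browser sends on its own before a cross-origin request that carries non-safelisted headers. The following added example (not part of the original report and not GitLab's code) models that decision for the absolute URL from the capture and for the same path given as a relative URL. The page URL, the header values and the names `classifyRequest` and `isSafelisted` are assumptions made for illustration, and the safelist is a simplified subset of the browser's rules.

```javascript
// Simplified model of the browser's CORS preflight decision (Fetch standard subset).
const SAFE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFE_HEADERS = new Set(['accept', 'accept-language', 'content-language']);
const SAFE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);

function isSafelisted(name, value) {
  const n = name.toLowerCase();
  if (SAFE_HEADERS.has(n)) return true;
  if (n === 'content-type') {
    return SAFE_CONTENT_TYPES.has(String(value).split(';')[0].trim().toLowerCase());
  }
  return false; // e.g. X-CSRF-Token, X-Requested-With
}

function classifyRequest(pageUrl, target, method, headers = {}) {
  const page = new URL(pageUrl);
  const resolved = new URL(target, page); // a relative path inherits the page origin
  if (resolved.origin === page.origin) {
    return { url: resolved.href, crossOrigin: false, preflight: null };
  }
  const unsafe = Object.keys(headers)
    .filter((name) => !isSafelisted(name, headers[name]))
    .map((name) => name.toLowerCase())
    .sort();
  const needed = !SAFE_METHODS.has(method.toUpperCase()) || unsafe.length > 0;
  const preflight = needed ? {
    method: 'OPTIONS',
    'Origin': page.origin,
    'Access-Control-Request-Method': method.toUpperCase(),
    'Access-Control-Request-Headers': unsafe.join(','),
  } : null;
  return { url: resolved.href, crossOrigin: true, preflight };
}

// Constructed inputs: page URL and header values are placeholders, not from the report.
const PAGE = 'http://localhost:3000/root/test-project/merge_requests/1';
const PATH = '/root/test-project/builds/9/artifacts/raw/gl-sast-report.json';
const HEADERS = { 'X-CSRF-Token': 'constructed-token', 'X-Requested-With': 'XMLHttpRequest' };

const absolute = classifyRequest(PAGE, 'http://172.17.42.1:3000' + PATH, 'GET', HEADERS);
const relative = classifyRequest(PAGE, PATH, 'GET', HEADERS);
console.log('absolute URL ->', absolute.preflight);
console.log('relative URL ->', relative.preflight, relative.url);
```

With the relative path the request stays same-origin, so the CSRF token is only ever sent to the origin that served the page and no `Access-Control-Allow-*` response headers are needed on the artifacts endpoint.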