Use relative paths to fetch MR widget endpoints to avoid CORS
Note: I reproduced it on a local GDK installation, since there is no suitable place to test it elsewhere at the moment. So maybe it's just a false positive, due to something strange in the setup.
When loading a SAST report in the MR widget, I got the error `Failed to load security report.`
Looking at the requests, this seems to be the problem:
```
OPTIONS /root/test-project/builds/9/artifacts/raw/gl-sast-report.json HTTP/1.1
Host: 172.17.42.1:3000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Access-Control-Request-Method: GET
Access-Control-Request-Headers: x-csrf-token,x-requested-with
Origin: http://localhost:3000
Connection: keep-alive
```
The reply is:
```
HTTP/1.1 404 Not Found
Content-Length: 2025857
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Dec 2017 08:13:01 GMT
X-Request-Id: 822d01ea-5c32-4f21-a14e-4da50e51dae5
X-Runtime: 0.826939
```
I'm not sure why we use the OPTIONS method for this request, but it seems that if it is changed to GET, the request succeeds (after a redirect):
```
HTTP/1.1 302 Found
Location: http://172.17.42.1:3000/root/test-project/-/jobs/9/artifacts/raw/gl-sast-report.json
...
HTTP/1.1 200 OK
Content-Disposition: attachment; filename="gl-sast-report.json"
Content-Type: application/json
...
```
Edited by Filipa Lacerda
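An added example, not part of the original issue or GitLab's code: a simplified model of the browser's CORS decision, showing why the absolute artifact URL above is preflighted with OPTIONS while the same path fetched relatively is not. The function name `classifyRequest` and the merge request page URL are assumptions; the hosts, artifact path and header names are taken from the captured request.

```javascript
// Simplified model of the Fetch/CORS rules: header *names* only, values are not inspected.
const SAFELISTED_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SIMPLE_METHODS = new Set(['GET', 'HEAD', 'POST']);

// Hypothetical helper: classify a request the way a browser would before sending it.
function classifyRequest(pageUrl, target, method, headers) {
  const page = new URL(pageUrl);
  const resolved = new URL(target, page); // a relative path inherits the page's origin
  const sameOrigin = resolved.origin === page.origin; // scheme + host + port must all match
  const unsafeHeaders = Object.keys(headers)
    .map((name) => name.toLowerCase())
    .filter((name) => !SAFELISTED_HEADERS.has(name))
    .sort();
  // A preflight is needed only cross-origin, and only for non-simple methods or headers.
  const preflight = !sameOrigin &&
    (!SIMPLE_METHODS.has(method.toUpperCase()) || unsafeHeaders.length > 0);
  return {
    url: resolved.href,
    sameOrigin,
    preflight,
    // What the browser would send as Access-Control-Request-Headers.
    requestHeaders: preflight ? unsafeHeaders.join(',') : null,
  };
}

// Constructed inputs: the page is opened via localhost, the endpoint uses the GDK host IP.
const PAGE = 'http://localhost:3000/root/test-project/merge_requests/1'; // assumed MR page URL
const ARTIFACT_PATH = '/root/test-project/builds/9/artifacts/raw/gl-sast-report.json';
const AJAX_HEADERS = { 'X-CSRF-Token': 'placeholder', 'X-Requested-With': 'XMLHttpRequest' };

const absolute = classifyRequest(PAGE, 'http://172.17.42.1:3000' + ARTIFACT_PATH, 'GET', AJAX_HEADERS);
const relative = classifyRequest(PAGE, ARTIFACT_PATH, 'GET', AJAX_HEADERS);

console.log('absolute:', absolute);
console.log('relative:', relative);
```

With the relative path, the CSRF token header stays on a same-origin request and the artifact endpoint needs no `Access-Control-Allow-*` headers at all.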