ralish
Enthusiast

Just wanted to add a bit more detail here, which hopefully can be relayed to the relevant engineers if they're not already aware.

The underlying issue is a cross-site request to the GitHub API to retrieve details for the vmw-loginsight/vlcp repository. The request fails with an HTTP 401 (Unauthorized) response. Why that is I'm not sure; it appears to be some odd CORS handling on GitHub's end. As Benedikt notes, it works if the Origin request header is an IP address instead of a hostname, and if you send the request using curl but strip the scheme from the origin (e.g. "Origin: my.vrli.site") it also works.

More problematically:

  1. The request uses basic authentication to the GitHub API. That means the credentials are embedded into the application. I won't post them here, but embedding plain GitHub account credentials seems questionable, if not necessarily a security issue.
  2. Basic Authentication to the GitHub API is already deprecated and is going to be outright removed later this year. So if the request weren't already broken, it's certain to break later this year when using this authentication scheme becomes unsupported.
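
Added example (not part of the post above and not the product's code): a release-time check for the first problem in the list, scanning shipped client-side JavaScript for Basic-auth credentials in the three forms they usually take. The function names, bundle contents, user names and passwords are constructed for illustration; only the repository path comes from the post. Findings report the user name and the secret's length, never the secret itself.

```javascript
// Added example: flag Basic-auth credentials baked into shipped client code.
// All sample values are constructed; none come from the product.

// Decode a candidate Basic token; accept it only if it has user:secret shape.
function decodeBasic(token) {
  const text = Buffer.from(token, "base64").toString("utf8");
  const sep = text.indexOf(":");
  // Reject decodes with no separator, an empty part, or non-printable bytes.
  if (sep < 1 || sep === text.length - 1 || !/^[\x20-\x7e]+$/.test(text)) return null;
  return { user: text.slice(0, sep), secretLength: text.length - sep - 1 };
}

function findEmbeddedBasicAuth(source) {
  const findings = [];
  // 1. Pre-encoded header value, e.g. "Basic dXNlcjpwYXNz"
  for (const m of source.matchAll(/\bBasic\s+([A-Za-z0-9+\/]{8,}={0,2})/g)) {
    const cred = decodeBasic(m[1]);
    if (cred) findings.push({ kind: "basic-header", ...cred });
  }
  // 2. Credentials encoded at runtime, e.g. btoa("user:pass")
  for (const m of source.matchAll(/\bbtoa\(\s*["']([^"':]+):([^"']+)["']\s*\)/g)) {
    findings.push({ kind: "btoa-literal", user: m[1], secretLength: m[2].length });
  }
  // 3. Userinfo in a URL, e.g. https://user:pass@host/
  for (const m of source.matchAll(/https?:\/\/([^\s:@\/"']+):([^\s@\/"']+)@[^\s\/"']+/g)) {
    findings.push({ kind: "url-userinfo", user: m[1], secretLength: m[2].length });
  }
  return findings;
}

// Constructed sample bundle: three embedded credentials and one harmless string.
const fakeToken = Buffer.from("example-user:not-a-real-password").toString("base64");
const SAMPLE_BUNDLE = `
  fetch("https://api.github.com/repos/vmw-loginsight/vlcp", {
    headers: { Authorization: "Basic ${fakeToken}" }
  });
  const hdr = "Basic " + btoa("example-user:hunter2-sample");
  const mirror = "https://example-user:sample-pw@git.example.invalid/repo";
  const label = "Basic settings"; // decodes to junk, so it is not reported
`;

console.log(findEmbeddedBasicAuth(SAMPLE_BUNDLE));
```

Any hit in code delivered to a browser means the credential is readable by every user of the application, whatever authentication scheme it belongs to.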