Erikvl87 / docker-languagetool

Dockerfile for LanguageTool server - configurable

Home Page:https://hub.docker.com/r/erikvl87/languagetool


LT server not accessible with Firefox add-on

xthursdayx opened this issue · comments

I already created an issue in the main LanguageTool repo, so apologies for duplicating, but I figured I'd open an issue here as well, in case anyone else is having the same problem (or has before).

When trying to use my self-hosted LT server with the Firefox LT add-on, I get the following error from the LT pop-up: Cannot connect to https://grammar.my.domain/v2/check - please check your internet connection or try again in a minute (#1, code=0). However, when I try using the LT extension in Chromium with the same self-hosted LT server I don't have any problems. I am trying this using a fresh install of Firefox with no additional extensions installed and only the standard browser security setting.

I am running the LT server using this docker image reverse proxied using NGINX. I've tried building the image locally using the flag --allow-origin "*" instead of --allow-origin '*' since one of the LT devs mentioned that was an issue for them, but it hasn't made any difference. I start my container using a docker-compose yml with the following settings:

services:
  languagetool:
    image: erikvl87/languagetool
    container_name: languagetool
    ports:
        - 8010:8010 
    environment:
        - langtool_languageModel=/ngrams
        - Java_Xms=512m
        - Java_Xmx=2818m
        - langtool_pipelinePrewarming=true
        - langtool_pipelineCaching=true
    volumes:
        - /home/xthursdayx/languagetool/ngrams:/ngrams

I can't figure out why this is working in Chromium but not Firefox after having spent most of the afternoon loading and reloading websites, reading the browser console log, and adding and removing NGINX headers. It seems like this issue might be related to one (or both) of these two questions on StackOverflow: https://stackoverflow.com/questions/40185123/error-content-security-policy-the-page-s-settings-blocked-the-loading-of-a-res and https://stackoverflow.com/questions/56386307/loading-of-a-resource-blocked-by-content-security-policy but I'm not sure.

Any ideas how to troubleshoot this? Thanks!

For more information, here is the NGINX subdomain proxy conf I'm using:

server {
    listen 443 ssl http2;
    listen [::]:443 ssl;

    server_name grammar.my.domain;

    include /config/nginx/ssl.conf;

    client_max_body_size 50M;

    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;

        add_header "Access-Control-Allow-Origin" *;
        set $upstream_app languagetool;
        set $upstream_port 8010;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }
}

SSL.conf:

ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
ssl_session_tickets off;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA3>
ssl_prefer_server_ciphers off;

ssl_stapling on;
ssl_stapling_verify on;

ssl_certificate /config/keys/letsencrypt/fullchain.pem;
ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
ssl_trusted_certificate /config/keys/letsencrypt/fullchain.pem;
ssl_dhparam /config/nginx/dhparams.pem;

ssl_early_data on;

add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

add_header Cache-Control "no-transform" always;
add_header Content-Security-Policy "upgrade-insecure-requests; frame-ancestors 'self'";
add_header Permissions-Policy "interest-cohort=()";
add_header Referrer-Policy "same-origin" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-UA-Compatible "IE=Edge" always;
add_header X-XSS-Protection "1; mode=block" always;

and proxy.conf:

proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

proxy_buffers 32 4k;
proxy_connect_timeout 240;
proxy_headers_hash_bucket_size 128;
proxy_headers_hash_max_size 1024;
proxy_http_version 1.1;
proxy_read_timeout 240;
proxy_redirect  http://  $scheme://;
proxy_send_timeout 240;

proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;

proxy_set_header Connection $connection_upgrade;
proxy_set_header Early-Data $ssl_early_data;
proxy_set_header Host $host;
proxy_set_header Proxy "";
proxy_set_header Upgrade $http_upgrade;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Real-IP $remote_addr;

Hi @xthursdayx, I've just tested the Firefox add-on with the latest dockerized version of LanguageTool and I have no issues. I've tested this with both a local server and a remote one (within my LAN).

Since you mention it does work from Chrome, could a local firewall be rejecting the outgoing request from Firefox / the Firefox add-on? It doesn't sound like an issue with the Docker container.

Hi @Erikvl87, thanks for the feedback. I agree that it doesn't seem like an issue with the docker image itself. I think it may be related to my NGINX setup and how Firefox deals with CORS vs Chrome. I was just hoping that maybe someone else had dealt with this issue in the past. Feel free to close this issue though, since it's not directly caused by the docker image.

If you happen to be running LT behind NGINX would you mind sharing your config so I can see if there is anything in my setup that differs which might be causing the problem?

I was getting the same issue, at first, without any reverse proxy: just the docker container from this repository.

Then, I took the main idea from this repository: maximillianfx/docker-nginx-cors

At one point, the error thrown by the DevTools console was that the CORS Allow-Origin directive was duplicated (Reason: CORS header 'Access-Control-Allow-Origin' does not match '*, *') and that was true: in the response headers there was an 'Access-control-allow-origin' and an 'Access-Control-Allow-Origin' set.

To get rid of that, I ended up adding the proxy_hide_header 'Access-Control-Allow-Origin'; directive in the NGINX configuration, and now it works.

I've pushed the working setup to this repository: oyale/languagetool-compose

There, I've configured the port mapping to match the expected URL from the extension option: Local server (localhost) - requires LanguageTool server running locally.
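
Added example (not part of the thread or of either repository): a small Python check that reproduces the duplicated-header failure described in the last comment and shows why hiding the upstream header fixes it. The response text, the requesting origin and all function names are constructed for illustration; the check assumes a request without credentials.

```python
ACAO = "access-control-allow-origin"

def parse_headers(raw):
    """Parse a raw HTTP response head into (name, value) pairs, keeping duplicates."""
    pairs = []
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        pairs.append((name.strip(), value.strip()))
    return pairs

def combined_acao(headers):
    """Header names are case-insensitive; repeated values are joined with ', '."""
    values = [v for n, v in headers if n.lower() == ACAO]
    return ", ".join(values) if values else None

def cors_allows(headers, origin):
    """Return (allowed, reason) for a non-credentialed request from `origin`."""
    value = combined_acao(headers)
    if value is None:
        return False, "header missing"
    if value == "*" or value == origin:
        return True, "ok"
    return False, f"header does not match {value!r}"

def hide_upstream_header(upstream, name):
    """Model of nginx `proxy_hide_header`: drop `name` from the upstream response."""
    return [(n, v) for n, v in upstream if n.lower() != name.lower()]

# Constructed sample: the upstream already sets the header, in a different case.
UPSTREAM_RAW = """HTTP/1.1 200 OK
Content-Type: application/json
Access-control-allow-origin: *
"""
PROXY_ADDED = [("Access-Control-Allow-Origin", "*")]  # what `add_header` appends
ORIGIN = "https://editor.example"  # constructed requesting origin

def before_fix():
    # Proxy appends its header on top of the upstream one.
    return cors_allows(parse_headers(UPSTREAM_RAW) + PROXY_ADDED, ORIGIN)

def after_fix():
    # Upstream header is hidden first, so only the proxy's copy remains.
    upstream = hide_upstream_header(parse_headers(UPSTREAM_RAW), ACAO)
    return cors_allows(upstream + PROXY_ADDED, ORIGIN)

if __name__ == "__main__":
    print("before:", before_fix())
    print("after: ", after_fix())
```

The same check can be run against the headers copied from the browser's network panel to confirm that only one Access-Control-Allow-Origin value reaches the client.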