core: CORS preflight request not supported on the /api/history endpoint

The problem

  • I’m trying to call the /api/history/* endpoint from a domain foo.com while the API itself is on api.com.
  • I have added foo.com to the list of origins allowed to make CORS requests (http.cors_allowed_origins option).
  • The browser does a pre-flight OPTIONS request to api.com and gets a 405 Method not allowed response.

Here is an example request that is failing:

curl -i -X OPTIONS \
   -H "Origin:https://foo.com" \
   -H "Authorization:Bearer XXX" \
   -H "Access-Control-Request-Headers:authorization" \
   -H "Access-Control-Request-Method:GET" \
 'https://api.com/api/history/period/2020-09-05T19:18:25.683Z?end_time=2020-09-06T19%253A18%253A25.683Z&filter_entity_id=sensor.p8702n_kib_sec_received'

Environment

  • Home Assistant Core release with the issue: 0.114.3
  • Last working Home Assistant Core release (if known): -
  • Operating environment (OS/Container/Supervised/Core): Supervised
  • Integration causing this issue: history
  • Link to integration documentation on our website: https://www.home-assistant.io/integrations/history/

Problem-relevant configuration.yaml

http:
  cors_allowed_origins:
    - https://foo.com

Additional information

I’ve debugged this issue and found out that it’s because the cors_allowed class property is not set on HistoryPeriodView (https://github.com/home-assistant/core/blob/b4bac0f7a0a881ece3b3bd06dbe8531a67f8c923/homeassistant/components/history/__init__.py#L443).

I’m not sure if that’s a bug or on purpose.

About this issue

  • State: closed
  • Created 4 years ago
  • Reactions: 6
  • Comments: 33 (3 by maintainers)

Most upvoted comments

not stale

There hasn’t been any activity on this issue recently. Due to the high number of incoming GitHub notifications, we have to clean some of the old issues, as many of them have already been resolved with the latest updates. Please make sure to update to the latest Home Assistant version and check if that solves the issue. Let us know if that works for you by adding a comment 👍 This issue has now been marked as stale and will be closed if no further activity occurs. Thank you for your contributions.

Sooooo, is this ever going to get fixed? Been over a year now and from what I’ve read a fix was there but the gods didn’t deem it adequate?

Also, I’ve found the exact same issue for the Calendar API, not sure if that’s relevant information or not. I assume it uses the same underlying code as the history API.

This might have already been fixed in #59360

Currently running 0.118.3 and I face this issue sometimes.

Currently it’s working great, but other times when using the history API from tileboard I get an API error; it’s pretty random when it does and doesn’t work.

I’m not sure if this helps but I’m currently using an https cors_allowed_origins is to include a non-https version also in the YAML:

http:
  cors_allowed_origins:
    - http://foo.com
    - https://foo.com
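
A simplified model of the behaviour reported in this thread, added here as an illustration; it is not Home Assistant's code and not posted by any participant. `View`, `handle` and the 403 status are assumptions of the model; `cors_allowed`, `cors_allowed_origins` and the request headers come from the issue. It shows why the preflight gets a 405 when the view lacks the opt-in, and why `http://foo.com` and `https://foo.com` are treated as different origins.

```python
from dataclasses import dataclass

ALLOWED_ORIGINS = frozenset({"https://foo.com"})  # http.cors_allowed_origins from the page

@dataclass(frozen=True)
class View:
    """Hypothetical stand-in for a registered API view (not Home Assistant's class)."""
    methods: frozenset
    cors_allowed: bool = False  # per-view opt-in named in the issue

def handle(view, method, headers, allowed_origins=ALLOWED_ORIGINS):
    """Return (status, response_headers) for one request against a view."""
    origin = headers.get("Origin")
    if method == "OPTIONS" and "Access-Control-Request-Method" in headers:
        # Without the opt-in the route has no OPTIONS handler, so the
        # request is rejected with 405 before any origin check runs.
        if not view.cors_allowed:
            return 405, {"Allow": ",".join(sorted(view.methods))}
        wanted = headers["Access-Control-Request-Method"]
        # Origins match as exact strings: scheme, host and port all count.
        if origin not in allowed_origins or wanted not in view.methods:
            return 403, {}  # status code is this model's choice
        return 200, {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Methods": wanted,
            "Access-Control-Allow-Headers": headers.get("Access-Control-Request-Headers", ""),
            "Vary": "Origin",
        }
    if method not in view.methods:
        return 405, {"Allow": ",".join(sorted(view.methods))}
    if view.cors_allowed and origin in allowed_origins:
        return 200, {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return 200, {}  # served, but the browser withholds the response from the page's script

# Constructed preflight with the CORS headers from the curl command in the issue.
# Authorization is omitted: browsers do not send credentials on a preflight.
PREFLIGHT = {
    "Origin": "https://foo.com",
    "Access-Control-Request-Method": "GET",
    "Access-Control-Request-Headers": "authorization",
}
history = View(frozenset({"GET"}))                              # as reported
history_opted_in = View(frozenset({"GET"}), cors_allowed=True)  # with the opt-in

if __name__ == "__main__":
    for view in (history, history_opted_in):
        print(handle(view, "OPTIONS", PREFLIGHT)[0])
    print(handle(history_opted_in, "OPTIONS", {**PREFLIGHT, "Origin": "http://foo.com"})[0])
```

Because the preflight carries no credentials, the OPTIONS response has to be produced before any authentication check; the bearer token only arrives on the follow-up GET.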