homie-esp8266: Configuration v2 fails due to CORS
I am trying to configure the latest dev-version of Homie 2 (f605adf).
When using the latest Configurator page v2 (03034c6) I am receiving an error in Chrome 63.0.3239.84 (Official Build) (64-bit) and other browsers:
Failed to load http://192.168.123.1/heart: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:8000' is therefore not allowed access.
I could temporarily fix this issue by adding the following default headers after this line https://github.com/marvinroger/homie-esp8266/blob/develop/src/Homie/Boot/BootConfig.cpp#L18:
DefaultHeaders::Instance().addHeader(F("Access-Control-Allow-Origin"), F("*"));
DefaultHeaders::Instance().addHeader(F("Access-Control-Allow-Methods"), F("PUT, GET"));
DefaultHeaders::Instance().addHeader(F("Access-Control-Allow-Headers"), F("Content-Type, Origin, Referer, User-Agent"));
Please note: This is not the fix, it’s just a proof to make it work temporarily.
Some of the following requests are also failing then as calls to __sendCORS() will send these headers again.
About this issue
- State: closed
- Created 7 years ago
- Comments: 17 (14 by maintainers)
Commits related to this issue
- Fix #446 CORS Issue — committed to timpur/homie-esp8266 by timpur 6 years ago
- Upstream develop (#5) * :fire: Remove hardcoded keepalive - fix #301 (#314) Remove hardcoded KeepAlive for MQTT connection. Default value of 15sec is already present in AsyncMQTT library * :ra... — committed to euphi/homie-esp8266 by euphi 6 years ago
- Added example to determine interface inside callbacks (#446) — committed to gorec2005/homie-esp8266 by nouser2013 5 years ago
- Added ext-searchbox (Ctrl+F) search/replace functionality and -workers (live syntax checkers) to the ace editor - a standalone hack. if you don't need worker(s), modify line #446 of edit.htm .setUseWo... — committed to gorec2005/homie-esp8266 by lorol 4 years ago
Well, believe me or not, I was about to. ☺️ One condition, though: add your name on the manifests. 😌
On Thu, Dec 14, 2017 at 21:20, benzino77 notifications@github.com wrote:
@marvinroger assign this to me ? (how do you feel about making me a Collaborator ?)
@timpur thank you for all your hard work on this, it’s much appreciated! Hope to be able to start contributing myself very soon
@timpur yup I tested myself using your 2.1 branch fork and no CORS issues at all! Thanks for fixing that so quick!
And no, this is not an issue security-wise, as CORS is really useful for preventing malicious scripts, browser extensions/plugins, or even other JS code from making requests to a server it should not be. Being as though this is for an IoT device, this should be open as the requests are almost always going to be coming from somewhere other than the device, not from the device itself.
Really this just helps prevent issues surrounding wanting to use something like Cordova to send API calls, or some custom JavaScript.
I say this from my 10+ yrs experience as sys/net admin, and running a hosting company since 2009
Right, there’s a CORS issue. What I don’t get, though, is why it used to work.
The code was only handling preflight CORS requests (OPTIONS), so the config endpoint was the only one that was supposed to work… anyway, the fix is pretty simple: it’s just a matter of wrapping each request into something that sends the CORS header, and it’ll work everywhere.
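An added example, not part of the original thread or the project's code: a small C++ model of the three behaviours discussed here (header sent only on the preflight reply, default headers plus a handler that sends the header again, and one wrapper on every reply), checked the way a browser evaluates `Access-Control-Allow-Origin`. The names `Response`, `corsAllows`, `sendCors`, `respond` and `Mode` are hypothetical, and the idempotent wrapper is an assumption about one way to avoid the duplicate.

```cpp
#include <cstdio>
#include <string>
#include <utility>
#include <vector>

const std::string ACAO = "Access-Control-Allow-Origin";

// Simplified stand-in for an HTTP response: an ordered header list (hypothetical type).
struct Response {
    std::vector<std::pair<std::string, std::string>> headers;
    void addHeader(const std::string& k, const std::string& v) { headers.emplace_back(k, v); }
};

// Browser-side check: all ACAO values are combined with ", " and the result must be
// "*" or the exact origin, so a header sent twice ("*, *") is rejected like a missing one.
bool corsAllows(const Response& r, const std::string& origin) {
    std::string combined;
    bool seen = false;
    for (const auto& h : r.headers) {
        if (h.first != ACAO) continue;  // header names compared exactly in this model
        combined += (seen ? ", " : "") + h.second;
        seen = true;
    }
    return seen && (combined == "*" || combined == origin);
}

// Wrapper applied to every reply; adds the header only if it is not already present.
void sendCors(Response& r) {
    for (const auto& h : r.headers)
        if (h.first == ACAO) return;
    r.addHeader(ACAO, "*");
}

enum class Mode { PreflightOnly, DefaultHeaders, Wrapped };

Response respond(Mode mode, bool isPreflight) {
    Response r;
    r.addHeader("Content-Type", "application/json");
    if (mode == Mode::DefaultHeaders) r.addHeader(ACAO, "*");  // global default header
    if (mode == Mode::Wrapped) sendCors(r);                    // wrapper on every reply
    else if (isPreflight) r.addHeader(ACAO, "*");              // handler adds it to OPTIONS replies only
    return r;
}

int main() {
    const std::string origin = "http://localhost:8000";  // origin from the error message above
    const Mode modes[] = {Mode::PreflightOnly, Mode::DefaultHeaders, Mode::Wrapped};
    for (Mode m : modes)
        std::printf("mode %d: GET %s, OPTIONS %s\n", static_cast<int>(m),
                    corsAllows(respond(m, false), origin) ? "allowed" : "blocked",
                    corsAllows(respond(m, true), origin) ? "allowed" : "blocked");
    return 0;
}
```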