XMLHttpRequest blocked by CORS Policy

Want to write your own code to work with a HDHomeRun or work with the HDHomeRun DVR? We are happy to help with concepts, APIs, best practices.
mcglynnj
Posts: 9
Joined: Fri Sep 18, 2020 5:28 am
Device ID: 12515AA4

XMLHttpRequest blocked by CORS Policy

Post by mcglynnj »

Hello everyone,

I've just begun messing around with my HDHomeRun Quattro (model HDHR5-4DT) and HTML5 with an XMLHttpRequest object in JavaScript, and I have encountered an issue that most browsers will block data from being read from a different endpoint if that endpoint doesn't say in its response that it is permissible.

From what I read up, it would need this extra header in the device's response headers at the start of the stream:

Access-Control-Allow-Origin: *

Is this a bug or is this by design? Could this header be added in a future firmware update as a default or a configurable option?

signcarver
Expert
Posts: 10007
Joined: Wed Jan 24, 2007 1:04 am
Device ID: 10A05954 10802091 131B34B7 13231F92 1070A18E 1073ED6F 15300C36
x 28

Re: XMLHttpRequest blocked by CORS Policy

Post by signcarver »

[removed by moderator]
Last edited by signcarver on Fri Nov 19, 2021 8:44 am, edited 1 time in total.

nickk
Silicondust
Posts: 17458
Joined: Tue Jan 13, 2004 9:39 am
x 107

Re: XMLHttpRequest blocked by CORS Policy

Post by nickk »

Hi,

Is the app hosted locally within the same home network?

Nick

mcglynnj
Posts: 9
Joined: Fri Sep 18, 2020 5:28 am
Device ID: 12515AA4

Re: XMLHttpRequest blocked by CORS Policy

Post by mcglynnj »

nickk wrote: Fri Nov 19, 2021 8:40 am
Hi,

Is the app hosted locally within the same home network?

Nick

If you mean within the same network subnet, yes, it's all-internal. It's all being done on the same machine on a local browser (localhost etc.) served via a web server running in the background.

signcarver
Expert
Posts: 10007
Joined: Wed Jan 24, 2007 1:04 am
Device ID: 10A05954 10802091 131B34B7 13231F92 1070A18E 1073ED6F 15300C36
x 28

Re: XMLHttpRequest blocked by CORS Policy

Post by signcarver »

They deleted my post (rather than offending parts) which may have shed some light... typically I see this from 2 reasons, the first is when one uses HTTP discovery as CORS policy at SD prevents one from using such (my previous post gave reasons why CORS on their end was a "good" thing, even though I don't always like such restrictions, which I think is what caused it being removed).

The other is a recent issue with browsers based on Chrome (including Microsoft Edge) that prevents access to devices on your LAN (though I have gotten such to work in local intranets, there have been some locations I haven't). Is your local server being accessed by localhost or by its real subnet address (though it may not matter)?

Typically I have found it best for the server to do most of the work server-side rather than the client do the work through JavaScript.

nickk
Silicondust
Posts: 17458
Joined: Tue Jan 13, 2004 9:39 am
x 107

Re: XMLHttpRequest blocked by CORS Policy

Post by nickk »

What Origin (header) is being sent in the HTTP request?

mcglynnj
Posts: 9
Joined: Fri Sep 18, 2020 5:28 am
Device ID: 12515AA4

Re: XMLHttpRequest blocked by CORS Policy

Post by mcglynnj »

signcarver wrote: Fri Nov 19, 2021 11:56 am
They deleted my post (rather than offending parts) which may have shed some light... typically I see this from 2 reasons, the first is when one uses HTTP discovery as CORS policy at SD prevents one from using such (my previous post gave reasons why CORS on their end was a "good" thing, even though I don't always like such restrictions, which I think is what caused it being removed).

The other is a recent issue with browsers based on Chrome (including Microsoft Edge) that prevents access to devices on your LAN (though I have gotten such to work in local intranets, there have been some locations I haven't). Is your local server being accessed by localhost or by its real subnet address (though it may not matter)?

Typically I have found it best for the server to do most of the work server-side rather than the client do the work through JavaScript.

I've attempted both; the resultant behaviour is the same.

nickk wrote: Fri Nov 19, 2021 6:14 pm
What Origin (header) is being sent in the HTTP request?

If the address is "http://127.0.0.1:8000/video/player.html" then "http://127.0.0.1:8000" is sent as the Origin's header value.

signcarver
Expert
Posts: 10007
Joined: Wed Jan 24, 2007 1:04 am
Device ID: 10A05954 10802091 131B34B7 13231F92 1070A18E 1073ED6F 15300C36
x 28

Re: XMLHttpRequest blocked by CORS Policy

Post by signcarver »

What JSON (or URL) are you trying to retrieve when you get that error? (Clean it up without information of deviceAuth and other "private" information.)

The only one I am aware of for that response is my.hdhomerun.com/discover (and the URL that redirects to). And I can understand why that will need to do such by design. However since my previous post was removed by moderator, I won't repost those reasons why it should have such a CORS policy.

nickk
Silicondust
Posts: 17458
Joined: Tue Jan 13, 2004 9:39 am
x 107

Re: XMLHttpRequest blocked by CORS Policy

Post by nickk »

Hmmm... it sounds like we should be allowing origins that are from the local network. Will investigate further.

mcglynnj
Posts: 9
Joined: Fri Sep 18, 2020 5:28 am
Device ID: 12515AA4

Re: XMLHttpRequest blocked by CORS Policy

Post by mcglynnj »

signcarver wrote: Sat Nov 20, 2021 11:16 am
What JSON (or URL) are you trying to retrieve when you get that error? (Clean it up without information of deviceAuth and other "private" information.)

The only one I am aware of for that response is my.hdhomerun.com/discover (and the URL that redirects to). And I can understand why that will need to do such by design. However since my previous post was removed by moderator, I won't repost those reasons why it should have such a CORS policy.

It's directly to the receiving box (i.e. "http://device-hostname:5004/auto/v104/"), there is no internet access involved.

nickk wrote: Sat Nov 20, 2021 10:22 pm
Hmmm... it sounds like we should be allowing origins that are from the local network. Will investigate further.

Appreciate it, Nick.
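
Added example (not part of the original thread and not Silicondust firmware code): the idea raised above of allowing only origins from the local network, sketched as a check that echoes the request's Origin when it is loopback or a private-range address instead of sending `Access-Control-Allow-Origin: *`. The function names are hypothetical, and hostname origins other than `localhost` are rejected as an assumption, because they cannot be classified without a DNS lookup.

```javascript
// Added example: choose CORS response headers for a LAN device from the
// request's Origin header. All function names here are hypothetical.

// True when host is an IPv4 literal in loopback, RFC 1918 or link-local space.
function isPrivateIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const [a, b, c, d] = m.slice(1).map(Number);
  if ([a, b, c, d].some((n) => n > 255)) return false;
  return (
    a === 127 ||                          // 127.0.0.0/8 loopback
    a === 10 ||                           // 10.0.0.0/8
    (a === 172 && b >= 16 && b <= 31) ||  // 172.16.0.0/12
    (a === 192 && b === 168) ||           // 192.168.0.0/16
    (a === 169 && b === 254)              // 169.254.0.0/16 link-local
  );
}

// True when the Origin value is a well-formed http(s) origin on the local network.
function isLocalOrigin(origin) {
  if (typeof origin !== "string" || origin === "null") return false;
  let url;
  try { url = new URL(origin); } catch { return false; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  // An Origin carries scheme, host and port only; anything that does not
  // round-trip exactly (path, userinfo, odd IP notation) is rejected.
  if (url.origin !== origin) return false;
  const host = url.hostname;
  return host === "localhost" || host === "[::1]" || isPrivateIPv4(host);
}

// Echo the origin only when it is local; always send Vary so that caches
// do not reuse a response generated for a different Origin.
function corsHeadersFor(origin) {
  if (!isLocalOrigin(origin)) return { Vary: "Origin" };
  return { "Access-Control-Allow-Origin": origin, Vary: "Origin" };
}
```

With the Origin quoted in the thread, `corsHeadersFor("http://127.0.0.1:8000")` returns the echoed origin, while a page loaded from a public site gets no `Access-Control-Allow-Origin` header and the browser keeps blocking the read.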
