Http client CORS (AB1)


Andrea

Hello everyone, I have a problem with connecting to a local address (to see the status of a Shelly device).

The url is: http://192.168.1.151/relay/0

When I open the URL from the Chrome browser I see this:

If I try to do it from the app, creating an HTTP client, I get the response "null - 1" (CORS problems). Is there any way to solve the problem?

I noticed that the requests are different: from the browser the type is document, from the application instead it is XHR (maybe it's normal).

As you can see from the screen, I tried to insert some headers, but the problem was not solved.

PS: I also tried to insert a further request method: GET, and to add another header, Access-Control-Allow-Origin: *


DecSoft

Hello Andrea,

The problem with CORS is not placing the right header on the client side, but on the server side. So it's the server that must set the appropriate CORS permissions. You can find more information at this web page, which explains how to set the CORS permissions in various servers. If you can't handle this using your server, but your server can run PHP scripts (for example), then you can try to set the CORS permissions from a PHP script, so you can call that script, which can also do the appropriate reading of the URL that you wanted, something similar to the below:



Andrea
I swear you read my mind, I was doing just that! :) Thank you

Andrea

I write here to avoid creating new threads, since the argument is always an HTTP request.

Hi David and all, hope all is well, 1 million dollar question.

I noticed that if I send an HTTP request from (AB1) to a server that is not connected, the error response times are quite long (about 6 seconds) from an Android or iOS app.

Is this something that can be resolved from the client element (without using a timer), or do you necessarily have to make the request some other way?

Thank you


DecSoft

Hello Andrea,

For the case of AB1, you can certainly establish a timeout for the request like below:

So the above establishes a timeout of 10 seconds, which means that if after 10 seconds the server did not respond, the Error event of the Http Client is fired with a "Status = -1" and "Response = null".



Andrea
Thank you, it works perfectly!

Andrea

Hi David and company, unfortunately I have to go back to this discussion.

I have a problem, which I explain in the simplest situation in which I find myself.

For simplicity I have created an example to reproduce the problem (AB1).

With a button that starts an HTTP client (to a local server, http://192.xxx.xxx.xxx/test.php).

Inside the PHP file I just have this.

If I run from a browser with a local URL, I have no problem getting the answer.

If I put the app online, I have problems with CORS when the HTTP client connects to the local IP (the online domain it points to is intentionally HTTP and not HTTPS, also to avoid various mixed problems).


DecSoft

Hello Andrea,

I am not sure that the problem is related to CORS. If you think that because you can see the "Referrer policy: strict-origin-when-cross-origin" in the Header tab of the developer console, that does not mean you have a CORS related problem. If you try with the Http sample app of AB2, for example, you will see the same in the Header tab, but the app works as expected.

So, if I am not wrong, the problem is related to something else. Have you tried, for example, to prepare your script like below?

The idea is that you can see the "Hello from the script": if you can see that, then the problem can be with the "readfile" PHP function, for example. It's difficult to say what can happen, but, if I am right, there is not a CORS related problem. So try what I suggest and post here if you really can see the "Hello from the script" message. Look also at whether the script can certainly be reached by the app, that is, be sure the script offers a 200 HTTP status code and not another like 500, 404, etc.



Andrea

Well, I'm happy to contribute to the problem I had. (even if you will eventually realize that it is a dirty solution)

I try to be as clear as possible.

1) The mission was from an online web app located in any public domain (no ssl), to be able to make requests to your local private web server (no ssl).

(clearly to work the client browsing the public domain had to be connected to the same wifi or lan network as the webserver).

So the IP of the connected machine (client) is xxx.xxx.1.x and the web server is in the same family of xxx.xxx.1.x.

The problem that I had never encountered before is that requests from the web app present in a xxx.domain.xxx domain to the local web server (xxx.xxx.1.xxx) gave CORS security errors.

The reason is now clear, explained on this page (there are others similar):

https://developer.chrome.com/blog/private-network-access-preflight/

In practice, now for security reasons to do what has been said we must apparently start from the assumption that the web domain and web server must be in SSL.

And also new automatic headers are introduced before the classic browser requests (Chrome and Edge), while on Firefox (still briefly) it will work without any changes: Access-Control-Allow-Private-Network, InsecurePrivateNetworkRequestsAllowed.

In practice, if the http request is made from an online webapp to a local webserver (connected in the same network as the client), the request is passed with a PRIVATE status, which at that point requires additional checks, such as those above.

All this I understand from the requests that are displayed in the header and from this clear message from chrome.

Having said that I have not solved it cleanly, because in my opinion I should have ssl both online and local and my webserver does not have it, and among other things I could not point to a localhost but to a specific ip.

The dirtiest but effective solution I have found is to overcome the security problems of the online domain in question by creating some keys in the windows registry:

This way I solved the problem.

I know it's not programming, but it's still been a solution for me. (solve a problem on a specific pc)
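
The server-side CORS handling from DecSoft's first reply, extended with the Private Network Access preflight described in the post above, as an added example that is not part of any post in this thread and not DecSoft's or Chrome's code. It is written in JavaScript (Node.js) rather than PHP; `corsHeadersFor`, `ALLOWED_ORIGINS` and `https://app.example.com` are hypothetical names and values. Chrome's preflight carries `Access-Control-Request-Private-Network: true`, and the request only goes ahead when the server answers with `Access-Control-Allow-Private-Network: true` next to the usual CORS headers.

```javascript
// Added example (not from the thread): choose CORS / Private Network Access
// response headers on the server that the browser is calling.
// ALLOWED_ORIGINS is an assumption: the origin where the web app is hosted.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']); // constructed value

// reqHeaders uses lowercase names, as Node's http module delivers them.
function corsHeadersFor(method, reqHeaders) {
  const origin = reqHeaders['origin'];
  // No Origin header: not a cross-origin browser request, nothing to add.
  if (!origin) return { status: 200, headers: {} };
  // Unlisted origin: refuse and send no CORS headers at all.
  if (!ALLOWED_ORIGINS.has(origin)) return { status: 403, headers: {} };

  // Echo the one allowed origin instead of "*"; Vary keeps caches correct.
  const headers = { 'Access-Control-Allow-Origin': origin, 'Vary': 'Origin' };
  const isPreflight = method === 'OPTIONS' &&
    reqHeaders['access-control-request-method'] !== undefined;
  if (!isPreflight) return { status: 200, headers };

  headers['Access-Control-Allow-Methods'] = 'GET';
  headers['Access-Control-Max-Age'] = '600';
  // Chrome marks a public-page-to-private-network preflight with this header;
  // the request only proceeds if the server opts in explicitly.
  if (reqHeaders['access-control-request-private-network'] === 'true') {
    headers['Access-Control-Allow-Private-Network'] = 'true';
  }
  return { status: 204, headers };
}

// Constructed sample requests: a PNA preflight, then the same from another site.
const samplePreflight = {
  'origin': 'https://app.example.com',
  'access-control-request-method': 'GET',
  'access-control-request-private-network': 'true',
};
console.log(corsHeadersFor('OPTIONS', samplePreflight));
console.log(corsHeadersFor('OPTIONS', { ...samplePreflight, origin: 'http://other.example' }));
```

In a Node `http.createServer` handler the returned status and headers would be passed to `res.writeHead` before the body is sent.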


DecSoft

Thanks for sharing this with us, Andrea! ;-)

