Set CORS to be an optional feature #12827
Thx!!
I think this is not a practical solution. I have over 10 devices at home, and I am using CORS with my local AJAX client. Now all the devices are getting errors due to CORS.
I agree, but as the CORS implementation in Tasmota has security issues, it is disabled by default. If you want to use it, you can compile it yourself with CORS enabled. This patch is temporary until the CORS implementation in Tasmota gets fixed. Please see the comments in the linked issue. Thanks.
Thanks for answering. I agree to disable CORS by default, but a user setting should have been enough, not having to re-compile all the flavors I am using (tasmota, tasmota-lite, tasmota-it, tasmota-sensors). Or I have to fully re-code my AJAX client.
Yes, I totally agree with you, but as explained in the bug report #6767, the security concerns about it are high enough so as to not include it in any official firmware. It already had a user setting to enable or disable it, that was the command So, because of that, CORS support is not included in any official precompiled firmware until a proper fix is implemented. Anyway, all the code related to CORS has not been deleted. It is just not included. You can compile your own version adding CORS support by adding
A workaround for some cases:
Description:
As reported in #6767, CORS is not safely implemented in Tasmota, so until a better solution is submitted, with this PR we disable by default all code related to CORS. If any user wants to enable it, just add
#define USE_CORS
in the user_config_override.h file and compile. Just remember to set a webpassword.
Note: In a following PR (separated from this one just for better organization), a message will be added telling users when they don't have a password set.
Related issue (if applicable): #6767
Checklist:
NOTE: The code change must pass CI tests. Your PR cannot be merged unless tests pass