HLS CORS not working

[dorinclisu]

Which version are you using?

v0.16.2

Which operating system are you using?

OS

• Linux
• Windows
• macOS

Architecture

• amd64
• arm64
• arm7
• arm6

Describe the issue

JavaScript console:

Access to XMLHttpRequest at 'http://localhost:8888/test' from origin 'http://localhost:3000' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Server logs:

2021/06/04 16:20:50 I [0/0] [path test] [rtsp source] ready
2021/06/04 16:22:09 I [0/0] [HLS] [conn 172.18.0.1:64260] GET /test
2021/06/04 16:22:10 I [0/0] [HLS] [conn 172.18.0.1:64260] GET /test

Describe how to replicate the issue

Copy paste the source URL in this HLS player: https://hls-js.netlify.app/demo/

[dorinclisu]

Perhaps it could be useful to add "allowedOrigins" field in config.yml, with "*" being the default.

[Prakash2101]

I'm also facing the same issue.

[dorinclisu]

Upon more investigation, I think the problem is because the initial request to /test is redirected to /test/ with a 301 response instead of the expected 200 for CORS.
If we try to access http://localhost:8888/test/ directly there is no more CORS issue, but this is not an acceptable workaround because now the HTTP Basic auth is failing since /test/ is considered a different path than /test so it falls back to default path (all) which can have other credentials.

[dorinclisu]

Actually my understanding of HLS was incomplete.
The correct src url would be http://localhost:8888/test/stream.m3u8. And this plays the video if there is no read authentication.

But with auth, it doesn't work anymore.
config.yml:

paths:
  test:
    source: rtsp://wowzaec2demo.streamlock.net/vod/mp4:BigBuckBunny_115k.mov
    readUser: user
    readPass: pass
    sourceOnDemand: false
    sourceProtocol: tcp

Player logs:

Status:
0.071 | Loading http://user:pass@localhost:8888/test/stream.m3u8
0.102 | Loading manifest and attaching video element...
0.193 | Media element attached

Error:
Cannot load http://user:pass@localhost:8888/test/stream.m3u8 HTTP response code:401 Unauthorized
0.178 | A network error occurred: manifestLoadError

[Prakash2101]

When I play the HLS url https://164.22.4.77:8888/demo/stream.m3u8 on vlc player it is playable but when I try to access on browser/any online player it is giving me an CORS issue. Is there any workaround to run the HLS on any of the online player?

[aler9]

• The Access-Control-Allow-Origin is now inserted into every HTTP response (even redirects)
• a new parameter hlsAllowOrigin has been added to the configuration file

[dorinclisu]

Thank you, can you provide a nightly build to test or how to use the Makefile to build on my own?

Edit: I managed to build using make release but is there any way to limit the build to only one platform? Building for 6 platforms including some cross builds is rather slow.

[dorinclisu]

rtsp-simple-server_v0.16.3-2-gc900bc4_linux_amd64.tar.gz
rtsp-simple-server_v0.16.3-2-gc900bc4_linux_arm64v8.tar.gz
rtsp-simple-server_v0.16.3-2-gc900bc4_darwin_amd64.tar.gz
rtsp-simple-server_v0.16.3-2-gc900bc4_windows_amd64.zip

I tested and it still doesn't work properly with readUser and readPass.

2021/06/24 12:20:55 I [0/0] rtsp-simple-server v0.16.3-2-gc900bc4
2021/06/24 12:20:55 I [0/0] [RTSP] TCP listener opened on :8554
2021/06/24 12:20:55 I [0/0] [HLS] listener opened on :8888
2021/06/24 12:20:55 I [0/0] [path test] [rtsp source] started
2021/06/24 12:21:02 I [0/0] [path test] [rtsp source] ready
2021/06/24 12:21:26 I [0/0] [HLS] [conn 172.18.0.1:64704] OPTIONS /test/stream.m3u8
2021/06/24 12:21:26 I [0/0] [HLS] [converter test] opened
2021/06/24 12:21:26 I [0/1] [HLS] [converter test] is converting into HLS
2021/06/24 12:21:27 I [0/1] [HLS] [conn 172.18.0.1:64704] OPTIONS /test/stream.m3u8
2021/06/24 12:22:27 I [0/0] [HLS] [converter test] closed

Chrome devtools on custom HLS player page:

Request Headers

Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: ro-RO,ro;q=0.9,en-US;q=0.8,en;q=0.7,de;q=0.6
Access-Control-Request-Headers: authorization
Access-Control-Request-Method: GET
Cache-Control: no-cache
Connection: keep-alive
Host: localhost:8888
Origin: http://localhost:3000
Pragma: no-cache
Referer: http://localhost:3000/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36

Response Headers

Access-Control-Allow-Origin: *
Content-Length: 0
Date: Thu, 24 Jun 2021 12:21:26 GMT
Www-Authenticate: Basic realm="rtsp-simple-server"

General

Request URL: http://localhost:8888/test/stream.m3u8
Request Method: OPTIONS
Status Code: 401 Unauthorized
Remote Address: [::1]:8888
Referrer Policy: strict-origin-when-cross-origin

I also tried with hlsAllowOrigin: http://localhost:3000 and also tried w.Header().Add("Access-Control-Allow-Credentials", "true") in server.go but the behavior is still the same.

[aler9]

added in v0.16.4

[github-actions]

This issue is being locked automatically because it has been closed for more than 6 months.
Please open a new issue in case you encounter a similar problem.