Invalid cors request

[matt734]

I have set up Yaade on my cloud server, and it is currently running via Apache2 using the URL https://example.com. Simultaneously, I am developing an springboot application on my localhost that utilizes CORS. The application will be accessible via https://localhost:8080.

In my application's configuration, I have added the following line: configuration.setAllowedOrigins(Arrays.asList(frontendUrl, "https://example.com"));

However, when I send a POST request from Yaade to https://localhost:8080/register, I receive an invalid CORS request error in the response body.

To address this issue, I attempted to modify the configuration line to configuration.setAllowedOrigins("*');, which resolved the problem. Even though I specified "https://example.com" as the allowed origin, which is where I access Yaade, I'm still encountering this issue.

I would appreciate assistance in understanding why I am facing this problem despite configuring the allowed origins correctly.

[rzorzorzo]

works for me.
Example:
Request:

curl "http://127.0.0.1:8092/_matrix/client/r0/keys/upload" ^ -H "Accept: */*" ^ -H "Accept-Language: en-US,en;q=0.9" ^ -H "Cache-Control: no-cache" ^ -H "Connection: keep-alive" ^ -H "Content-Type: text/plain;charset=UTF-8" ^ -H "Origin: chrome-extension://mddoackclclnbkmofficmmepfnadolfa" ^ -H "Pragma: no-cache" ^ -H "Sec-Fetch-Dest: empty" ^ -H "Sec-Fetch-Mode: cors" ^ -H "Sec-Fetch-Site: none" ^ -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36" ^ --data-raw ^"^{^ ... ^}^" ^ --compressed

Response:

HTTP/1.1 200 OK Content-Type: application/json Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, Authorization, Cookie Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS Access-Control-Allow-Origin: * Date: Wed, 21 Jun 2023 20:23:34 GMT content-length: 43
Maybe your server is not returning:

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, Authorization, Cookie Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
So I do not think that this is a yaade issue, but an issue with your server application.

FYI: To debug the network communication between yaade and your application, assuming you are using the yaade extension in chrome as proxy:

Open chrome devtools (F12)
Application > Service Workers > See all registrations
Click inspect button.
This opens a new devtools window (for the extension)

The requests to your server are found in the network tab.

-- Ron

[DhayananthV]

works for me. Example: Request:

curl "http://127.0.0.1:8092/_matrix/client/r0/keys/upload" ^ -H "Accept: */*" ^ -H "Accept-Language: en-US,en;q=0.9" ^ -H "Cache-Control: no-cache" ^ -H "Connection: keep-alive" ^ -H "Content-Type: text/plain;charset=UTF-8" ^ -H "Origin: chrome-extension://mddoackclclnbkmofficmmepfnadolfa" ^ -H "Pragma: no-cache" ^ -H "Sec-Fetch-Dest: empty" ^ -H "Sec-Fetch-Mode: cors" ^ -H "Sec-Fetch-Site: none" ^ -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36" ^ --data-raw ^"^{^ ... ^}^" ^ --compressed

Response:

HTTP/1.1 200 OK Content-Type: application/json Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, Authorization, Cookie Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS Access-Control-Allow-Origin: * Date: Wed, 21 Jun 2023 20:23:34 GMT content-length: 43 Maybe your server is not returning:

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, Authorization, Cookie Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS So I do not think that this is a yaade issue, but an issue with your server application.

FYI: To debug the network communication between yaade and your application, assuming you are using the yaade extension in chrome as proxy:

Open chrome devtools (F12) Application > Service Workers > See all registrations Click inspect button. This opens a new devtools window (for the extension)

The requests to your server are found in the network tab.

-- Ron

However it works when I allow from all origin using "*". The problem is when I allow only the host name of the yaade server where it is running. On the server cors is enabled for all origin. Attached the screenshots here.

[rzorzorzo]

hello,

check the request sent by yaade. it sets

Origin: chrome-extension://mddoackclclnbkmofficmmepfnadolfa

this is not the server where yaade is running., but the extension in the browser.
note that localhost on the yaade server would be the yaade server, not the pc where your browser is running.

so, try whitelisting chrome-extension://mddoackclclnbkmofficmmepfnadolfa in your application.

-- Ron

[rzorzorzo]

PS:
you may also try allowing private network access.

https://www.innoq.com/en/blog/cors-private-network-access/
https://stackoverflow.com/questions/76036487/spring-cors-filter-for-access-control-allow-private-network-not-working

[rzorzorzo]

PS:
some browsers/servers differenciate between localhost and 127.0.0.1.
so maybe try the latter.

[jonrosner]

Close due to inactivity.