New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
IPFS API rejects HTTP-queries with User-Agent: Mozilla
but accepts User-Agent: IE
and other random string
#8539
Comments
This comment has been minimized.
This comment has been minimized.
Just in case bellow is full query exported from Chrome:
|
@dogada curl 'http://localhost:5001/api/v0/version' -X 'POST' -H 'User-Agent: Mozilla' -H "Origin: http://127.0.0.1:5001" (see sending the Origin header) The usage of I belive the reason to filter like that is that we don't want to force everyone (like python-ipfs-http-api or the go cli) to send Origin headers too. If there is a bug here, it's that IE doesn't have that applied, but anyway you shouldn't use IE and I'm not actually confident that IE correctly sends Origin headers. |
Try with origin being the API instead : Add this to your config (in the root object) and restart your node, that will allows access to your API by all websites (note that unsafe so please on do that for testing, ideally you whitelist the websites you trust) : "API": {
"HTTPHeaders": {
"Access-Control-Allow-Origin": [
"*"
]
}
}, |
This is a generic test. Due to SNAFU^Wlegacy reasons, all the major browsers send requests with User-Agent string that starts with As @Jorropo noted, when it comes to Origin isolation, the HTTP RPC API refuses requests coming from Origins other than the HTTP RPC API port. One can change this behavior by adjusting the I'm closing this, as this works as expected. Opened ipfs/ipfs-docs#959 to document the way HTTP RPC API uses Origin-based security in browser contexts. |
Checklist
Installation method
third-party binary
Version
Config
Description
I try to connect to IPFS daemon from Chrome browser and I found that default IPFS installation rejects queries when user agent is set to 'Mozilla' but accepts if user-agent is IE or other random string? I understand when requests are blocked by CORS policy, but what the reason to block Mozilla?
Do you have any example of config that allows to accept XHR-queries from browser?
The text was updated successfully, but these errors were encountered: