New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
net::ERR_FAILED with cross-origin embeds (Web/Chrome) #1008
Comments
Looking at The reason why this works in Flash Player is because Flash doesn't apply same-origin rules to initial SWF loads (in fact, it doesn't even use the same HTTP stack). This is the same rule that lets you hotlink images off of other domains. However, Ruffle isn't "trusted" code so it doesn't get to make any use of cross-origin data unless the server sends back a header saying that it's OK for us to use it. This applies for both the self-hosted and extension versions, because even the extension has to run in the "untrusted" world. |
This could be a problem given that flash heavy sites are naturally more likely to be older and unmaintained. Unfortunately, it looks like things are only going to get worse in Chrome's jihad to cripple extensions: https://www.chromium.org/Home/chromium-security/extension-content-script-fetches |
@Couchy We don't use CORS bypass in Ruffle as-is, and I really would like to avoid doing so if I can. We can't run Ruffle isolated from the page it's attached to (unlike Flash Player, which sat behind a plugin API that pages had limited interaction with), so any attempt to support this usecase would effectively constitute handing the page an arbitrary cross-domain request mechanism. The closest thing I could think of would be a trusted extension URL that the untrusted Ruffle Player could shove in a shadowed iframe to request an opaque/
The number of questions here, even for a somewhat experienced webdev like me, would indicate that we should not support this in the extension, at least not by default. |
Something else I wondered about, maybe tangentially related - Is it possible to handle direct links to .swf files? If so, maybe there could be a right-click "Open in new tab" option that would bypass the CORS issues with embedding. |
Well, he found time to add three more vidya boards. And Flash in general is dead, isn't that why we're all here? But I will never not love me some lolicatgirls.swf. |
Generally I agree with @kmeisthax, in that we simply have to (and should) live within the security restrictions of the modern web, so these kind of issues will be unavoidable. However, I do think it's worth at least investigating if the extension could allow this via adding cross-domain permission for the extension, fetching data in the background script, and passing that data to a content script via a message. Even if this is possible, this not something I would want to allow in the build by default for the reasons @kmeisthax mentions (even if we fully mimic Flash's own security and crossdomain.xml restrictions). But perhaps this could be an additional option during compilation. |
I've dabbed in developing Firefox extensions in the past and this is definitely possible. |
Is it possible to "fake" the required CORS headers with an add-on? |
Yes, I was able to do this in the above mentioned issue. |
Could you please post a walk-through or a short tutorial? Thanks! |
@alexolog |
The zip you posted where? Obviously it would be much better if Ruffle did that natively. |
Here: #2167 (comment) Then follow the instructions to install an unzipped extension: https://ruffle.rs/#usage Note this is only for Chromium variants; I haven't tried it on Firefox. |
Yea, FF needs it's own extension, although most of the code is the same. I really believe that Ruffle should be doing it natively. The whole idea of preserving old (and by extension unmaintained) technology is not to expect the site operators to do maintenance. |
@kmeisthax I don't think specifically allowing just swf files requested by XHR Is too much of a security threat, do you? Another idea I had is that the extension could pass a randomly generated key to the Ruffle script to append to its XHR requests to identify them and allow them through. Not sure if it's possible to make said key visible only to the Ruffle script, though. |
I may just be missing it, but I can't seem to find where the documentation mentions this incompatibility with I had pointed out Ruffle to a network that has Flash files that made API requests across a domain via This can be filed as a new issue if desired. |
Most Flash content still on the net is left as an afterthought and is no longer supported on maintained. I do not believe that expecting site owners to update CORS rules on the server side is realistic, and therefore would like to see the option of overwriting CORS in Ruffle. |
@alexolog i think the problem is that CORS is a security feature. Extension stores likely won't allow Ruffle. Ruffle could have two versions though |
I agree in principle, but it makes Ruffle unusable on many sites. |
Plus, there'd be no point in even having an extension if everyone updated their site to use Ruffle. |
Console output:
Access to fetch at 'https://i.4cdn.org/f/owata.swf' from origin 'https://boards.4chan.org' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
core.ruffle.js:1 GET https://i.4cdn.org/f/owata.swf net::ERR_FAILED
The text was updated successfully, but these errors were encountered: