CORS Issue with Web Client

[alex-phillips]

I wrote a subsonic-compatible web UI which works great with Airsonic. I'm sure it would also work with gonic, but it looks like I'm getting some CORS issues in the browser.

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://gonic.mydomain.com/rest/getAlbum.view?f=json&c=qooxtun…15&u=USERNAME&s=I79q1o&t=TOKEN&id=56. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).

Would something like this be an easy fix? It looks like all of the errors in my console are for the getAlbum.view endpoint?

[sentriz]

can you try a curl --head "https://gonic.yourdomain.com/rest/getAlbum.view" there should be cors headers in the response.

I think it's set up right because gonic works with jamstash which probably does cors stuff (but maybe not?)

[alex-phillips]

Hmm, it does. Not sure what the issue is then. Here's the response from my gonic server vs my airsonic server:

Airsonic:

curl --head "https://airsonic.mydomain.com/rest/getAlbum.view?f=json&c=qooxtunes&v=1.15&u=USERNAME&s=OaUSpg&t=TOKEN&id=2"
HTTP/1.1 200 
Server: nginx/1.16.1
Date: Sun, 01 Dec 2019 16:58:41 GMT
Content-Type: application/json;charset=UTF-8
Content-Length: 7653
Connection: keep-alive
Set-Cookie: JSESSIONID=10F426E45CEC8640F5853E3FB4760CC0; Path=/; Secure; HttpOnly
Access-Control-Allow-Origin: *
Set-Cookie: player-61646d696e=4; Max-Age=31536000; Expires=Mon, 30-Nov-2020 16:58:41 GMT; Path=/; HttpOnly
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Frame-Options: SAMEORIGIN

gonic

curl --head "https://gonic.mydomain.com/rest/getAlbum.view?f=json&c=qooxtunes&v=1.15&u=USERNAME&s=OaUSpg&t=TOKEN&id=2"
HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Sun, 01 Dec 2019 16:59:05 GMT
Content-Type: application/json
Content-Length: 115
Connection: keep-alive
Access-Control-Allow-Headers: Accept, Content-Type, Content-Length, Accept-Encoding, X-CSRF-Token, Authorization
Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE
Access-Control-Allow-Origin: *

Any ideas what could be missing / different to cause this issue?

[sentriz]

hmm really not sure to be honest because the only header your thingy was complaining about CORS header ‘Access-Control-Allow-Origin’ missing
seems to be there

is your client open source? maybe I could try locally

[alex-phillips]

It is: https://github.com/alex-phillips/qooxtunes

For ease of use, you can spin it up in docker with the following:

version: '3'
services:
  qooxtunes:
    container_name: qooxtunes
    image: alexphillips/qooxtunes
    ports:
      - 80:80
      - 443:443

[alex-phillips]

Just FYI - the UI mimics old school iTunes, so it makes a TON of API calls to the backend server on startup to get the entire library worth of information (depending on the size of your library). Just fair warning :-P

[alex-phillips]

Have you had a chance to check this out? I can send you a link of my running UI instance if that'll help troubleshoot.

[sentriz]

hi! sorry it's taken so long. I grabbed qooxtunes (looks very cool)

it seems the cors errors were only happening for views which are implemented yet (getStarred) because my NotFoundHandler (for the subsonic code 70) wasn't using the cors, or any other middleware.

funnily enough, this is already fixed on this branch:
https://github.com/sentriz/gonic/tree/param_refactor

which I hope to merge very shortly. see #14

[alex-phillips]

@sentriz Great! Thanks for the update! Looking forward to the merge.

[sentriz]

hey that change should be on docker hub now. please re-open or make a new issue if something else has gone wrong. thanks!