[ https://issues.apache.org/jira/browse/CB-10281?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15083080#comment-15083080 ]

Patrick Mueller commented on CB-10281:
--------------------------------------

I didn't realize that was considered an error CORS could fix. Looking at the CORS docs at https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS , I suppose this could be related to "enable cross-site HTTP requests for: ... Scripts (for unmuted exceptions)", except I have no idea what "unmuted exceptions" are.

Some further searching found this (green note): https://w3c.github.io/webappsec-csp/#framework-directive-source-list - W3C Content Security Policy Level 3:

"Note: Though IP address do match the grammar above, only 127.0.0.1 will actually match a URL when used in a source expression (see §6.1.11.2 Does url match source list? for details). The security properties of IP addresses are suspect, and authors ought to prefer hostnames whenever possible."

So, I think IP addresses will fail CSP tests. But there's no mention there of CORS allowing the failure to permit further processing.

I'd like to see if we can nail down that this is actually happening. Not happy with making changes based on guesses, without knowing what's really going on.

Some questions:

* what version of the default Android browser are you using?
* are you using CSP?
* exactly what error are you seeing, and where are you seeing it?

I'm actually a bit hesitant to fix this, as this is a security consideration as noted by the CSP ref. If you REALLY REALLY want to do this, you can use http://xip.io/ to reference a local IP address via a DNS resolvable name, which should fix this for you.

> Allow CORS
> ----------
>
> Key: CB-10281
> URL: https://issues.apache.org/jira/browse/CB-10281
> Project: Apache Cordova
> Issue Type: New Feature
> Components: weinre
> Affects Versions: 3.5.0
> Reporter: Miquel
> Assignee: Patrick Mueller
> Priority: Minor
> Labels: easyfix, features, patch
> Fix For: Master
>
> Original Estimate: 5m
> Remaining Estimate: 5m
>
> I've created a pull request to allow CORS:
> https://github.com/apache/cordova-weinre/pull/10:
> {noformat} > diff --git a/weinre.server/lib/weinre.js b/weinre.server/lib/weinre.js > index a4ca11c..036df78 100644 > --- a/weinre.server/lib/weinre.js > +++ b/weinre.server/lib/weinre.js > @@ -133,6 +133,11 @@ startServer = function() { > }); > app.use(express.favicon(favIcon)); > app.use(jsonBodyParser()); > + app.use(function(req, res, next) { > + res.header("Access-Control-Allow-Origin", "*"); > + res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, > Content-Type, Accept"); > + next(); > + }); > app.all(/^\/ws\/client(.*)/, function(request, response, next) { > var uri; > uri = request.params[0]; > {noformat}
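
Review bot: The middleware added ahead of `app.all(/^\/ws\/client(.*)/, ...)` sets `Access-Control-Allow-Origin` to `"*"` unconditionally, and because it is registered with `app.use` before the route handlers it applies to every response, including the `/ws/client` channel visible in the context lines. For a debug server that means script running on any origin can read those responses. Consider making the header opt-in and echoing back only origins from a configured allowlist (together with `Vary: Origin`) instead of the wildcard. The hunk also sets `Access-Control-Allow-Headers` without `Access-Control-Allow-Methods` and does not answer `OPTIONS` requests itself, so it is unclear how preflighted requests are meant to be handled. The issue text does not say which request fails without this change; that should be documented alongside the patch.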