[ 
https://issues.apache.org/jira/browse/CB-10281?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15083080#comment-15083080
 ] 

Patrick Mueller commented on CB-10281:
--------------------------------------

I didn't realize that was considered an error CORS could fix.  Looking at the 
CORS docs at 
https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS , I 
suppose this could be related to "enable cross-site HTTP requests for: ... 
Scripts (for unmuted exceptions)", except I have no idea what "unmuted 
exceptions" are.

Some further searching found this (green note): 
https://w3c.github.io/webappsec-csp/#framework-directive-source-list -  W3C 
Content Security Policy Level 3: "Note: Though IP address do match the grammar 
above, only 127.0.0.1 will actually match a URL when used in a source 
expression (see §6.1.11.2 Does url match source list? for details). The 
security properties of IP addresses are suspect, and authors ought to prefer 
hostnames whenever possible."  So, I think ip addresses will fail CSP tests.  
But there's no mention there of CORS allowing the failure to permit further 
processing.

I'd like to see if we can nail down that this is actually happening.  Not happy 
with making changes based on guesses, without knowing what's really going on.

Some questions:

* what version of the default Android browser are you using?
* are you using CSP?
* exactly what error are you seeing, and where are you seeing it?

I'm actually a bit hesitant to fix this, as this is a security consideration as 
noted by the CSP ref.  If you REALLY REALLY want to do this, you can use 
http://xip.io/ to reference a local ip address via a DNS resolvable name, which 
should fix this for you.


> Allow CORS
> ----------
>
>                 Key: CB-10281
>                 URL: https://issues.apache.org/jira/browse/CB-10281
>             Project: Apache Cordova
>          Issue Type: New Feature
>          Components: weinre
>    Affects Versions: 3.5.0
>            Reporter: Miquel
>            Assignee: Patrick Mueller
>            Priority: Minor
>              Labels: easyfix, features, patch
>             Fix For: Master
>
>   Original Estimate: 5m
>  Remaining Estimate: 5m
>
> I've created a pull request to allow CORS:
> https://github.com/apache/cordova-weinre/pull/10:
> {noformat}
> diff --git a/weinre.server/lib/weinre.js b/weinre.server/lib/weinre.js
> index a4ca11c..036df78 100644
> --- a/weinre.server/lib/weinre.js
> +++ b/weinre.server/lib/weinre.js
> @@ -133,6 +133,11 @@ startServer = function() {
>    });
>    app.use(express.favicon(favIcon));
>    app.use(jsonBodyParser());
> +  app.use(function(req, res, next) {
> +    res.header("Access-Control-Allow-Origin", "*");
> +    res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, 
> Content-Type, Accept");
> +    next();
> +  });
>    app.all(/^\/ws\/client(.*)/, function(request, response, next) {
>      var uri;
>      uri = request.params[0];
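Review bot: the middleware added before the `/ws/client` route sends `Access-Control-Allow-Origin: *` on every response, so a page from any origin can read what this server returns, including the routes registered right after it. Consider making the header opt-in through a server option, or echoing back only origins from a configured allowlist instead of `*`. The block also calls `next()` for every method and sets no `Access-Control-Allow-Methods`, so if preflighted requests are meant to work, the OPTIONS request should be answered explicitly here rather than falling through to the later routes.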
> {noformat}


