Unable to make rest api request due to server not setting correct CORS rules.

  • I am working on a small local webpage to switch my digital switches by hand.

    As the rest api documentation says I sent this request:

    Code
    var xhttp = new XMLHttpRequest();
    xhttp.open("GET", "http://ip/status", true);
    xhttp.send();

    Which my browser quickly blocks, since the data that is returned does not have the correct CORS headers. I can send a header from the client, like this:

    xhttp.setRequestHeader("Access-Control-Allow-Origin", "*");

    But even then the server does not reply with the correct headers, and the request is still blocked.

    In the settings of the Shelly webpage I cannot find any information on how to turn on the correct CORS headers.

    • Official post

    Hi @henk , welcome to the forum. :)

    MQTT is unfortunately not my topic, but I'm sure someone else will help. ;)

    (perhaps 87insane )

  • Hey...

    I don't understand the problem. Can you give us more information, please?

    Why does your server send false headers? Why do you use this way, if you can use ready systems (ioBroker, fhem, ...)?

    This is HTTP GET and not MQTT, but I think that can be a way. Which system do you use?

    The correct header is shown in the docs. Are you a programmer or a beginner? I ask because normally a programmer can read and use the docs. I am not a programmer, but with more input I think we can help :)

    Greetings,

    Kai

    Prime-SmartHome-Solutions

    Independent SmartHome consultant. From consulting through to setup

    :thumbup: If you have questions, just send a PM :thumbup:

  • Thank you both for your replies.

    I am indeed using HTTP and not MQTT, but since they are basically the same it doesn't matter for the request syntax.

    I am not using other systems like ioBroker, fhem, or Home Assistant, because I don't like how they work and they are too slow/large for the older devices that run the screens these switches run on.

    I have made my own simple webpage that communicates with a php server I have set up myself.

    The issue here is that the Shelly itself is not setting the correct header in the response to API requests. I assume that these other services just ignore this security issue and continue anyway, but since my webpages are running in up-to-date browsers I cannot circumvent this myself.

    I do not know what language your server is written in, but your response should always (for public-facing APIs) include this header: 'Access-Control-Allow-Origin: *'.

    This is because a device that makes a request to this server first checks with that header whether or not it should allow the data to be loaded. For security purposes any up-to-date browser should not allow requests to a server that does not explicitly state (with this header) that this location may make a request.


    According to this page here: <https://shelly-api-docs.shelly.cloud/#shelly1-1pm-relay-0>

    I should be able to send a request like this: "http://<IP>/relay/0?turn=toggle" to toggle the Shelly. And this does work, but the Shelly webserver also returns some data: {"ison":true, "has_timer":false}

    The browser sees this data and attempts to read the Cross Origin Content Security header.

    If this header contains something that is either the same as my IP, OR is a * character (which means allow everything), the browser will let this response through.

    If however, and this is what happens now, such a header is not on the data, the browser will detect a security issue, post this to the log, and error out the web request.

    You could help me by:

    Telling me where the source code for the firmware can be found. (I may be able to add it myself if it is open source)

    Or tell the team that works on this firmware to add this header to the request.
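    Added example (not from the thread and not Shelly code): a small JavaScript model of the browser-side CORS decision that henk describes above, run against constructed response headers; the page origin and header sets are assumptions for illustration.

    ```javascript
    // Added example: a minimal model of the browser's CORS check for a simple GET
    // like the one in the post. The decision uses only RESPONSE headers, which is
    // why setting Access-Control-Allow-Origin on the request cannot help: the
    // server has to send it. The request itself still reaches the device (the
    // relay still toggles); CORS only blocks the page from reading the reply.
    function corsAllowsRead(origin, responseHeaders, withCredentials = false) {
      // HTTP header names are case-insensitive.
      const get = (name) => {
        const key = Object.keys(responseHeaders).find(
          (k) => k.toLowerCase() === name.toLowerCase()
        );
        return key === undefined ? null : responseHeaders[key];
      };
      const allowOrigin = get("Access-Control-Allow-Origin");
      if (allowOrigin === null) {
        return { allowed: false, reason: "no Access-Control-Allow-Origin header" };
      }
      if (withCredentials) {
        // Credentialed requests: a wildcard is rejected, and the server must also
        // opt in with Access-Control-Allow-Credentials: true.
        if (allowOrigin === "*") {
          return { allowed: false, reason: "wildcard not allowed with credentials" };
        }
        if (get("Access-Control-Allow-Credentials") !== "true") {
          return { allowed: false, reason: "Access-Control-Allow-Credentials missing" };
        }
      }
      if (allowOrigin === "*" || allowOrigin === origin) {
        return { allowed: true, reason: "origin permitted" };
      }
      return { allowed: false, reason: `origin ${origin} not permitted` };
    }

    // Constructed sample responses (not captured from a device).
    const deviceResponse = { "Content-Type": "application/json" };            // header missing, as in the post
    const fixedPublic = { "Content-Type": "application/json",
                          "Access-Control-Allow-Origin": "*" };                // what the post asks for
    const fixedScoped = { "Content-Type": "application/json",                  // tighter: one origin only
                          "Access-Control-Allow-Origin": "http://192.0.2.10",
                          "Access-Control-Allow-Credentials": "true" };

    const pageOrigin = "http://192.0.2.10"; // constructed origin of the local webpage
    console.log("device as-is :", corsAllowsRead(pageOrigin, deviceResponse));
    console.log("wildcard     :", corsAllowsRead(pageOrigin, fixedPublic));
    console.log("scoped       :", corsAllowsRead(pageOrigin, fixedScoped, true));
    console.log("other origin :", corsAllowsRead("http://203.0.113.5", fixedScoped));
    ```

    The scoped variant shows the trade-off a wildcard hides: with `*` any page on the local network can read the device's status JSON, while naming the page's origin limits that to the one client that needs it.
    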

  • Hmmm.. The first part of your answer is very interesting for me. (Sorry for my English)..

    Nice ideas!!

    It's the JSON string that is the problem... hmmm... I am not a professional programmer. But you can try to contact Shelly support on shelly.cloud. You can easily do that via chat on their website.

    The support is great and not like T-Mobile :P.

    Other way... Look into the fhem mqtt2server module. If the syntax is no problem for you, you can transfer it. FHEM SVN on Google... it's open source.

