API calls on the PM1, CORS policy not set correctly


  • Hi,

    I'm looking into the Shelly 1PM for the first time. I'm a software engineer myself, and I'm looking to call the data from an application I'm developing by myself.

    I see there's a setting called "Allow Cross-Origin Resource Sharing" under Internet & Security => Advanced - Developer Settings.

    Effectively this adds Access-Control-Allow-Origin * to each request. However this doesn't seem to be sufficient to allow the CORS. I'm getting the following error when calling {ip}/status:

    Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://192.168.2.4/status. (Reason: header ‘content-type’ is not allowed according to header ‘Access-Control-Allow-Headers’ from CORS preflight response).

    I think the response is still missing the header Access-Control-Allow-Headers.

    According to this answer on GitHub, that would be the solution (https://stackoverflow.com/questions/9459…gin-not-working), but it would be a software change for the Shelly 1PM.

    Has anyone had a similar issue?

    Would it be possible to manipulate the response headers from the Shelly 1PM?


    Best regards,

    Remsus

    :beer:

  • I haven't tested GET requests via JavaScript for quite a long time, but allowing CORS is IMHO a dirty workaround. Whenever you build a solution, the browser is restricting access more and more.

    If possible you should consider a server side solution with PHP, Python, or whatever you prefer as scripting language.

    Example in PHP:

    https://github.com/shelly-tools/shelly-php-proxy-examples

    >100 Shellies, including pretty much everything the manufacturer has produced. ;)
    :!: As a rule, I do not answer questions via private message :!:

  • Hi Seven of Nine,

    Thank you for your advice. ^^

    I think you're right. It seems a little tricky to call the endpoint from my web app. A self-owned back-end solution seems cleaner, so I'll go for that. I read up a bit more about CORS and this generally seems to be the right solution.

    :beer:
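
The server-side approach the thread settles on, sketched as an added example in Node.js (not code from the thread or from the linked shelly-tools repository): a small proxy answers the preflight itself, including the `Access-Control-Allow-Headers` the device omits, and limits CORS to one origin instead of `*`. The device URL is taken from the error message above; the allowed origin, the port and the function names are assumptions.

```javascript
// Added example: minimal proxy in front of the Shelly /status endpoint.
// DEVICE_URL comes from the error message in the thread; the origin and port are assumed.
const DEVICE_URL = 'http://192.168.2.4/status';
const ALLOWED_ORIGINS = new Set(['http://localhost:3000']); // assumed web app origin

// CORS headers for one request. An unlisted (or absent) Origin gets none,
// so a browser on any other site cannot read the response.
function corsHeaders(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Methods': 'GET',
    'Access-Control-Allow-Headers': 'Content-Type', // the header the preflight asked for
    'Vary': 'Origin',
  };
}

// Decide the outcome before touching the device: only GET and OPTIONS on /status.
function route(method, path, origin) {
  const headers = corsHeaders(origin);
  if (path !== '/status') return { status: 404, headers, forward: false };
  if (method === 'OPTIONS') return { status: 204, headers, forward: false }; // preflight
  if (method !== 'GET') return { status: 405, headers, forward: false };
  return { status: 200, headers, forward: true };
}

async function handler(req, res) {
  const path = new URL(req.url, 'http://proxy.invalid').pathname;
  const r = route(req.method, path, req.headers.origin);
  if (!r.forward) { res.writeHead(r.status, r.headers); return res.end(); }
  try {
    // The upstream target is fixed; nothing in the request selects the host.
    const upstream = await fetch(DEVICE_URL, { signal: AbortSignal.timeout(3000) });
    const body = await upstream.text();
    res.writeHead(upstream.status, { ...r.headers, 'Content-Type': 'application/json' });
    res.end(body);
  } catch {
    res.writeHead(502, r.headers); // device unreachable or timed out
    res.end();
  }
}

// Call start() to run the proxy; it binds to loopback only (assumed port 8080).
function start(port = 8080) {
  return require('node:http').createServer(handler).listen(port, '127.0.0.1');
}
```

With the proxy in place, the device's "Allow Cross-Origin Resource Sharing" setting can stay off, since the browser only ever talks to the proxy.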