Cross origin

When did CORS calls start getting rejected?

I believe they always were, at least for some endpoints. A few months ago when I was writing a custom UI I ended up having to run it through a Node server to get around CORS issues.

1 Like

I've been working on a custom UI for some time. As long as I told the browser, previously, that I wanted to let CORS through, I didn't have a problem. Now, no matter what I do, I can't hit the endpoints remote from the hub. I only need to do so during development as the UI lives on the hub in production. But I can't move forward with development at this point.

Hmmm...what do you mean by telling the browser that you wanted to let CORS through? I mean, since CORS headers are managed server side, there's not much to do on the browser.

In any case, though, you could do something like what I ended up with: create a simple server that will proxy requests from your app to Hubitat. A host-side server making requests doesn't care about CORS headers, so it can always talk to Hubitat, and your app can talk to your server.

1 Like

Ya that's not accurate. The CORS headers are set and accepted on the server and client. And modern browsers such as Chrome, Edge, Safari, etc. are restrictive.

Generally if CORS is implicit at the server, the browser doesn't like it. If CORS is explicit the browser must be on the origin whitelist or all origins must be allowed.

In the case of an authentication header being present, all origins is not generally allowed by standard and an explicit origin definition must be in the whitelist.

You can sometimes get around the implicit policies by telling the browser to disregard them.
There are a few extensions for Chrome for example that do this for you. Or you can do it manually.

Ah, you meant completely disabling CORS in the client. I never considered that because I wasn't planning to have an app run from the Hubitat domain, although that would simplify some things.

And when I said they were always being rejected initially, I just meant that Hubitat was sending CORS headers, not that the server itself was explicitly rejecting cross-domain requests. That would be something new (to me).

It's probably Chrome that has changed, CORS is implicit on HE, it looks like.

Adding this to my shortcut gets me working again.
--user-data-dir="C:/Chrome dev session" --disable-web-security

Is there any reason why CORS cannot be enabled on the HE? Seems no security risk and enables easier custom interface development. I couldn't get the standard Chrome Extension to work so ended up using a Node proxy server. Solves the issue but took me a while to work out ... good learning though :thinking:

Is there any hope of this being implemented on the server side of the hub?

https://enable-cors.org/server.html
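
The Node proxy approach mentioned in this thread, combined with the explicit-origin rule for requests that carry an authentication header, as an added example that is not code from any poster or from the hub vendor. The hub address, dev UI origin, port, and the `RUN_PROXY` switch are assumptions; it needs Node 18+ for the global `fetch`.

```javascript
// Dev-only CORS proxy sketch. HUB_URL, the dev origin and port are assumed values.
const HUB_URL = process.env.HUB_URL || 'http://192.168.1.50';   // assumed hub address
const ALLOWED_ORIGINS = new Set(['http://localhost:3000']);     // assumed dev UI origin

// CORS response headers for an Origin, or null when it is not on the allowlist.
function corsHeaders(origin, allowed = ALLOWED_ORIGINS) {
  if (!origin || !allowed.has(origin)) return null;
  return {
    'Access-Control-Allow-Origin': origin,       // exact origin; "*" is not accepted with credentials
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
    'Access-Control-Allow-Headers': 'Authorization, Content-Type',
    'Vary': 'Origin',
  };
}

// Resolve the request path against the hub and refuse anything that leaves it.
function upstreamUrl(path, hub = HUB_URL) {
  const url = new URL(path, hub);
  if (url.origin !== new URL(hub).origin) throw new Error('refusing to proxy off-hub');
  return url;
}

async function handle(req, res) {
  const cors = corsHeaders(req.headers.origin);
  if (!cors) { res.writeHead(403); return res.end('origin not allowed'); }
  if (req.method === 'OPTIONS') { res.writeHead(204, cors); return res.end(); } // preflight
  const headers = {};
  for (const h of ['authorization', 'content-type']) {
    if (req.headers[h]) headers[h] = req.headers[h];
  }
  const chunks = [];
  for await (const c of req) chunks.push(c);
  const upstream = await fetch(upstreamUrl(req.url), {   // server-side call: no CORS applies
    method: req.method, headers,
    body: chunks.length ? Buffer.concat(chunks) : undefined,
  });
  res.writeHead(upstream.status, {
    ...cors, 'Content-Type': upstream.headers.get('content-type') || 'text/plain',
  });
  res.end(Buffer.from(await upstream.arrayBuffer()));
}

async function startProxy(port = 8080) {
  const http = await import('node:http');   // dynamic import works in CommonJS and ES modules
  return http.createServer((req, res) => handle(req, res).catch(() => {
    if (!res.headersSent) res.writeHead(502);
    res.end('upstream error');
  })).listen(port, '127.0.0.1');            // loopback only
}

if (process.env.RUN_PROXY) startProxy();
```

Because the proxy listens on loopback and only answers the allowlisted origin, the browser's same-origin checks stay on for everything else, unlike a session started with `--disable-web-security`.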