Ajax call to server issue
13-07-2022, 00:29
Post: #1
Ajax call to server issue
Hi Simon

I am trying to make an ajax call from my website to rescan minimserver.

The call is the following:

Quote:
$.ajax({
    type: "POST",
    url: 'http://192.168.73.33:9790',
    contentType: 'text/plain',
    data: 'rescan',
    dataType: 'text'
})
etc

However, I have the following classic error returned:

Cross-Origin Request Blocked
Cors Header 'Access-Control-Allow-Origin' missing

Is it my call which is wrong, or is it the header which is missing on your server side?
Thx!
13-07-2022, 12:38 (This post was last modified: 13-07-2022 12:40 by simoncn.)
Post: #2
RE: Ajax call to server issue
I have looked into this and it seems MinimServer would need to add an 'Access-Control-Allow-Origin: *' header to the HTTP response to make this work. I am a bit concerned about the security implications of making this change. If the POST request is "pre-flighted" by your browser (there are complex rules for when this is done), other actions by MinimServer would be required.

Is your website hosted locally on the same subnet as MinimServer or is it making the rescan request from a page accessed via the internet?
13-07-2022, 13:52 (This post was last modified: 13-07-2022 13:53 by lyapounov.)
Post: #3
RE: Ajax call to server issue
(13-07-2022 12:38)simoncn Wrote:  I have looked into this and it seems MinimServer would need to add an 'Access-Control-Allow-Origin: *' header to the HTTP response to make this work. I am a bit concerned about the security implications of making this change. If the POST request is "pre-flighted" by your browser (there are complex rules for when this is done), other actions by MinimServer would be required.

Is your website hosted locally on the same subnet as MinimServer or is it making the rescan request from a page accessed via the internet?

So far, my website is only accessed locally (I am currently in the US, but I have set up a VPN at my home). This site is a client-server architecture, and I have a login and a password for any management of my music, so everything about management is pre-flight. And yes, I had to add the 'Access-Control-Allow-Origin: *' to access my server, even if on the same subnet.

Now, I don't want to force you to open it. I have another solution, which is to make an exec statement on your script (I use php for my server side).

BTW, if you don't open it, no client-server architecture can send the command. I was wondering BTW: when I press the "rescan" button on the LUMIN app, how does the app send the request to your server? I thought it would be this POST, but that is not possible if you don't allow the CORS rule.

So don't bother doing this.

Thx
13-07-2022, 14:11
Post: #4
RE: Ajax call to server issue
An app such as the LUMIN app or the mscript program can send an HTTP POST request using a TCP/IP socket connection. There is no cross-origin check for this. The cross-origin check is made only by a web browser.

Having thought about this some more, it is my understanding that opening this up by adding 'Access-Control-Allow-Origin: *' would enable anyone to host a public web page that could invoke a local rescan for MinimServer if the web page knew (or could guess) the local IP address of the MinimServer instance. This could happen in the background without the user being aware and would also enable any other MinimServer command to be run by an attacker.
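An added example, not part of the original posts and not MinimServer code: a sketch of the preflight rule mentioned in post #2 and of a server-side alternative to 'Access-Control-Allow-Origin: *' that answers only an allowlisted origin. The function names and the origin http://192.168.73.20 are assumptions made for illustration, and the preflight rule is simplified.

```javascript
// Added illustration; not MinimServer code. All names here are hypothetical.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFE_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SAFE_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain']);

// Simplified browser rule: true if an OPTIONS preflight precedes the request.
function needsPreflight(method, headers) {
  if (!SAFE_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const n = name.toLowerCase();
    if (!SAFE_HEADERS.has(n)) return true;
    if (n === 'content-type' &&
        !SAFE_TYPES.has(value.split(';')[0].trim().toLowerCase())) return true;
  }
  return false;
}

// Server-side decision for a command endpoint: the status and CORS headers
// to send, and whether the command (e.g. 'rescan') should be run at all.
function decide(req, allowedOrigins) {
  const origin = req.headers.origin;
  // Control apps and scripts using a plain socket typically send no Origin.
  if (origin === undefined) return { status: 200, headers: {}, run: req.method === 'POST' };
  // A browser page from any origin not on the allowlist is refused outright.
  if (!allowedOrigins.has(origin)) return { status: 403, headers: {}, run: false };
  // Echo the one allowed origin instead of '*'; Vary keeps caches correct.
  const headers = { 'Access-Control-Allow-Origin': origin, 'Vary': 'Origin' };
  if (req.method === 'OPTIONS') {
    headers['Access-Control-Allow-Methods'] = 'POST';
    headers['Access-Control-Allow-Headers'] = 'Content-Type';
    return { status: 204, headers, run: false };
  }
  return { status: 200, headers, run: req.method === 'POST' };
}

// Constructed sample requests (header names lower-cased, as Node.js does).
const allowed = new Set(['http://192.168.73.20']); // assumed local management site
const fromSite = { method: 'POST',
  headers: { origin: 'http://192.168.73.20', 'content-type': 'text/plain' } };
const fromElsewhere = { method: 'POST',
  headers: { origin: 'https://public.example', 'content-type': 'text/plain' } };
const fromApp = { method: 'POST', headers: { 'content-type': 'text/plain' } };
const preflight = { method: 'OPTIONS', headers: { origin: 'http://192.168.73.20' } };
```

Under the standard CORS rules the text/plain POST from post #1 is not preflighted, so it reaches the server before any CORS check; that is why the decision to run the command is made on the Origin header and not left to the browser.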
14-07-2022, 11:54
Post: #5
RE: Ajax call to server issue
(13-07-2022 14:11)simoncn Wrote:  Having thought about this some more, it is my understanding that opening this up by adding 'Access-Control-Allow-Origin: *' would enable anyone to host a public web page that could invoke a local rescan for MinimServer if the web page knew (or could guess) the local IP address of the MinimServer instance. This could happen in the background without the user being aware and would also enable any other MinimServer command to be run by an attacker.

That is the beauty but also the huge drawback of UPnP: when I am listening to my music, everyone on the network can change the music I am listening to. This does not require knowing the IP and the port of minimserver, and is as boring, if not worse, than trying to hack the server itself ;-)

Thx Simon, I'll manage differently then.
14-07-2022, 12:23
Post: #6
RE: Ajax call to server issue
Everyone on the network? Do you mean your local network?
14-07-2022, 12:39
Post: #7
RE: Ajax call to server issue
(14-07-2022 12:23)simoncn Wrote:  Everyone on the network? Do you mean your local network?

Yes of course!

Don't tell me you have never experienced listening to music with a friend, and the friend saying "I want to listen to my music" and taking control on his smartphone...

Or funnier, two renderers, and the other person chooses your renderer instead of the other one, and bing again your music stops to another one.

So annoying; but there is nothing we can do; that is the price to pay for openness!
15-07-2022, 09:12
Post: #8
RE: Ajax call to server issue
At least you know who is doing these things and the person is unlikely to have malicious intent.

This would not be the case if any web page could mount an attack on your MinimServer installation without your being aware this is happening.
15-07-2022, 11:18
Post: #9
RE: Ajax call to server issue
(15-07-2022 09:12)simoncn Wrote:  At least you know who is doing these things and the person is unlikely to have malicious intent.

This would not be the case if any web page could mount an attack on your MinimServer installation without your being aware this is happening.

I understand. But then you should say on your web site that those calls do not work in a client-server architecture, when called from another browser...