CORS error when trying to use the API

[omarruben]

Hi, i have the server under 192.168.1.190, did all configurations and working perfect
I am trying to use PUSH features, but I need the API working... I did.

when I call using AXIOS from other computer on the same network:

axios.post(http://192.168.1.190:8081/v1/vhosts/default/apps/app:pushes, {
title: "test",
description: "description",
},
{
headers: {
'Content-Type': 'application/json',
authorization :"Basic "+ btoa("urbano14")
}
}
).then(function (response){
console.log(response);
}).catch(function (error){
console.log(error);

    })

I got CORS error , "Access-Control-Allow-Origin’ missing" , where or how do I configure this on the server.xml?
thank you for your help...

[Keukhan]

@omarruben

Have you tested on the latest version of Chrome? We are aware that the CORS issue you reported has been occurring since the recent Chrome security update.
As a workaround right now, use the https protocol or use a different browser.

Thanks.

[omarruben]

I did, other browsers, updated versions.. still same error

[dimiden]

@omarruben
Since the OME API does not have CORS settings, it can be a problem if the browser calls the OME's API directly.
I will review whether to add CORS settings to the API server.

To add one explanation, the recent Chrome update has caused CORS errors for non-HTTPS URLs in certain situations.
It's a problem that occurs even though the CORS header is set, and the same problem is occurring not only in OME but also in Apache-based HTTP servers, so we are looking for workaround.

[basisbit]

As mentioned in previous issues about the API not supporting CORS: imho this is a feature, not a bug. Webclients should never query that API. Instead, you should put some proxy or relay in between which handles authentication/authorization using some temporary json web token or similar. Otherwise it is a) very easy to overload your server using DoS, b) very easy to get the API token which the webclient uses to query the API.

However, the documentation so far does not mention this, which probably leads to many users of OME using it in an insecure way...

[omarruben]

thank you, how I can use push video from OvenMediaEngine to ... Youtube using RTMP without using the API? , some configuration file??

[basisbit]

You can use the API, but at least put an Nginx reverse proxy or similar in front of that admin web interface, which handles user authentication. You can then have Nginx set the necessary header using something like add_header Access-Control-Allow-Origin *;

[dimiden]

@omarruben
I just implemented this feature and hope it works well! f82a315

[dimiden]

I reopened this task to close when it was confirmed that the problem was solved.

[getroot]

I'm closing this issue because it has been inactive for a long time since it was resolved. Please reopen this issue for further discussion.

[BenhinMwendwa]

How do you solve the error of being blocked by CORS POLICY ..........this is the error (Access to fetch at 'https://saavn.dev/api/songs' from origin 'http://127.0.0.1:5500/' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status.
index.js:32